### Brief description:
Huatian Dongli OA: weak default passwords plus arbitrary file upload compromise the server within minutes
### Details:
Huatian Dongli OA ships with default user accounts that have weak passwords. After logging in as one of these users, arbitrary files can be uploaded, which yields a web shell directly. Because the system's database account is root, the resulting privileges are very high and the server is fully compromised.
### Proof of vulnerability:
1. Download the latest version of Huatian OA:
http://software.oa8000.com/download/Version/V7.0/11-TAMYSQL5D-%E8%AF%95%E7%94%A8%E7%89%88%E5%B8%A6%E6%95%B0%E6%8D%AE%E4%B8%89%E5%90%88%E4%B8%80(MYSQL)PUE-7.0-2015-06-29.exe
The download is a packaged exe that bundles Tomcat, MySQL, the JDK and so on, and after installation the system configuration is already set up. Unless a customer deliberately changes the configuration, every customer's deployment has the same configuration.
![QQ截图20150726101408.png](https://images.seebug.org/upload/201507/26101440290d0400ff587acb7eef5c38d8c7fef3.png)
2. Connect to the database and inspect the user table: it contains many default users, all with the password 123456.
![QQ截图20150726101544.png](https://images.seebug.org/upload/201507/26101600f7e422f7a5f270e4e92ee4a729a8730b.png)
I picked a customer at random online: http://globallz.com/OAapp/WebObjects/OAapp.woa
Username: user
Password: 123456
3. The download center has a function for uploading zip files. The contents of the uploaded zip are placed directly under /htoa/temp, and because the upload handling is flawed, any file type can be uploaded.
![QQ截图20150726101641.png](https://images.seebug.org/upload/201507/2610170172614dfcf14b2be5239385adc0f43db3.png)
![QQ截图20150726101955.png](https://images.seebug.org/upload/201507/261020189cb1418d2f67ea9da58ed98bcbd7454a.png)
![QQ截图20150726102258.png](https://images.seebug.org/upload/201507/2610232707041a764ac590838c869a04681307c1.png)
A file named one.jsp is then created under the temp directory.
![QQ截图20150726102348.png](https://images.seebug.org/upload/201507/261024147f06f7010d3bfe69cb6b934453a0a9c3.png)
Connecting with Caidao (China Chopper) succeeds.
![QQ截图20150726102426.png](https://images.seebug.org/upload/201507/26102451f0cbc4c375c791b5cf4aee3465819259.png)
Note: the uploaded script has been deleted.
4. Testing shows that Huatian OA8000 Platform Edition, OA8000 Enterprise Edition, OA8000 Enhanced Edition and OA8000 Flagship Edition all have this vulnerability; it affects every version.
5. The system runs as SYSTEM by default, the highest privilege level, so no privilege escalation is needed (demonstrated on a local installation).
![QQ截图20150726102530.png](https://images.seebug.org/upload/201507/2610260776261cb048b505139e3dca3f1c6b91d8.png)
![QQ截图20150726102551.png](https://images.seebug.org/upload/201507/261026138997b9554726a058f247d3d36a70aeb2.png)
6. Finally, a look at the customers using this OA system:
http://www.oa8000.com/solution.htm (there are too many customers to show; only part of the page is captured below, the URL can be viewed directly)
![QQ截图20150726102651.png](https://images.seebug.org/upload/201507/261027308b443b43f95b49ea75734e0eee59e27c.png)
![QQ截图20150726102703.png](https://images.seebug.org/upload/201507/261027478e72e0ced521b46f48f52bd5fa45410d.png)
![QQ截图20150726102714.png](https://images.seebug.org/upload/201507/26102757f064809f4c699caec2a0894ad628fbcd.png)
7. A quick online search turned up thirty-odd deployments, almost all of which have weak passwords.
![QQ截图20150726102822.png](https://images.seebug.org/upload/201507/26102838a282ecb5d94e3c25f4520ef223189db6.png)
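As an added defensive example (not code from the original report or from the vendor), the following Python check validates the member names of an uploaded archive of the kind step 3 relies on before anything is written to disk: it rejects absolute paths, names that escape the target directory, and extensions the servlet container would execute. The /htoa/temp path comes from the report and is used here as an assumed base directory; the sample archive is constructed inline.

```python
# Added example: name-only validation of uploaded zip members. The base
# directory /htoa/temp is taken from the report and assumed here; nothing
# is extracted, only the member names are inspected.
import io
import posixpath
import zipfile
from typing import Dict, Optional

# Extensions Tomcat would execute or load if they landed on disk.
FORBIDDEN_EXTS = {".jsp", ".jspx", ".jspf", ".war", ".class", ".jar"}


def check_entry(name: str, base: str = "/htoa/temp") -> Optional[str]:
    """Return a rejection reason for one archive member name, or None if safe."""
    norm = name.replace("\\", "/")  # archives built on Windows may use backslashes
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return "absolute path"
    target = posixpath.normpath(posixpath.join(base, norm))
    if not target.startswith(base.rstrip("/") + "/"):
        return "path traversal"
    if norm.endswith("/"):
        return None  # directory entry: no file is written
    ext = posixpath.splitext(norm)[1].lower()
    if ext in FORBIDDEN_EXTS:
        return f"forbidden extension {ext}"
    return None


def rejected_entries(zip_bytes: bytes, base: str = "/htoa/temp") -> Dict[str, str]:
    """Map every unsafe member name in the archive to the reason it was rejected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: r for n in zf.namelist() if (r := check_entry(n, base))}


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign file and two unsafe members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("one.jsp", b"constructed placeholder, not a script")
        zf.writestr("../webapps/ROOT/note.txt", b"constructed traversal entry")
    return buf.getvalue()
```

An upload should be discarded as soon as `rejected_entries` returns a non-empty mapping, and the rejected names logged, since a .jsp member in a "document" archive is itself a useful detection signal.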