Ecology OA system improperly filters incoming data from users, resulting in a SQL injection vulnerability. Remote and unauthenticated attackers can use this vulnerability to conduct SQL injection attacks and steal sensitive database information.
PoC代码[已公开]
id: weaver-checkserver-sqli
info:
name: Ecology OA CheckServer - SQL Injection
author: SleepingBag945
severity: high
description: |
Ecology OA system improperly filters incoming data from users, resulting in a SQL injection vulnerability. Remote and unauthenticated attackers can use this vulnerability to conduct SQL injection attacks and steal sensitive database information.
reference:
- https://stack.chaitin.com/techblog/detail?id=81
- https://github.com/lal0ne/vulnerability/blob/main/%E6%B3%9B%E5%BE%AE/E-Cology/CheckServer/README.md
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-ecology-oa-plugin-checkserver-setting-sqli.yaml
classification:
cpe: cpe:2.3:a:weaver:e-cology:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: weaver
product: e-cology
fofa-query: app="泛微-协同办公OA"
tags: weaver,ecology,sqli,vuln
http:
- method: GET
path:
- "{{BaseURL}}/mobile/plugin/CheckServer.jsp?type=mobileSetting"
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains_all(header, 'application/json','ecology_')"
- contains(body, 'error\":\"system error') && !contains(body, 'securityIntercept')
condition: and
# digest: 490a00463044022046b92393073ab0716495c1377768c7441c52224ddafe10797eecd1828dfbdaf902202ac0e8c36db528c4d1113628465f95fba5d62d3da45e01c0520fd6f95370970a:922c64590222798bb761d5b6d8e72950