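### Brief description:
Six GET-based SQL injections
### Details:
I keep seeing people submit these separately to rack up reports; I won't submit them one by one, so here they are bundled together! There are actually many cases; an earlier reporter listed quite a few, for example: [WooYun: Two SQL injections in an OA system leading to GetShell](http://www.wooyun.org/bugs/wooyun-2014-070214). It mainly affects ZF (government), Edu, public institutions, and so on...
Vendor: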
```
http://www.haitiansoft.com:8080/ Haitian OA mobile office software - a leading expert in collaborative office management system solutions
```
Six SQL injection points (none duplicate existing public WooYun records):
```
/UserInfor/UserInfor.asp?UserName=sa
/UserInfor/BuMenDetail.asp?OAID=1
/message/mytreedata.asp?bumenid=1
/message/BuMenDetail.asp?UserName=chen
/mailClassInfor.asp?OAID=0
/ZhuanTi/TongJi.asp?OAID=1&source=2 (the OAID parameter is injectable)
```
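For operators of this product, the following added example (not part of the original report) triages IIS W3C logs for requests to the six listed endpoints whose parameter values do not look like normal input. The expected-value patterns (numeric IDs, simple account names), the log field layout, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoint/parameter pairs taken from the report. The expected-value
# patterns are assumptions about intended input, not vendor documentation.
NUMERIC = re.compile(r"\d{1,10}")
NAME = re.compile(r"[\w.\-]{1,64}")
WATCHED = {
    "/userinfor/userinfor.asp": {"username": NAME},
    "/userinfor/bumendetail.asp": {"oaid": NUMERIC},
    "/message/mytreedata.asp": {"bumenid": NUMERIC},
    "/message/bumendetail.asp": {"username": NAME},
    "/mailclassinfor.asp": {"oaid": NUMERIC},
    "/zhuanti/tongji.asp": {"oaid": NUMERIC},
}

def suspicious_requests(log_lines):
    """Return (client_ip, path, param, value) for out-of-pattern values."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # W3C header names the columns
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        for path, params in WATCHED.items():
            if not stem.endswith(path):        # tolerate a prefix such as /oa/
                continue
            # Classic ASP treats query-string keys case-insensitively.
            got = {k.lower(): v for k, v in
                   parse_qs(query, keep_blank_values=True).items()}
            for name, pattern in params.items():
                for value in got.get(name, []):
                    if not pattern.fullmatch(value):
                        hits.append((row.get("c-ip"), stem, name, value))
    return hits

# Constructed sample log (documentation IP range), not real traffic.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:01 192.0.2.10 GET /UserInfor/BuMenDetail.asp OAID=66 200
2024-01-01 10:00:05 192.0.2.77 GET /oa/UserInfor/BuMenDetail.asp OAID=66%27 500
2024-01-01 10:00:09 192.0.2.77 GET /ZhuanTi/TongJi.asp OAID=1%20abc&source=2 200
2024-01-01 10:00:12 192.0.2.10 GET /message/BuMenDetail.asp UserName=chen 200
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The same per-parameter type checks, applied server-side before the value reaches a query, are the minimum input validation these pages need alongside parameterized queries.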
Case: [Testing requires disabling JavaScript; otherwise the page redirects to the login page]
### Proof of vulnerability:
One randomly chosen case tested for each:
```
1. First: /UserInfor/UserInfor.asp?UserName=sa
```
[![01.png](https://images.seebug.org/upload/201506/03183524c3b255e14a3bcf2b39389285dc893d48.png)](https://images.seebug.org/upload/201506/03183524c3b255e14a3bcf2b39389285dc893d48.png)
```
2. Second: /UserInfor/BuMenDetail.asp?OAID=66
```
[![02.png](https://images.seebug.org/upload/201506/031845393128c6c7b4a9795304f609f465db1266.png)](https://images.seebug.org/upload/201506/031845393128c6c7b4a9795304f609f465db1266.png)
```
3. Third: /message/mytreedata.asp?bumenid=1
```
[![03.png](https://images.seebug.org/upload/201506/03185129a3bcf473896f17464e67b27e17388e4d.png)](https://images.seebug.org/upload/201506/03185129a3bcf473896f17464e67b27e17388e4d.png)
```
4. Fourth: /message/BuMenDetail.asp?UserName=chen
```
[![04.png](https://images.seebug.org/upload/201506/031856467fb60809c990935ac644f0850e2116a4.png)](https://images.seebug.org/upload/201506/031856467fb60809c990935ac644f0850e2116a4.png)
```
5. /mailClassInfor.asp?OAID=0
```
[![05.png](https://images.seebug.org/upload/201506/03185926a90af58049b2e81f5641b49666bfcbe8.png)](https://images.seebug.org/upload/201506/03185926a90af58049b2e81f5641b49666bfcbe8.png)
```
6. /ZhuanTi/TongJi.asp?OAID=1&source=2
```
[![06.png](https://images.seebug.org/upload/201506/03190319e0c6d347e7f322645f4ab4a2341b8c6f.png)](https://images.seebug.org/upload/201506/03190319e0c6d347e7f322645f4ab4a2341b8c6f.png)