|泛微协同商务系统e-cology某处SQL注入（附验证中转脚本）

泛微协同商务系统e-cology某处SQL注入（附验证中转脚本）

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： RT ### 详细说明：官网http://**.**.**.**//services/ [<img src="https://images.seebug.org/upload/201601/12174730be5ad63fc1d94d31fa93eda9c63ae85f.jpg" alt="Snap259.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12174730be5ad63fc1d94d31fa93eda9c63ae85f.jpg) 随便找个吧以http://**.**.**.**//services/MobileService?wsdl为例使用wvs checkUserLogin方法三个参数分别为字符型、字符型和数字 [<img src="https://images.seebug.org/upload/201601/12175720b965cbaf287a6892300b2848f90855ac.jpg" alt="Snap260.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12175720b965cbaf287a6892300b2848f90855ac.jpg) [<img src="https://images.seebug.org/upload/201601/12175732db6bf37b2318c16c9d27f746e2661514.jpg" alt="Snap261.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12175732db6bf37b2318c16c9d27f746e2661514.jpg) [<img src="https://images.seebug.org/upload/201601/121757405862f1e9b87894e634004a41e1f03706.jpg" alt="Snap262.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/121757405862f1e9b87894e634004a41e1f03706.jpg) [<img src="https://images.seebug.org/upload/201601/1217574795db1e21f19790ece71a9eb65887a219.jpg" alt="Snap263.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/1217574795db1e21f19790ece71a9eb65887a219.jpg) 正确的时候返回3 错误返回4 （本想采用抓包工具（WSockExpert ）使用某度搜索了一个评分还挺高结果系统多了个某度影音和某度输入法）还是后来使用中转吧 [<img src="https://images.seebug.org/upload/201601/121831232d879776adddf2456062872ac94a03e4.jpg" alt="Snap264.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/121831232d879776adddf2456062872ac94a03e4.jpg) [<img src="https://images.seebug.org/upload/201601/121831561c0fe901f2b7ba091feacf3993b5eb6d.jpg" alt="Snap265.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/121831561c0fe901f2b7ba091feacf3993b5eb6d.jpg) 看用户长度 [<img src="https://images.seebug.org/upload/201601/12183213beab904d561d33bf9de2fb0d62529c45.jpg" alt="Snap266.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12183213beab904d561d33bf9de2fb0d62529c45.jpg) [<img src="https://images.seebug.org/upload/201601/121832581c309d1152b9f26117ce2f3c6c483347.jpg" alt="Snap268.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/121832581c309d1152b9f26117ce2f3c6c483347.jpg) 只用了checkuserlogin作为验证其他请自查案例部分真麻烦直接用中转脚本的话分不清到底是哪个网站 ### 漏洞证明：五个案例案例一：http://**.**.**.**/services/MobileService?wsdl 经测试发现正确返回5 错误返回4 判读长度用length 截取字符串用substr 部分截图如下 [<img src="https://images.seebug.org/upload/201601/1218560042d3d026ef755e625326615ddb3d8b86.jpg" alt="Snap269.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/1218560042d3d026ef755e625326615ddb3d8b86.jpg) [<img src="https://images.seebug.org/upload/201601/121856161181e587df7ead53b259b15b7dbc76d9.jpg" alt="Snap270.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/121856161181e587df7ead53b259b15b7dbc76d9.jpg) [<img src="https://images.seebug.org/upload/201601/1218562400a99f106f5a8e03d15f1108045cd438.jpg" alt="Snap271.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/1218562400a99f106f5a8e03d15f1108045cd438.jpg) ----------------- 案例二：http://**.**.**.**/services/MobileService?wsdl 正确返回5 错误返回4 判断长度用len [<img src="https://images.seebug.org/upload/201601/12190605e0bf5488ee63a787f6903b70a08c3527.jpg" alt="Snap272.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12190605e0bf5488ee63a787f6903b70a08c3527.jpg) [<img src="https://images.seebug.org/upload/201601/12190614573f5c5aa64164f3df63de205a80a8c0.jpg" alt="Snap273.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12190614573f5c5aa64164f3df63de205a80a8c0.jpg) [<img src="https://images.seebug.org/upload/201601/12190620a205f88a604d978e1017a7b741407dcd.jpg" alt="Snap274.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12190620a205f88a604d978e1017a7b741407dcd.jpg) [<img src="https://images.seebug.org/upload/201601/12190627daf24710784046dd7b6a7c3e2dbf9954.jpg" alt="Snap275.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12190627daf24710784046dd7b6a7c3e2dbf9954.jpg) ---------- 案例三：http://**.**.**.**/services/MobileService?wsdl [<img src="https://images.seebug.org/upload/201601/12191156cffcee17edc0b1b36ef411f6fc6c0a4d.jpg" alt="Snap276.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12191156cffcee17edc0b1b36ef411f6fc6c0a4d.jpg) [<img src="https://images.seebug.org/upload/201601/121917379bbb089f3a4be16bb78475e3540766d0.jpg" alt="Snap278.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/121917379bbb089f3a4be16bb78475e3540766d0.jpg) [<img src="https://images.seebug.org/upload/201601/121917452e0390786e09577a9ab7794baaa3c0d9.jpg" alt="Snap279.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/121917452e0390786e09577a9ab7794baaa3c0d9.jpg) -------- 案例四万达**.**.**.**:88/services/MobileService?wsdl [<img src="https://images.seebug.org/upload/201601/12193321e4551b20a596a84619b38d44aa1ca32c.jpg" alt="Snap281.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12193321e4551b20a596a84619b38d44aa1ca32c.jpg) [<img src="https://images.seebug.org/upload/201601/12193331af1b6fca73adf435682a32d1d284e60a.jpg" alt="Snap280.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12193331af1b6fca73adf435682a32d1d284e60a.jpg) [<img src="https://images.seebug.org/upload/201601/1219342980cf9e05fedd24c769164af60a26c814.jpg" alt="Snap282.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/1219342980cf9e05fedd24c769164af60a26c814.jpg) -------------- 案例五天天果园http://**.**.**.**:88/services/MobileService?wsdl [<img src="https://images.seebug.org/upload/201601/1219354138759d3f1c340991d7eeaeccad6ba66a.jpg" alt="Snap283.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/1219354138759d3f1c340991d7eeaeccad6ba66a.jpg) [<img src="https://images.seebug.org/upload/201601/12193817f03f8db841d69364067dfa2be49fcd62.jpg" alt="Snap285.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/12193817f03f8db841d69364067dfa2be49fcd62.jpg) [<img src="https://images.seebug.org/upload/201601/121937073aad35caee5bd423a8acc8eca44b44ba.jpg" alt="Snap284.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201601/121937073aad35caee5bd423a8acc8eca44b44ba.jpg)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™