### Brief description:
Broke into an abandoned system and found that most of Yonyou's source code, among other things, is exposed.
### Detailed description:
First, the system has weak passwords:
http://vip.ufida.com.cn/nccsm/HomePage.aspx
test1 123456
There are many more accounts using the weak password 123456.
![弱口令账户.jpg](https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg)
![1.png](https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png)
![2.png](https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png)
The system also has SQL injection.
![3.png](https://images.seebug.org/upload/201504/20174347c7ba1e099ca9919344b8563c9a8c7a70.png)
![4.png](https://images.seebug.org/upload/201504/20174358362baa94f8e3a6acfb5d0c293d5c6a1e.png)
![5.png](https://images.seebug.org/upload/201504/20174413a1b34c82a4f2c2b2263f24a716a6a183.png)
Data was extracted through the injection, including the admin password, which was then used to log in as admin.
![6.png](https://images.seebug.org/upload/201504/20174518025c6bf39b16607342910d5f4e7666af.png)
A shell was uploaded through the admin backend.
![7.png](https://images.seebug.org/upload/201504/201745411947e5853a7267bcfb564f3da3e2daf1.png)
Found the configuration file and used it to connect to the database.
![8.png](https://images.seebug.org/upload/201504/201746123a66a22efffec9421e68c169f8b60854.png)
Collected the employee table.
![9.png](https://images.seebug.org/upload/201504/2017461802b794ca3e00134d6b8ac149c9bff850.png)
Next, the Yonyou TKR system. Trying the accounts and passwords collected earlier showed that some of those users could log in here as well.
![10.png](https://images.seebug.org/upload/201504/20174845324ecac837c783a1c216e6a9b987726f.png)
The knowledge-upload page can be used to upload a shell.
![11.png](https://images.seebug.org/upload/201504/201748562be4d59d84a7642395b72f50ec4e41f0.png)
![12.png](https://images.seebug.org/upload/201504/201749476d2083bdc424eaf8c36476a31c653049.png)
![13.png](https://images.seebug.org/upload/201504/201749552710bc10bdbdd6588fdc0c56842eac0f.png)
Auditing the login source code revealed a master password in the system: with it, any user account can be logged into.
![18.png](https://images.seebug.org/upload/201504/20175031b9e40e3dc1b4682b19e7481cf422acbf.png)
```csharp
protected void btnLogin_Click(object sender, EventArgs e)
{
    string URL = "Default.aspx";
    if (!String.IsNullOrEmpty(Request.QueryString["PreviouseURL"]))
        URL = Server.UrlDecode(Request.QueryString["PreviouseURL"]);
    string UserName = TextBox1.Text.Trim();
    string Password = TextBox2.Text.Trim();
    bool IsSuccessful = false;
    string Remark = "";
    // master-password login
    if (!String.IsNullOrEmpty(UserName) && Password == "tkr*123")
    {
        // any non-empty user name is signed in without a real credential check
        Authority.Instance.LoginByDomainAccount(UserName);
        Response.Redirect(URL);
    }
    else
    {
        SEAPersonService PersonService = new SEAPersonService();
        PersonInfo psn = new PersonInfo();
        if (rdoType1.Checked)
        {
            psn = PersonService.LoginByDomainAccountWithPassword("pdomain", UserName, Password);
        }
        else
        {
            psn = PersonService.LoginByUserName(UserName, Password);
        }
        // ... rest of the handler not shown in the report
    }
}
```
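The backdoor above is a hard-coded comparison of the submitted password against a string literal, which is exactly the kind of thing a code review or a pre-release source scan should catch. As an added example (not code from the report or from Yonyou), here is a small Python check a defender can run over a code base to surface such comparisons. It embeds a constructed, condensed version of the snippet above as its sample input; the list of secret-looking words and the comparison patterns are this example's own heuristics, and Python is used because the check is source-language-agnostic even though the snippet it reads is C#.

```python
import re
from typing import List, Tuple

# Constructed sample input: a condensed version of the login handler shown in
# the report above, embedded here so the check runs offline.
SAMPLE_SOURCE = """protected void btnLogin_Click(object sender, EventArgs e)
{
    string UserName = TextBox1.Text.Trim();
    string Password = TextBox2.Text.Trim();
    // master-password login
    if (!String.IsNullOrEmpty(UserName) && Password == "tkr*123")
    {
        Authority.Instance.LoginByDomainAccount(UserName);
    }
    else
    {
        psn = PersonService.LoginByUserName(UserName, Password);
    }
}
"""

# Heuristic (this example's own): identifiers containing one of these words
# usually hold a secret. "pass" also catches e.g. "bypass", so findings are
# leads for a human reviewer, not verdicts.
SECRET_WORDS = r"(?:password|passwd|pwd|pass|secret|token|apikey|api_key)"
_IDENT = rf"\b(\w*{SECRET_WORDS}\w*)\b"
_LIT = r'"([^"]*)"'

# (compiled pattern, True when the literal comes before the identifier)
_PATTERNS = [
    (re.compile(rf"{_IDENT}\s*(?:==|!=)\s*{_LIT}", re.I), False),
    (re.compile(rf"{_LIT}\s*(?:==|!=)\s*{_IDENT}", re.I), True),
    (re.compile(rf"{_IDENT}\s*\.Equals\(\s*{_LIT}", re.I), False),
    (re.compile(rf"{_LIT}\s*\.Equals\(\s*{_IDENT}", re.I), True),
]


def scan_for_hardcoded_secret_checks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, identifier, literal) for each place where a
    secret-looking identifier is compared against a non-empty string literal.
    Comparisons against "" are emptiness checks, not backdoors, and are skipped."""
    findings: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        if code.startswith("//"):  # skip C-style line comments
            continue
        for pattern, literal_first in _PATTERNS:
            for m in pattern.finditer(code):
                if literal_first:
                    literal, ident = m.group(1), m.group(2)
                else:
                    ident, literal = m.group(1), m.group(2)
                if literal == "":
                    continue
                finding = (line_no, ident, literal)
                if finding not in findings:
                    findings.append(finding)
    return findings


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Run the check over one source file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_for_hardcoded_secret_checks(fh.read())


if __name__ == "__main__":
    for line_no, ident, literal in scan_for_hardcoded_secret_checks(SAMPLE_SOURCE):
        print(f"line {line_no}: {ident} compared against literal {literal!r}")
```

Run as-is it reports line 6 of the embedded sample, the `Password == "tkr*123"` branch; `scan_file` applies the same check to a real file. It deliberately looks only at equality and `.Equals` against a literal, because that is the shape of a master-password check; a backdoor that compares a hash or reads the secret from configuration needs a different rule.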
This system covers all of Yonyou's products and essentially all of their source code, though you have to search for it yourself.
![15.png](https://images.seebug.org/upload/201504/20175148da25f96a38521b97a1962d8679a77ff6.png)
![16.png](https://images.seebug.org/upload/201504/20175154374e4578deb8e175ed937630b51296be.png)
![17.png](https://images.seebug.org/upload/201504/201751598d72c96e13e6bee146a67ca194b6bd21.png)
### Proof of vulnerability: