Yonyou Software collaborative office platform: generic SQL injection vulnerability with DBA privileges

2014-08-14T00:00:00
ID SSV:93237
Type seebug
Reporter Root
Modified 2014-08-14T00:00:00

Description

Brief description:

RT (as in the title)

Detailed description:

sys\sortListUI.jsp

```java
String done = request.getParameter("done");
String nodeId = request.getParameter("nodeId");
String strWhere = "";
String id = request.getParameter("id");
String srcName = BaseFunc.ISOToGBK(request.getParameter("srcName")); // injection point
String searchKey = StringUtil.NullToEmpty(BaseFunc.ISOToGBK(request.getParameter("searchKeyvalue"))); // injection point
srcName = "".equals(srcName) || "null".equals(srcName) || srcName == null ? "" : srcName;
String lx = request.getParameter("lx"); // 0 = category item; 1 = hint item
lx = "".equals(lx) || "null".equals(lx) || lx == null ? "0" : lx;
id = "".equals(id) || "null".equals(id) || lx == null ? "0" : id;
Sort sort = (Sort) ResourceManage.getContext("sort");
FieldSet fs = new WebFieldSet();

if ("delete".equals(done)) {
    id = StringUtil.NullToEmpty(id).equals("") ? "0" : id;
    int row = sort.deleteSort(Integer.parseInt(id));
}
DataTable DT;
if (!searchKey.equals("")) {
    // WHERE clause built by string concatenation from unvalidated request parameters
    strWhere = "(SI03 like'" + srcName + "%' and SI10='" + lx + "') or SI01 like'%" + searchKey + "%' or SI02 like'%" + searchKey + "%'";
    DT = sort.getSortByWhere(strWhere, 1, 100, lx); // passed straight into the query
} else {
    DT = sort.getSortByName(srcName + "/", lx);
}
```
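The following is an added illustration, not code from the advisory or from the Yonyou product: it mirrors the `strWhere` construction above in Python against an in-memory SQLite table (instead of the platform's JSP and database) and places a parameterised version beside it. The column names SI01/SI02/SI03/SI10 and the clause shape come from the quoted code; the table name, rows and helper functions are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the table sortListUI.jsp searches.
# Column names are from the advisory; table name and rows are made up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sort_item (SI01 TEXT, SI02 TEXT, SI03 TEXT, SI10 TEXT)")
    conn.executemany(
        "INSERT INTO sort_item VALUES (?, ?, ?, ?)",
        [
            ("finance", "Finance dept", "/root/finance", "0"),
            ("hr", "Human resources", "/root/hr", "0"),
            ("O'Brien", "Contact hint", "/root/contacts", "1"),
            ("all%", "Literal percent sign", "/root/misc", "0"),
        ],
    )
    return conn


def vulnerable_where(src_name, lx, search_key):
    # Same concatenation as the JSP: request values become part of the SQL text.
    return ("(SI03 like'" + src_name + "%' and SI10='" + lx + "') or SI01 like'%"
            + search_key + "%' or SI02 like'%" + search_key + "%'")


def query_vulnerable(conn, src_name, lx, search_key):
    sql = "SELECT SI01 FROM sort_item WHERE " + vulnerable_where(src_name, lx, search_key)
    return conn.execute(sql).fetchall()


def escape_like(value, esc="\\"):
    # Escape LIKE wildcards so user text is matched literally, not as a pattern.
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def safe_where(src_name, lx, search_key):
    # lx is documented as 0 or 1 in the JSP comment; reject anything else up front.
    if lx not in ("0", "1"):
        raise ValueError("lx must be '0' or '1'")
    # The SQL text holds only placeholders; the values travel as bind parameters
    # and therefore cannot alter the query structure.
    clause = ("(SI03 LIKE ? ESCAPE '\\' AND SI10 = ?) "
              "OR SI01 LIKE ? ESCAPE '\\' OR SI02 LIKE ? ESCAPE '\\'")
    key = "%" + escape_like(search_key) + "%"
    params = (escape_like(src_name) + "%", lx, key, key)
    return clause, params


def query_safe(conn, src_name, lx, search_key):
    clause, params = safe_where(src_name, lx, search_key)
    return conn.execute("SELECT SI01 FROM sort_item WHERE " + clause, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    # An ordinary apostrophe breaks the concatenated query outright.
    try:
        query_vulnerable(db, "/nowhere", "0", "O'Brien")
    except sqlite3.Error as e:
        print("concatenated query failed:", e)
    print("parameterised query:", query_safe(db, "/nowhere", "0", "O'Brien"))
    # A bare '%' acts as a wildcard in the concatenated form, but is literal when escaped.
    print("concatenated, search '%':", query_vulnerable(db, "/nowhere", "0", "%"))
    print("parameterised, search '%':", query_safe(db, "/nowhere", "0", "%"))
```

Two things the contrast shows: with bind parameters, a value containing a quote is simply data, and escaping `%`/`_` keeps a user-supplied search string from becoming a pattern that matches every row. The same approach applies to the JSP if `getSortByWhere` is changed to accept a clause plus a parameter list and execute it through a `PreparedStatement`.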

Proof of vulnerability:

1.http://www.elkay.com.cn/sys/sortListUI.jsp?searchKeyvalue=*

![y.jpg](https://images.seebug.org/upload/201408/13231142562d1947a756b34f161ee25395aecbb1.jpg)

2.http://oa.danzi.com.cn:9090/sys/sortListUI.jsp?searchKeyvalue=*

![y.jpg](https://images.seebug.org/upload/201408/13231839b95afb939e393dd95b4da37cd9f62d92.jpg)

3.http://fsd2014.f3322.org:9090/sys/sortListUI.jsp?searchKeyvalue=*

![y.jpg](https://images.seebug.org/upload/201408/13231913d71f26e580f5c429539fe93531a422ca.jpg)

4.http://220.168.210.109:9090/sys/sortListUI.jsp?searchKeyvalue=*

![y.jpg](https://images.seebug.org/upload/201408/132322478c0c3188cbcaca86a195f72e9be234f0.jpg)

5.http://oa.shunhengli.com:9090/sys/sortListUI.jsp?searchKeyvalue=*

![y.jpg](https://images.seebug.org/upload/201408/132324546b47bcb66218153cd4a6bb75e9997cfb.jpg)