用友协作办公平台通用多处SQL注入

2014-08-13T00:00:00
ID SSV:93238
Type seebug
Reporter Root
Modified 2014-08-13T00:00:00

Description

简要描述:

RT

详细说明:

开发公司:用友软件 程序名称:FE协作办公平台 漏洞类型:SQL注入(GET) 漏洞文件:assetsGroupReport目录下多文件存在注入

/assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01 /assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01 /assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01 /assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01 /assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01 /assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01 /assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

漏洞参数:unitCode 是否需要登录:否 关键字:intitle:FE协作办公平台 涉及版本:5.5.2/5.5版本 第一处: /assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01 源码分析一下:

<% User user = (User) ResourceManage.getSession("User"); String unitCode=request.getParameter("unitCode"); String cVenCode=request.getParameter("cVenCode"); String startDate=request.getParameter("startDate"); String endDate=request.getParameter("endDate"); if(unitCode==null || "".equals(unitCode)){ unitCode=user.getUnitId().toString(); } if(cVenCode==null || "".equals(cVenCode)){ cVenCode=HtmlFormat.format(""); } if(startDate==null || "".equals(startDate)){ startDate=HtmlFormat.format(""); } if(endDate==null || "".equals(endDate)){ endDate=HtmlFormat.format(new Date()); } FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far"); DataTable dt=far.getVendorContacts(cVenCode,startDate,endDate,unitCode);//参数带入getVendorContacts方法,未过滤 %>

跟踪到getVendorContacts

public DataTable getVendorContacts(String vCode, String startDate, String endDate, String unitCode) { String sql = ""; if (1 == this.dao.getDataBaseType()) { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,v.VENDOR_NAME,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(h.BUY_DATE,'yyyy-MM-dd') BUY_DATE from " + this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t," + this.dao.getTableName("VENDOR_INFO") + " v " + " where t.TYPE_CODE=h.ASSETS_TYPE and v.VENDOR_CODE=h.VENDOR_NAME and h.FIXED_TYPE='1' "; } else { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,v.VENDOR_NAME,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE from " + this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t," + this.dao.getTableName("VENDOR_INFO") + " v " + " where t.TYPE_CODE=h.ASSETS_TYPE and v.VENDOR_CODE=h.VENDOR_NAME and h.FIXED_TYPE='1' "; } if ((unitCode != null) && (!"".equals(unitCode))) {//参数只判断是否为null,就带入SQL语句了,注入产生 sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'"; } if ((vCode != null) && (!"".equals(vCode))) { sql = sql + " and v.VENDOR_CODE='" + vCode + "'"; } if ((startDate != null) && (!"".equals(startDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) "; } else { sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) "; } } if ((endDate != null) && (!"".equals(endDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) "; } else { sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) "; } } return this.dao.getDataTable(sql, 1, 2147483647); }

实例演示: 1. FE协作办公平台 5.5.2 http://oa.hzuf.com:9090//assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/122215095be0418ae7ecc3f708fecbe11064daf8.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

  1. FE协作办公平台 5.5 http://oa.peizheng.net.cn/assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/12221605afd9b5681bfed010ced2433c293fe0d1.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

第二处: /assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01 代码分析:

&lt;% User user = (User) ResourceManage.getSession("User"); String unitCode=request.getParameter("unitCode"); String deptCode=request.getParameter("deptCode"); String startDate=request.getParameter("startDate"); String endDate=request.getParameter("endDate"); String key=request.getParameter("key"); if(unitCode==null || "".equals(unitCode)){ unitCode=user.getUnitId().toString(); } if(deptCode==null || "".equals(deptCode)){ deptCode=HtmlFormat.format(""); } if(key==null || "".equals(key)){ key=HtmlFormat.format(""); } if(startDate==null || "".equals(startDate)){ startDate=HtmlFormat.format(""); } if(endDate==null || "".equals(endDate)){ endDate=HtmlFormat.format(new Date()); } FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far"); DataTable dt=far.getNoFixedAssetsList(deptCode,startDate,endDate,key,unitCode);//这里参数带入了getNoFixedAssetsList方法,之前未作过滤处理 %&gt;

跟踪到getNoFixedAssetsList方法体:

public DataTable getNoFixedAssetsList(String detpNo, String startDate, String endDate, String key, String unitCode) { String sql = ""; if (1 == this.dao.getDataBaseType()) { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(h.BUY_DATE,'yyyy-MM-dd') BUY_DATE,SU02,h.LOCATION from " + this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " + " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='0' and h.ASSETS_STATUS&lt;4 "; } else { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE,SU02,h.LOCATION from " + this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " + " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='0' and h.ASSETS_STATUS&lt;4 "; } if ((unitCode != null) && (!"".equals(unitCode))) {//这里只是判断是否为null,就带入SQL语句了,导致注入 sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'"; } if ((detpNo != null) && (!"".equals(detpNo))) { sql = sql + " and SG00='" + detpNo + "'"; } if ((startDate != null) && (!"".equals(startDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')&gt;=substr('" + startDate + "',0,10) "; } else { sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)&gt;=Convert(varchar(10),'" + startDate + "',120) "; } } if ((endDate != null) && (!"".equals(endDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')&lt;=substr('" + endDate + "',0,10) "; } else { sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)&lt;=Convert(varchar(10),'" + endDate + "',120) "; } } if ((key != null) && (!"".equals(key))) { sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')"; } sql = sql + " order by SG02,BUY_DATE"; return this.dao.getDataTable(sql, 1, 2147483647); }

实例演示; 1. FE协作办公平台 5.5.2 http://oa.hzuf.com:9090/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/122219251dbee738728cf0124ddee00663d1665e.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

文件参数有区别,只能这样证明不同文件了 2. FE协作办公平台 5.5 http://oa.peizheng.net.cn/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/122220483e8f513c86a34ca3dc25b638e900e477.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

第三处: /assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01 代码分析:

&lt;% User user = (User) ResourceManage.getSession("User"); String unitCode=request.getParameter("unitCode"); String deptCode=request.getParameter("deptCode"); String startDate=request.getParameter("startDate"); String endDate=request.getParameter("endDate"); String key=request.getParameter("key"); if(unitCode==null || "".equals(unitCode)){ unitCode=user.getUnitId().toString(); } if(deptCode==null || "".equals(deptCode)){ deptCode=HtmlFormat.format(""); } if(key==null || "".equals(key)){ key=HtmlFormat.format(""); } if(startDate==null || "".equals(startDate)){ startDate=HtmlFormat.format(""); } if(endDate==null || "".equals(endDate)){ endDate=HtmlFormat.format(new Date()); } FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far"); DataTable dt=far.getAssetsScrapList(deptCode,startDate,endDate,key,unitCode);//参数未过滤带入getAssetsScrapList方法 %&gt;

跟踪到getAssetsScrapList方法体:

public DataTable getAssetsScrapList(String detpNo, String startDate, String endDate, String key, String unitCode) { String sql = ""; if (1 == this.dao.getDataBaseType()) { sql = "select h.ID,SG02,SU02,h.ASSETS_NAME,s.TYPE,(CASE WHEN s.ASSETS_TYPE=1 THEN '是固定资产' ELSE '非固定资产' END)as ASSETS_TYPE,s.ASSETS_NO,s.NORM_MODEL,s.MANUFACTURER,s.BUY_DATE,s.USE_DATE,s.USE_YEAR,s.ASSETS_VALUE,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE from " + this.dao.getTableName("ASSETS_SCRAP") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP,SYS_USERS " + " where s.ASSETS_ID=h.ID and s.APPLY_DEPT=SG00 and h.USE_USER=SU00 and s.STATUS=2 "; } else { sql = "select h.ID,SG02,SU02,h.ASSETS_NAME,s.TYPE,(CASE WHEN s.ASSETS_TYPE=1 THEN '是固定资产' ELSE '非固定资产' END)as ASSETS_TYPE,s.ASSETS_NO,s.NORM_MODEL,s.MANUFACTURER,s.BUY_DATE,s.USE_DATE,s.USE_YEAR,s.ASSETS_VALUE,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE from " + this.dao.getTableName("ASSETS_SCRAP") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP,SYS_USERS " + " where s.ASSETS_ID=h.ID and s.APPLY_DEPT=SG00 and h.USE_USER=SU00 and s.STATUS=2 "; } if ((unitCode != null) && (!"".equals(unitCode))) { //这里通用只是判断是否为null,就带入SQL语句拼接了,注入产生 sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'"; } if ((detpNo != null) && (!"".equals(detpNo))) { sql = sql + " and SG00='" + detpNo + "'"; } if ((startDate != null) && (!"".equals(startDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')&gt;=substr('" + startDate + "',0,10) "; } else { sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)&gt;=Convert(varchar(10),'" + startDate + "',120) "; } } if ((endDate != null) && (!"".equals(endDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')&lt;=substr('" + endDate + "',0,10) "; } else { sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)&lt;=Convert(varchar(10),'" + endDate + "',120) "; } } if ((key != null) && (!"".equals(key))) { sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')"; } sql = sql + " order by SG00,APPLY_DATE"; return this.dao.getDataTable(sql, 1, 2147483647); } }

实例演示: 1. FE协作办公平台 5.5.2 http://oa.hzuf.com:9090/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/122222477dda1f9d5f5d0a98d2055813e9b63cb0.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

  1. FE协作办公平台 5.5 http://oa.peizheng.net.cn/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/12222531fdc3cb0cc839628842516227a77a96b7.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

第四处: /assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01 源码分析:

&lt;% User user = (User) ResourceManage.getSession("User"); String unitCode=request.getParameter("unitCode"); String deptCode=request.getParameter("deptCode"); String startDate=request.getParameter("startDate"); String endDate=request.getParameter("endDate"); String key=request.getParameter("key"); if(unitCode==null || "".equals(unitCode)){ unitCode=user.getUnitId().toString(); } if(deptCode==null || "".equals(deptCode)){ deptCode=HtmlFormat.format(""); } if(key==null || "".equals(key)){ key=HtmlFormat.format(""); } if(startDate==null || "".equals(startDate)){ startDate=HtmlFormat.format(""); } if(endDate==null || "".equals(endDate)){ endDate=HtmlFormat.format(new Date()); } FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far"); DataTable dt=far.getFixedAssetsList(deptCode,startDate,endDate,key,unitCode);//参数直接带入getFixedAssetsList方法 %&gt;

跟踪到getFixedAssetsList方法体:

public DataTable getFixedAssetsList(String detpNo, String startDate, String endDate, String key, String unitCode) { String sql = ""; if (1 == this.dao.getDataBaseType()) { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(BUY_DATE,'yyyy-MM-dd') BUY_DATE,SU02,h.LOCATION from " + this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " + " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='1' and h.ASSETS_STATUS&lt;4 "; } else { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE,SU02,h.LOCATION from " + this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " + " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='1' and h.ASSETS_STATUS&lt;4 "; } if ((unitCode != null) && (!"".equals(unitCode))) {////看到这里,就知道注入有了 sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'"; } if ((detpNo != null) && (!"".equals(detpNo))) { sql = sql + " and SG00='" + detpNo + "'"; } if ((startDate != null) && (!"".equals(startDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')&gt;=substr('" + startDate + "',0,10) "; } else { sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)&gt;=Convert(varchar(10),'" + startDate + "',120) "; } } if ((endDate != null) && (!"".equals(endDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')&lt;=substr('" + endDate + "',0,10) "; } else { sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)&lt;=Convert(varchar(10),'" + endDate + "',120) "; } } if ((key != null) && (!"".equals(key))) { sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')"; } sql = sql + " order by SG02,BUY_DATE"; return this.dao.getDataTable(sql, 1, 2147483647); }

实例演示: 1. FE协作办公平台 5.5.2 http://oa.hzuf.com:9090/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/12223011589c85897d0b62bbae856bfa496ccac7.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

  1. FE协作办公平台 5.5 http://oa.peizheng.net.cn/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/1222280977418c1dff50297611d19eadd9acea7f.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

漏洞证明:

第五处: /assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01 源码分析:

&lt;% User user = (User) ResourceManage.getSession("User"); String unitCode=request.getParameter("unitCode"); String deptCode=request.getParameter("deptCode"); String startDate=request.getParameter("startDate"); String endDate=request.getParameter("endDate"); if(unitCode==null || "".equals(unitCode)){ unitCode=user.getUnitId().toString(); } if(deptCode==null || "".equals(deptCode)){ deptCode=HtmlFormat.format(""); } if(startDate==null || "".equals(startDate)){ startDate=HtmlFormat.format(""); } if(endDate==null || "".equals(endDate)){ endDate=HtmlFormat.format(new Date()); } FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far"); DataTable dt=far.getAssetsTestList(deptCode,startDate,endDate,unitCode);//参数未过滤带入方法getAssetsTestList中 %&gt;

跟踪到getAssetsTestList方法体:

public DataTable getAssetsTestList(String detpNo, String startDate, String endDate, String unitCode) { String sql = ""; if (1 == this.dao.getDataBaseType()) { sql = "select DEFASSETS1,DEFASSETS2,DEFASSETS3,DEFASSETS4,DEFASSETS5,ID,SG02,SU02,ASSETS_NO,QUANTITY,ASSETS_NAME,NORM_MODEL,LOCATION,to_char(BUY_DATE,'yyyy-MM-dd')as BUY_DATE,MANUFACTURER,TEST_CYCLE,TEST_UNIT,to_char(LAST_DATE,'yyyy-MM-dd') LAST_DATE,to_char(NEXT_DATE,'yyyy-MM-dd') NEXT_DATE from " + this.dao.getTableName("ASSETS_HUB") + ",SYS_GROUP,SYS_USERS " + " where USE_DEPT=SG00 and USE_USER=SU00 and TEST_TYPE='1' and ASSETS_STATUS&lt;4 "; } else { sql = "select DEFASSETS1,DEFASSETS2,DEFASSETS3,DEFASSETS4,DEFASSETS5,ID,SG02,SU02,ASSETS_NO,QUANTITY,ASSETS_NAME,NORM_MODEL,LOCATION,Convert(VarChar(10),BUY_DATE,120) BUY_DATE,MANUFACTURER,TEST_CYCLE,TEST_UNIT,Convert(VarChar(10),LAST_DATE,120) LAST_DATE,Convert(VarChar(10),NEXT_DATE,120) NEXT_DATE from " + this.dao.getTableName("ASSETS_HUB") + ",SYS_GROUP,SYS_USERS " + " where USE_DEPT=SG00 and USE_USER=SU00 and TEST_TYPE='1' and ASSETS_STATUS&lt;4 "; } if ((unitCode != null) && (!"".equals(unitCode))) {//类似的判断,不多说了 sql = sql + " and UNITCODE='" + getUnitCode(unitCode) + "'"; } if ((detpNo != null) && (!"".equals(detpNo))) { sql = sql + " and SG00='" + detpNo + "'"; } if ((startDate != null) && (!"".equals(startDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(NEXT_DATE,'yyyy-MM-dd')&lt;='" + startDate + "' "; } else { sql = sql + " and Convert(varchar(10),NEXT_DATE,120)&lt;=Convert(varchar(10),'" + startDate + "',120) "; } } if ((endDate != null) && (!"".equals(endDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(NEXT_DATE,'yyyy-MM-dd')&lt;='" + endDate + "' "; } else { sql = sql + " and Convert(varchar(10),NEXT_DATE,120)&lt;=Convert(varchar(10),'" + endDate + "',120) "; } } sql = sql + " order by SG02,NEXT_DATE asc"; System.out.println("===============" + sql); return this.dao.getDataTable(sql, 1, 2147483647); }

实例证明: 1. FE协作办公平台 5.5.2 http://oa.hzuf.com:9090/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/1222304969c6306b0852b39a645b88bee9e86d6c.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

  1. FE协作办公平台 5.5 http://oa.peizheng.net.cn/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/12223139a865b017a297fa2d930ad1b676ea270b.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

第六处: /assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01 源码分析:

&lt;% User user = (User) ResourceManage.getSession("User"); String unitCode=request.getParameter("unitCode"); String deptCode=request.getParameter("deptCode"); String startDate=request.getParameter("startDate"); String endDate=request.getParameter("endDate"); if(unitCode==null || "".equals(unitCode)){ unitCode=user.getUnitId().toString(); } if(deptCode==null || "".equals(deptCode)){ deptCode=HtmlFormat.format(""); } if(startDate==null || "".equals(startDate)){ startDate=HtmlFormat.format(""); } if(endDate==null || "".equals(endDate)){ endDate=HtmlFormat.format(new Date()); } FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far"); DataTable dt=far.getAssetsTest(deptCode,startDate,endDate,unitCode);//参数带入getAssetsTest方法 %&gt;

跟踪到getAssetsTest方法体:

public DataTable getAssetsTest(String detpNo, String startDate, String endDate, String unitCode) { String sql = ""; if (1 == this.dao.getDataBaseType()) { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE,s.NORM_MODEL,s.MANUFACTURER,s.TEST_UNIT,s.CERTIFI_NO,s.TEST_PRICE,to_char(s.NEXT_DATE,'yyyy-MM-dd')as NEXT_DATE,s.TEST_RESULT from " + this.dao.getTableName("ASSETS_TEST") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " + " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'"; } else { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE,s.NORM_MODEL,s.MANUFACTURER,s.TEST_UNIT,s.CERTIFI_NO,s.TEST_PRICE,Convert(VarChar(10),s.NEXT_DATE,120) NEXT_DATE,s.TEST_RESULT from " + this.dao.getTableName("ASSETS_TEST") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " + " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'"; } if ((unitCode != null) && (!"".equals(unitCode))) {//判断一模一样,同一人写的吧 sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'"; } if ((detpNo != null) && (!"".equals(detpNo))) { sql = sql + " and g.SG00='" + detpNo + "'"; } if ((startDate != null) && (!"".equals(startDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')&gt;='" + startDate + "' "; } else { sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)&gt;=Convert(varchar(10),'" + startDate + "',120) "; } } if ((endDate != null) && (!"".equals(endDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')&lt;='" + endDate + "' "; } else { sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)&lt;=Convert(varchar(10),'" + endDate + "',120) "; } } return this.dao.getDataTable(sql, 1, 2147483647); }

实例演示,换两站演示: 1. FE协作办公平台 5.5.2 http://gzwnq.88ip.cn:9090/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/122240004b83675f12c6ac080fcdc30b8bc4a902.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

2. http://oa.suncorps.cn/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/12223926021d625e74bad3e7aeada4d65e8cf8c7.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

第七处: /assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01 源码分析:

&lt;% User user = (User) ResourceManage.getSession("User"); String unitCode=request.getParameter("unitCode"); String deptCode=request.getParameter("deptCode"); String startDate=request.getParameter("startDate"); String endDate=request.getParameter("endDate"); if(unitCode==null || "".equals(unitCode)){ unitCode=user.getUnitId().toString(); } if(deptCode==null || "".equals(deptCode)){ deptCode=HtmlFormat.format(""); } if(startDate==null || "".equals(startDate)){ startDate=HtmlFormat.format(""); } if(endDate==null || "".equals(endDate)){ endDate=HtmlFormat.format(new Date()); } FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far"); DataTable dt=far.getAssetsService(deptCode,startDate,endDate,unitCode);//参数带入getAssetsService方法 %&gt;

跟踪到getAssetsService方法体:

public DataTable getAssetsService(String detpNo, String startDate, String endDate, String unitCode) { String sql = ""; if (1 == this.dao.getDataBaseType()) { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE,s.NORM_MODEL,s.ASSETS_VALUE,s.MANUFACTURER,s.SERVICE_UNIT,s.SERVICE_PRICE,s.SERVICE_TEL,s.SERVICE_RESULT from " + this.dao.getTableName("ASSETS_SERVICE") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " + " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'"; } else { sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE,s.NORM_MODEL,s.ASSETS_VALUE,s.MANUFACTURER,s.SERVICE_UNIT,s.SERVICE_PRICE,s.SERVICE_TEL,s.SERVICE_RESULT from " + this.dao.getTableName("ASSETS_SERVICE") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " + " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'"; } if ((unitCode != null) && (!"".equals(unitCode))) {//又是这样的判断。。 sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'"; } if ((detpNo != null) && (!"".equals(detpNo))) { sql = sql + " and g.SG00='" + detpNo + "'"; } if ((startDate != null) && (!"".equals(startDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')&gt;='" + startDate + "' "; } else { sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)&gt;=Convert(varchar(10),'" + startDate + "',120) "; } } if ((endDate != null) && (!"".equals(endDate))) { if (1 == this.dao.getDataBaseType()) { sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')&lt;='" + endDate + "' "; } else { sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)&lt;=Convert(varchar(10),'" + endDate + "',120) "; } } return this.dao.getDataTable(sql, 1, 2147483647); }

实例演示: 1. FE协作办公平台 5.5.2 http://oa.suncorps.cn/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/122245080285e281bfb72ac67a54b9cad86ef359.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

2. http://gzwnq.88ip.cn:9090/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

<img src="https://images.seebug.org/upload/201408/1222460915d31fc508a7ed23e2d347a50bbd55c5.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">