Yonyou Software Collaborative Office Platform: Generic SQL Injection with DBA Privileges (Part 2)

2014-08-13T00:00:00
ID SSV:93348
Type seebug
Reporter Root
Modified 2014-08-13T00:00:00

Description

Brief description:

As the title says.

Details:

Google keyword: intitle:"fe协作"
Injection point: common\selectUDR.jsp?id=*

```
<%
//String sIsModelWindow="0";
UserAnalyse userAnalyse=(UserAnalyse)ResourceManage.getContext("userAnalyse");
String saveValue=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("id"))); // injection point
String isModel=HtmlFormat.format(request.getParameter("isModel"));
String tagValue=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("tagValue")));
String tagShow=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("tagShow")));
String showValue="";
saveValue="null".equals(saveValue)?"":saveValue;
//if("".equals(saveValue)){
//saveValue="null".equals(tagValue)?"":tagValue;
//}
Map map=null;
// The request-derived value is handed to the user lookup here
if(!"".equals(saveValue)) map=userAnalyse.getAllUserName(saveValue);
if(map!=null){
    for(Iterator it=map.keySet().iterator();it.hasNext();){
        String v=(String)it.next();
        if(v!=null) showValue+=v+",";
    }
    if(!"".equals(showValue)){
        showValue=showValue.substring(0,showValue.lastIndexOf(","));
    }
}
String promptStr=request.getParameter("code");

%>
```
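A hardened way to handle the `id` parameter, as an added example that is not code from the product or from the original report. It assumes that `getAllUserName` concatenates the value into a SQL statement (the page does not show that method) and that ids are comma-separated numbers; the class name `SafeUserLookup`, the helper names, and the table and column names are hypothetical.

```java
import java.sql.*;
import java.util.*;
import java.util.regex.Pattern;

public class SafeUserLookup {
    // Assumption: ids are comma-separated decimal numbers, at most 200 per request.
    private static final Pattern ID = Pattern.compile("[0-9]{1,18}");
    private static final int MAX_IDS = 200;

    // Allow-list parse of the raw "id" parameter; anything that is not a number list is rejected.
    static List<Long> parseIds(String raw) {
        List<Long> ids = new ArrayList<>();
        if (raw == null || raw.isEmpty() || "null".equals(raw)) return ids;
        for (String part : raw.split(",", -1)) {
            String p = part.trim();
            if (!ID.matcher(p).matches()) throw new IllegalArgumentException("invalid id");
            ids.add(Long.parseLong(p));
        }
        if (ids.size() > MAX_IDS) throw new IllegalArgumentException("too many ids");
        return ids;
    }

    // Statement text with one bind marker per id; no request data enters the SQL string.
    static String buildQuery(int n) {
        // Hypothetical table and column names.
        return "SELECT user_name FROM sys_users WHERE user_id IN ("
                + String.join(",", Collections.nCopies(n, "?")) + ")";
    }

    // Parameterized replacement for a concatenating lookup; values are bound, never spliced.
    static List<String> getAllUserName(Connection c, List<Long> ids) throws SQLException {
        List<String> names = new ArrayList<>();
        if (ids.isEmpty()) return names;
        try (PreparedStatement ps = c.prepareStatement(buildQuery(ids.size()))) {
            for (int i = 0; i < ids.size(); i++) ps.setLong(i + 1, ids.get(i));
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) names.add(rs.getString(1));
            }
        }
        return names;
    }

    public static void main(String[] args) {
        System.out.println(buildQuery(parseIds("12, 57,903").size())); // constructed input
        try { parseIds("1 OR 1=1"); }                                   // constructed input
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running `main` needs no database: it only exercises the parsing and statement-building steps, while `getAllUserName` shows how the validated ids are bound.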

Proof of vulnerability:

1.http://119.145.194.122:9090/common/selectUDRTree.jsp?id=1*

<img src="https://images.seebug.org/upload/201408/13081952daf1df3ab14fd2954bc5097ababff33a.jpg" alt="y.jpg" width="600">

2.http://220.168.210.109:9090/common/selectUDR.jsp?id=1*

<img src="https://images.seebug.org/upload/201408/13083157d35bacab765169c8aec2e4116862e2ac.jpg" alt="y.jpg" width="600">

3.http://fsd2014.f3322.org:9090/common/selectUDR.jsp?id=1* --dbms=mssql

<img src="https://images.seebug.org/upload/201408/130832099ea7640d7c6c9e51164042067704be6a.jpg" alt="yy.jpg" width="600">