### Brief description:

Another universal SQL injection in the Yonyou (用友) collaborative office platform. Since the vast majority of deployments run on MSSQL, the database privileges are very high, and the shell that comes back is either system or administrator.

### Details:

#1 Vulnerable file: /witapprovemanage/appraupNew.jsp

The vulnerable code is as follows:

```
<%
Dao dao = (Dao)ResourceManage.getContext("dao");
String master_key = "";
FieldSet fswm = null;
String tablenameStr = "";
if(request.getParameter("flowid")!=null){
    master_key = request.getParameter("flowid"); // receives the flowid parameter
    fswm = dao.getFieldSetByFilter(dao.getTableName("WF_MODEL"), " WM00= '" + master_key + "'");
    tablenameStr = fswm.getString("WM04");
}
String resid = "";
if(request.getParameter("resid")!=null){
    resid = request.getParameter("resid");
}
// look up the resource information by resid
FieldSet resourceSet = null;
String resType = "";
resourceSet = dao.getFieldSetByFilter(dao.getTableName("APPRV_RESOURCE"), " ID= '" + resid + "'");
resType = resourceSet.getString("TYPE");
String restype = "";
if(request.getParameter("restype")!=null){
    restype = request.getParameter("restype");
}
String nodeid = "";
if(request.getParameter("nodeid")!=null){
    nodeid = request.getParameter("nodeid");
}
WitCollocate wit = (WitCollocate)ResourceManage.getContext("witCollocate");
//FieldSet fs = wit.getApprvFlowById("1");
FieldSet fs = null;
String id = "";
DataTable fstable = null;
// when this is a node configuration
if(restype.equals("2")){
    fstable = dao.getDataTable("select * from " + dao.getTableName("apprv_flow") + " where flowid=" + master_key + " and resid=" + resid, 1, Integer.MAX_VALUE); // the parameter is concatenated straight into the SQL query here
```

As can be seen, the flowid parameter is concatenated into the SQL statement without any filtering, which results in a SQL injection vulnerability.

### Proof of vulnerability:

#2 Testing with sqlmap

Since there are plenty of instances online, two cases were again picked at random for verification.
Case 1:

```
http://oa.xhlbdc.com//witapprovemanage/appraupNew.jsp?flowid=1&resid=2&restype=3&nodeid=4
```

![1.jpg](https://images.seebug.org/upload/201405/162114370f3c2162b54664c69d423d6056591448.jpg)

The result is shown in the figure:

![2.jpg](https://images.seebug.org/upload/201405/162117162b3ccad2bb41eca3ef228fd9feba1a3e.jpg)

Case 2:

```
http://218.205.208.22:9090//witapprovemanage/appraupNew.jsp?flowid=1&resid=2&restype=3&nodeid=4
```

![3.jpg](https://images.seebug.org/upload/201405/162119498bfdca1a0bb7461e5d937e52ced4d050.jpg)

The result is shown below:

![4.jpg](https://images.seebug.org/upload/201405/16213943e71464745b78588f6afae1dafd06fdae.jpg)

#3 Privilege test

The privileges are all very high; an administrator account can be added directly.

```
win-fo48a1najvj\administrator
```

![5.jpg](https://images.seebug.org/upload/201405/16213802dd52fffa6c46c0305656ab6e46d6e4bc.jpg)
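For comparison, here is a hardened form of the two lookups shown in #1 (the quoted `WM00 = '...'` filter and the unquoted `flowid=... and resid=...` query). This is an added example, not code from the report or from Yonyou: it uses plain JDBC `PreparedStatement` because the page does not show whether the platform's `Dao` class offers a parameterised variant, and the class and method names below are chosen for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Hardened replacement for the lookups in appraupNew.jsp (illustrative class name).
 * Request values never reach the SQL text; they are bound as typed parameters.
 */
public class ApprvFlowLookup {

    /** flowid/resid are numeric ids: accept digits only, reject everything else up front. */
    static long requireId(String raw, String name) {
        if (raw == null || !raw.matches("\\d{1,18}")) {
            throw new IllegalArgumentException("invalid " + name);
        }
        return Long.parseLong(raw);
    }

    /**
     * Replaces: " WM00= '" + master_key + "'" (quoted string concatenation).
     * A bound string parameter cannot break out of the quotes, so the "'" trick stops working.
     */
    static PreparedStatement wfModelByKey(Connection conn, String wfModelTable,
                                          String masterKey) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT * FROM " + wfModelTable + " WHERE WM00 = ?");
        ps.setString(1, masterKey);
        return ps;
    }

    /**
     * Replaces: "select * from " + table + " where flowid=" + master_key + " and resid=" + resid.
     * Table names cannot be bound, so apprvFlowTable must come from trusted configuration
     * (as dao.getTableName(...) does on the page), never from the request.
     */
    static PreparedStatement flowByIds(Connection conn, String apprvFlowTable,
                                       String flowidParam, String residParam) throws SQLException {
        long flowid = requireId(flowidParam, "flowid");
        long resid = requireId(residParam, "resid");
        PreparedStatement ps = conn.prepareStatement(
                "SELECT * FROM " + apprvFlowTable + " WHERE flowid = ? AND resid = ?");
        ps.setLong(1, flowid);
        ps.setLong(2, resid);
        return ps;
    }
}
```

Callers execute the returned statement inside try-with-resources so the statement and result set are closed. The administrator shell in #3 is only reachable because the application's database login is highly privileged; running it as a restricted login limits what any remaining injection could do.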