### Brief description:
Multiple universal SQL injection vulnerabilities exist under one directory of the Yonyou (用友) collaborative office platform; the same payload works against every deployment, so a large number of systems are affected.
Tips: almost all of them run with the highest privilege (nt authority\system). Oh my..
### Details:
#1 Vulnerable files
Multiple files under the system's /sysform/ directory are vulnerable to SQL injection.
The vulnerable files are (check further; there are probably more than those listed here):
```
/sysform/003/editflow_manager.jsp?option=2&GUID=1111
/sysform/003/share_select.jsp?type=2&fid=111
/sysform/004/addPlugin.jsp?ContainerId=111&flag=1
/sysform/017/cardContent.jsp
/sysform/994/464-1.jsp?oldtypeCur=11&SYS_CODE_KEY=1
```
Two of them are picked out and their source code is shown below.
/sysform/003/editflow_manager.jsp
```
<%@page import="fe.dao.FieldSet"%>
<%@page import="fe.dao.DataTable"%>
<%@page import="fe.util.StringUtil"%>
<%@page import="fe.dao.Dao"%>
<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
<%@page import="fe.res.ResourceManage"%>
<%@page import="fe.workflow.cooperation.CflowworkService"%>
<%
//Zero.lu 2012/08/03 Fixed the bug where, in Sent collaborations/Sent items, clicking "view collaboration" after a countersign showed a blank page. Changed the original SUBMIT approach to an AJAX call and delete the node from the WF_INFOR table. begin
String option = request.getParameter("option");
if ("1".equals(option)) {
CflowworkService service = (CflowworkService)ResourceManage.getContext("cflowworkService");
String inforId = request.getParameter("inforId");
service.editFlow(inforId);
} else if ("2".equals(option)) {
String GUID = request.getParameter("GUID");//read the GUID parameter from the request
Dao dao = (Dao)ResourceManage.getContext("basicDao");
//String sql = "select WI13 from " + dao.getTableName("WF_INFOR") + " where WI62=?";//the parameterised form, left commented out
String sql = "select WI13 from " + dao.getTableName("WF_INFOR") + " where WI62='"+ GUID +"'";//GUID is concatenated straight into the SQL query
String procType = dao.getStringData(sql);
out.print(procType);
}
%>
```
/sysform/003/share_select.jsp
```
<%@page import="fe.dao.Dao"%>
<%@page import="fe.res.ResourceManage"%>
<%-- the excerpt in the report does not show where the User class is imported from --%>
<%
String type=request.getParameter("type");
if("2".equals(type)){
String fid=request.getParameter("fid");//read the fid parameter from the request
Dao dao=(Dao)ResourceManage.getContext("dao");
String userId=dao.getStringData("SELECT COL_MDL_USERID FROM SYS_COLLABORATIVE_MOUDLE WHERE ID="+fid);//fid is concatenated straight into the SQL statement
User user=(User)ResourceManage.getRequest().getSession().getAttribute("User");
String userID="";
if(user!=null)userID=user.getUserID();
if(!userID.equals(userId))
out.print("<script>alert(\"该模板不允许被共享\");window.close();</script>");
}
%>
```
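As an added example that is not part of the original report or the vendor's code, the two queries above rewritten with bound parameters, which is the approach the commented-out `where WI62=?` line in editflow_manager.jsp already points at. The `javax.sql.DataSource`, the `tablePrefix` standing in for `dao.getTableName(...)`, and the class and method names are assumptions; the table and column names are the ones in the report.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

// Hardened versions of the two queries. Table and column names come from the report;
// the DataSource and the tablePrefix (standing in for dao.getTableName) are assumptions.
public class SysformQueries {
    private final DataSource ds;
    private final String tablePrefix; // configuration value, never taken from the request

    public SysformQueries(DataSource ds, String tablePrefix) {
        this.ds = ds;
        this.tablePrefix = tablePrefix;
    }

    // editflow_manager.jsp, option=2: the GUID is bound as a value, so quotes or SQL
    // keywords inside it are compared as literal text instead of changing the query.
    public String procTypeByGuid(String guid) throws SQLException {
        String sql = "SELECT WI13 FROM " + tablePrefix + "WF_INFOR WHERE WI62 = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, guid);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // share_select.jsp, type=2: ID is numeric in the original query, so the parameter is
    // parsed as a number first and bound with setLong; anything else never reaches the DB.
    public String ownerOfModule(String fidParam) throws SQLException {
        long fid;
        try {
            fid = Long.parseLong(fidParam == null ? "" : fidParam.trim());
        } catch (NumberFormatException e) {
            return null; // the caller already treats a null owner as "not shareable"
        }
        String sql = "SELECT COL_MDL_USERID FROM SYS_COLLABORATIVE_MOUDLE WHERE ID = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setLong(1, fid);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```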
Since the way this vulnerability arises is straightforward, I will not say more about it and go straight to testing.
#2 Testing with sqlmap
Since there are plenty of instances online, two cases were picked at random for verification..
Test one:
```
http://oa.kaili.net.cn:9090//sysform/003/editflow_manager.jsp?option=2&GUID=1111
```
![1.jpg](https://images.seebug.org/upload/201405/15174432bea359719030b622bb4312c87b610829.jpg)
Result as shown in the screenshot.
![2.jpg](https://images.seebug.org/upload/201405/1517455030507dfc87d12a5493a0d9eeefcf6b50.jpg)
### Proof of vulnerability:
Test two:
```
http://oa.bnuz.edu.cn:8080/sysform/003/editflow_manager.jsp?option=2&GUID=1111
```
![11.jpg](https://images.seebug.org/upload/201405/15174735db43e0931578f6a0ab565bf43d29eaff.jpg)
Result as shown in the screenshot.
![22.jpg](https://images.seebug.org/upload/201405/15174904193bef06bdb48be7388c0c5a0ccd288a.jpg)
#3 Data dumped
![33.jpg](https://images.seebug.org/upload/201405/151750029d909a86c07a9973fb483fac57f6b032.jpg)
All of them run with the highest privilege, nt authority\system.
![44.jpg](https://images.seebug.org/upload/201405/151751349c59f5a1cd09b9ccb494508cc98f453d.jpg)