### Brief description:
See title.
### Details:
Google keyword:
intitle:"fe协作"
Injection point:
witapprovemanage\report\staffleaveana.jsp?userid=*
```
<%@ page contentType="text/html; charset=GBK" language="java" errorPage="" %>
<jsp:directive.page import="fe.sys.User"/>
<jsp:directive.page import="fe.res.ResourceManage"/>
<jsp:directive.page import="fe.util.HtmlFormat"/>
<jsp:directive.page import="fe.dao.DataTable"/>
<jsp:directive.page import="fe.dao.FieldSet"/>
<jsp:directive.page import="java.util.Date"/>
<jsp:directive.page import="java.util.Map"/>
<jsp:directive.page import="fe.datapool.DataPool"/>
<jsp:directive.page import="fe.witmanage.service.WitResource"/>
<%@ taglib uri='/WEB-INF/tags/fe.tld' prefix='f'%>
<%
String userid = request.getParameter("userid"); // not filtered
Map mapStat= null;
if (!(userid == null || "".equals(userid))){
WitResource witResource=(WitResource)ResourceManage.getContext("witResource");
mapStat = witResource.analysisStaffLeave(userid); // passed into the query
}
%>
```
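A hardened counterpart to the excerpt above, as an added example that is not the vendor's code: the `userid` value is checked against an allow-list and then bound as a parameter instead of being carried into the SQL text. The class name, the id format, and the table and column names are assumptions, since the body of `analysisStaffLeave` is not shown on this page.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class StaffLeaveQuery {
    // Assumption: user ids are short alphanumeric tokens; adjust to the real id format.
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    /** Returns the id unchanged if it matches the allow-list, otherwise throws. */
    static String requireValidUserId(String raw) {
        if (raw == null || !USER_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid userid");
        }
        return raw;
    }

    /** Hypothetical replacement for the query behind analysisStaffLeave(userid). */
    static Map<String, Integer> analysisStaffLeave(Connection conn, String rawUserId)
            throws SQLException {
        String userId = requireValidUserId(rawUserId);
        // Table and column names are placeholders, not the product's schema.
        String sql = "SELECT leave_type, COUNT(*) FROM staff_leave WHERE user_id = ? GROUP BY leave_type";
        Map<String, Integer> stat = new HashMap<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userId); // bound as data, never concatenated into the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    stat.put(rs.getString(1), rs.getInt(2));
                }
            }
        }
        return stat;
    }

    public static void main(String[] args) {
        // Constructed inputs: two well-formed ids followed by malformed values.
        for (String s : new String[] {"1", "zhang_san", "*", "1'--", ""}) {
            System.out.println("[" + s + "] -> " + (USER_ID.matcher(s).matches() ? "accepted" : "rejected"));
        }
    }
}
```

The allow-list rejects malformed input early, but the bound parameter is what removes the injection; the JSP should also require an authenticated session before calling the service.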
### Proof of vulnerability:
#1. http://220.168.210.109:9090/witapprovemanage/report/staffleaveana.jsp?userid=1
![ys.jpg](https://images.seebug.org/upload/201408/1311201757f0e43b3bbe9f12adb2e30a9c569972.jpg)
#2. http://fsd2014.f3322.org:9090/witapprovemanage/report/staffleaveana.jsp?userid=*
![ys.jpg](https://images.seebug.org/upload/201408/1311335545e1b76638f25af6077682b76878e3fe.jpg)
#3. http://119.145.194.122:9090/witapprovemanage/report/staffleaveana.jsp?userid=1
![ys.jpg](https://images.seebug.org/upload/201408/131134263bcee0977c12d70e3e29c695227e8237.jpg)
Unauthorized access to sensitive information:
1. http://220.168.210.109:9090/security/addUser.jsp The groupId parameter is injectable (not fixed)
```
<%
String groupId=request.getParameter("groupId");
Dao dao=(Dao)ResourceManage.getContext("basicDao");
SqlUtil sqlUtil=(SqlUtil)ResourceManage.getContext("sqlUtil");
```
![y.jpg](https://images.seebug.org/upload/201408/13113103cc5edbcf30e51f082b802e86d0b6310b.jpg)
2. http://220.168.210.109:9090/security/addRole.jsp The dept parameter is injectable (not fixed)
```
String dept=StringUtil.ISOToGBK(request.getParameter("dept"));
Dao dao=(Dao)ResourceManage.getContext("basicDao");
```
![y.jpg](https://images.seebug.org/upload/201408/13113244e67e8c64a470ecd7a87e5cd90861925c.jpg)
3. http://119.145.194.122:9090/witapprovemanage/report/staffleaveana.jsp?userid=1
![y.jpg](https://images.seebug.org/upload/201408/13113320e922c38eb1efb41143ee3836e7d22f81.jpg)