### Brief description:
See title.
### Details:
The vulnerability is in the file /yyoa/checkWaitdo.jsp:
```jsp
<%
    uName = request.getParameter("userID"); // read the request parameter
    // System.out.println(uName);
    // Note: != on strings is a reference comparison in Java, so this check
    // effectively never filters anything
    if (uName != "null") {
        Connection con = ConnectionPoolBean.getConnection();
        //System.out.println("Problem records found by the manual check:");
        boolean l = false;
        try {
            // SQL built by direct string concatenation with no sanitization:
            // the userID parameter lands inside the LIKE clause
            uID = XiaoxsDbHelper.getInt(con, "select id from person where truename like '%" + uName + "%'");
            uName = XiaoxsDbHelper.getString(con, "select truename from person where id=" + uID + " and isaway=0 and delflag=0 ");
            allrun = XiaoxsDbHelper.getInt(con, "select allrun from waitdoctrl where perid=" + uID);
            for (int i = 1; i < 11; i++) {
                if (i == 1) {
                    mtypeName = "协同";
                    runName = "docrun";
                } else if (i == 2) {
                    mtypeName = "收文";
                    runName = "govrec";
                } else if (i == 3) {
                    mtypeName = "发文";
                    runName = "govsend";
                } else if (i == 4) {
                    mtypeName = "事件";
                    runName = "rout";
                } else if (i == 5) {
                    mtypeName = "会议";
                    runName = "meet";
                } else if (i == 6) {
                    mtypeName = "待发送";
                    runName = "exsend";
                } else if (i == 7) {
                    mtypeName = "待签收";
                    runName = "exrec";
                } else if (i == 8 || i == 9) {
                    continue;
                } else if (i == 10) {
                    mtypeName = "签报";
                    runName = "furun1";
                }
                l = checkDateIsRight(con, i, uID);
                // runName comes from the fixed assignments above; uID is the
                // integer resolved by the injectable query
                run = XiaoxsDbHelper.getInt(con, "select " + runName + " from waitdoctrl where perid=" + uID);
                // System.out.println("select "+runName+" from waitdoctrl where perid = "+uID);
%>
```
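As an added example, not Seeyon's code: the two lookups from the excerpt rewritten with JDBC bound parameters, which is the fix for the concatenation shown above. It assumes a `Connection` taken from the application's pool; the table and column names are those in the report's queries, while `WaitdoLookup`, `findPersonId`, `readCounter` and `escapeLike` are names chosen here.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class WaitdoLookup {
    // Escape LIKE metacharacters so the user's text is matched literally;
    // '!' is used as the ESCAPE character because it is portable across DBs.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    // Resolve a person id from a (partial) true name; returns -1 if none.
    static int findPersonId(Connection con, String uName) throws SQLException {
        // The original tested uName != "null", a reference comparison in Java
        // that catches neither a missing nor an empty parameter.
        if (uName == null || uName.trim().isEmpty()) {
            return -1;
        }
        String sql = "select id from person where truename like ? escape '!'";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            // the value is bound as a parameter, never concatenated into SQL
            ps.setString(1, "%" + escapeLike(uName) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : -1;
            }
        }
    }

    // Read one counter column from waitdoctrl. Column names cannot be bound,
    // so runName is checked against the fixed set the loop in the JSP uses.
    private static final Set<String> COUNTERS = Set.of("allrun", "docrun",
        "govrec", "govsend", "rout", "meet", "exsend", "exrec", "furun1");

    static int readCounter(Connection con, String runName, int uID) throws SQLException {
        if (!COUNTERS.contains(runName)) {
            throw new IllegalArgumentException("unknown counter: " + runName);
        }
        String sql = "select " + runName + " from waitdoctrl where perid=?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, uID);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```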
More than 100 deployments are affected; 25 cases were selected from them.
### Proof of vulnerability:
http://115.238.97.83/yyoa/checkWaitdo.jsp?userID=1
![1.png](https://images.seebug.org/upload/201503/3118234238d62b67a758ab6557ae5685708ee067.png)
http://oa.shanghai-fanuc.com.cn/yyoa/checkWaitdo.jsp?userID=1
![2.png](https://images.seebug.org/upload/201503/3118275410176955d2055ff38bbe05c821d54bfa.png)
http://oa.wnq.com.cn/yyoa/checkWaitdo.jsp?userID=1
![3.png](https://images.seebug.org/upload/201503/31182825a0f87029161b8d06e0918dcd407de169.png)
http://218.25.24.214:8083/yyoa/checkWaitdo.jsp?userID=1
![4.png](https://images.seebug.org/upload/201503/31182918fa1b89780f7ce4cb4283ba54faed9bbc.png)
http://office.xce.com.cn/yyoa/checkWaitdo.jsp?userID=1
![5.png](https://images.seebug.org/upload/201503/31183224df292d2123766eff929ae5dd71bf4d80.png)