
用友协作办公平台通用多处SQL注入

2014-11-08 18:15

开发公司:用友软件

程序名称:FE协作办公平台

漏洞类型:SQL注入(GET)

漏洞文件:assetsGroupReport目录下多文件存在注入

code 区域
/assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01

/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01



漏洞参数:unitCode

是否需要登录:否

关键字:intitle:FE协作办公平台

涉及版本:5.5.2/5.5版本



第一处:

/assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01

源码分析一下:

code 区域
<%
// vendorContacts.jsp report scriptlet. The filter values come straight from
// the query string. HtmlFormat.format is applied only to the fallback defaults
// below, never to a value the client actually supplied, so a non-empty request
// parameter reaches far.getVendorContacts exactly as sent.
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String cVenCode=request.getParameter("cVenCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
// An absent unitCode falls back to the session user's unit id.
// NOTE(review): if getSession returns null here this dereference throws; the
// write-up says the page is reachable without login -- confirm.
if(unitCode==null || "".equals(unitCode)){
    unitCode=user.getUnitId().toString();
}
// Absent optional filters are replaced by whatever HtmlFormat.format returns
// for "" (and for the current date in the endDate case).
if(cVenCode==null || "".equals(cVenCode)){
    cVenCode=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
    startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
    endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
// The raw request values are handed to getVendorContacts, where they are
// concatenated into SQL (see the method below); nothing validates or escapes
// them before that point.
DataTable dt=far.getVendorContacts(cVenCode,startDate,endDate,unitCode);
%>



跟踪到getVendorContacts

code 区域
/**
 * Builds and runs the "vendor contacts" fixed-assets report query.
 *
 * Every non-empty argument is concatenated straight into a quoted SQL literal;
 * nothing is bound as a query parameter. The JSP caller passes the raw request
 * parameters, so this method is the SQL-injection sink described above.
 *
 * @param vCode     vendor code; appended as {@code v.VENDOR_CODE='...'}
 * @param startDate lower bound for h.BUY_DATE; appended inside a quoted literal
 * @param endDate   upper bound for h.BUY_DATE; appended inside a quoted literal
 * @param unitCode  unit code; passed through getUnitCode(...) and appended as
 *                  {@code h.UNITCODE='...'} (getUnitCode is not shown here; the
 *                  write-up treats its result as unsanitized -- confirm)
 * @return the result set for the assembled query
 */
public DataTable getVendorContacts(String vCode, String startDate, String endDate, String unitCode)
{
    String sql = "";
    // Database type 1 gets to_char/substr date handling; every other type gets
    // Convert(...,120). Select list and joins are otherwise identical.
    if (1 == this.dao.getDataBaseType()) {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,v.VENDOR_NAME,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(h.BUY_DATE,'yyyy-MM-dd') BUY_DATE from " +
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t," + this.dao.getTableName("VENDOR_INFO") + " v " +
        " where t.TYPE_CODE=h.ASSETS_TYPE and v.VENDOR_CODE=h.VENDOR_NAME and h.FIXED_TYPE='1' ";
    }
    else {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,v.VENDOR_NAME,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE from " +
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t," + this.dao.getTableName("VENDOR_INFO") + " v " +
        " where t.TYPE_CODE=h.ASSETS_TYPE and v.VENDOR_CODE=h.VENDOR_NAME and h.FIXED_TYPE='1' ";
    }
    // A null/empty check is the only guard before the value is spliced into
    // the SQL text -- the injection point noted in the write-up. Remediation:
    // bind the value as a query parameter (or at least validate it against the
    // expected unit-code format) instead of concatenating it.
    if ((unitCode != null) && (!"".equals(unitCode))) {
        sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    // Same pattern: vCode, startDate and endDate are interpolated as literals.
    if ((vCode != null) && (!"".equals(vCode))) {
        sql = sql + " and v.VENDOR_CODE='" + vCode + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) ";
        }
        else {
            sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
        }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) ";
        }
        else {
            sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
        }
    }
    // Presumably page 1 with up to Integer.MAX_VALUE rows -- the dao contract
    // is not shown here.
    return this.dao.getDataTable(sql, 1, 2147483647);
}



实例演示:

1. FE协作办公平台 5.5.2

http://oa.hzuf.com:9090//assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





2. FE协作办公平台 5.5

http://oa.peizheng.net.cn/assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





第二处:

/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

代码分析:

code 区域
<%
// notFixedAssetsList.jsp report scriptlet. As in the other pages of this
// directory, HtmlFormat.format is applied only to the fallback defaults; a
// non-empty request parameter reaches far.getNoFixedAssetsList exactly as sent.
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
String key=request.getParameter("key");
// An absent unitCode falls back to the session user's unit id.
// NOTE(review): if getSession returns null here this dereference throws; the
// write-up says the page is reachable without login -- confirm.
if(unitCode==null || "".equals(unitCode)){
    unitCode=user.getUnitId().toString();
}
// Absent optional filters are replaced by whatever HtmlFormat.format returns
// for "" (and for the current date in the endDate case).
if(deptCode==null || "".equals(deptCode)){
    deptCode=HtmlFormat.format("");
}
if(key==null || "".equals(key)){
    key=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
    startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
    endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
// The raw request values are handed to getNoFixedAssetsList, where they are
// concatenated into SQL (see the method below); nothing validates or escapes
// them before that point.
DataTable dt=far.getNoFixedAssetsList(deptCode,startDate,endDate,key,unitCode);
%>





跟踪到getNoFixedAssetsList方法体:

code 区域
/**
 * Builds and runs the "non-fixed assets" list report query.
 *
 * Every non-empty argument is concatenated straight into a quoted SQL literal;
 * nothing is bound as a query parameter. The JSP caller passes the raw request
 * parameters, so this method is the SQL-injection sink described above.
 *
 * @param detpNo    department code; appended as {@code SG00='...'}
 * @param startDate lower bound for h.BUY_DATE; appended inside a quoted literal
 * @param endDate   upper bound for h.BUY_DATE; appended inside a quoted literal
 * @param key       free-text search term; interpolated twice into LIKE patterns
 * @param unitCode  unit code; passed through getUnitCode(...) and appended as
 *                  {@code h.UNITCODE='...'} (getUnitCode is not shown here; the
 *                  write-up treats its result as unsanitized -- confirm)
 * @return the result set for the assembled query
 */
public DataTable getNoFixedAssetsList(String detpNo, String startDate, String endDate, String key, String unitCode)
{
    String sql = "";
    // Database type 1 gets to_char/substr date handling; every other type gets
    // Convert(...,120). Select list and joins are otherwise identical.
    if (1 == this.dao.getDataBaseType()) {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(h.BUY_DATE,'yyyy-MM-dd') BUY_DATE,SU02,h.LOCATION from " +
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " +
        " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='0' and h.ASSETS_STATUS<4 ";
    }
    else {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE,SU02,h.LOCATION from " +
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " +
        " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='0' and h.ASSETS_STATUS<4 ";
    }
    // A null/empty check is the only guard before the value is spliced into
    // the SQL text -- the injection point noted in the write-up. Remediation:
    // bind the value as a query parameter (or at least validate it against the
    // expected unit-code format) instead of concatenating it.
    if ((unitCode != null) && (!"".equals(unitCode))) {
        sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    // Same pattern for detpNo, startDate, endDate and key below.
    if ((detpNo != null) && (!"".equals(detpNo))) {
        sql = sql + " and SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) ";
        }
        else {
            sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
        }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) ";
        }
        else {
            sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
        }
    }
    // key is interpolated into two LIKE patterns; besides the injection risk,
    // any '%' or '_' in it acts as a wildcard.
    if ((key != null) && (!"".equals(key))) {
        sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')";
    }
    sql = sql + " order by SG02,BUY_DATE";
    // Presumably page 1 with up to Integer.MAX_VALUE rows -- the dao contract
    // is not shown here.
    return this.dao.getDataTable(sql, 1, 2147483647);
}





实例演示:

1. FE协作办公平台 5.5.2

http://oa.hzuf.com:9090/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg



文件参数有区别,只能这样证明不同文件了



2. FE协作办公平台 5.5

http://oa.peizheng.net.cn/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





第三处:

/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

代码分析:

code 区域
<%
// fixedAssetsScrapList.jsp report scriptlet. HtmlFormat.format is applied only
// to the fallback defaults below; a non-empty request parameter reaches
// far.getAssetsScrapList exactly as sent.
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
String key=request.getParameter("key");
// An absent unitCode falls back to the session user's unit id.
// NOTE(review): if getSession returns null here this dereference throws; the
// write-up says the page is reachable without login -- confirm.
if(unitCode==null || "".equals(unitCode)){
    unitCode=user.getUnitId().toString();
}
// Absent optional filters are replaced by whatever HtmlFormat.format returns
// for "" (and for the current date in the endDate case).
if(deptCode==null || "".equals(deptCode)){
    deptCode=HtmlFormat.format("");
}
if(key==null || "".equals(key)){
    key=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
    startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
    endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
// The raw request values are handed to getAssetsScrapList, where they are
// concatenated into SQL (see the method below); nothing validates or escapes
// them before that point.
DataTable dt=far.getAssetsScrapList(deptCode,startDate,endDate,key,unitCode);
%>



跟踪到getAssetsScrapList方法体:

code 区域
/**
 * Builds and runs the "scrapped assets" list report query.
 *
 * Every non-empty argument is concatenated straight into a quoted SQL literal;
 * nothing is bound as a query parameter. The JSP caller passes the raw request
 * parameters, so this method is the SQL-injection sink described above.
 *
 * @param detpNo    department code; appended as {@code SG00='...'}
 * @param startDate lower bound for s.APPLY_DATE; appended inside a quoted literal
 * @param endDate   upper bound for s.APPLY_DATE; appended inside a quoted literal
 * @param key       free-text search term; interpolated twice into LIKE patterns
 * @param unitCode  unit code; passed through getUnitCode(...) and appended as
 *                  {@code s.UNITCODE='...'} (getUnitCode is not shown here; the
 *                  write-up treats its result as unsanitized -- confirm)
 * @return the result set for the assembled query
 */
public DataTable getAssetsScrapList(String detpNo, String startDate, String endDate, String key, String unitCode)
{
    String sql = "";
    // Database type 1 gets to_char/substr date handling; every other type gets
    // Convert(...,120). Select list and joins are otherwise identical.
    if (1 == this.dao.getDataBaseType()) {
        sql = "select h.ID,SG02,SU02,h.ASSETS_NAME,s.TYPE,(CASE WHEN s.ASSETS_TYPE=1 THEN '是固定资产' ELSE '非固定资产' END)as ASSETS_TYPE,s.ASSETS_NO,s.NORM_MODEL,s.MANUFACTURER,s.BUY_DATE,s.USE_DATE,s.USE_YEAR,s.ASSETS_VALUE,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE from " +
        this.dao.getTableName("ASSETS_SCRAP") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP,SYS_USERS " +
        " where s.ASSETS_ID=h.ID and s.APPLY_DEPT=SG00 and h.USE_USER=SU00 and s.STATUS=2 ";
    }
    else {
        sql = "select h.ID,SG02,SU02,h.ASSETS_NAME,s.TYPE,(CASE WHEN s.ASSETS_TYPE=1 THEN '是固定资产' ELSE '非固定资产' END)as ASSETS_TYPE,s.ASSETS_NO,s.NORM_MODEL,s.MANUFACTURER,s.BUY_DATE,s.USE_DATE,s.USE_YEAR,s.ASSETS_VALUE,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE from " +
        this.dao.getTableName("ASSETS_SCRAP") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP,SYS_USERS " +
        " where s.ASSETS_ID=h.ID and s.APPLY_DEPT=SG00 and h.USE_USER=SU00 and s.STATUS=2 ";
    }
    // A null/empty check is the only guard before the value is spliced into
    // the SQL text -- the injection point noted in the write-up. Remediation:
    // bind the value as a query parameter (or at least validate it against the
    // expected unit-code format) instead of concatenating it.
    if ((unitCode != null) && (!"".equals(unitCode))) {
        sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    // Same pattern for detpNo, startDate, endDate and key below.
    if ((detpNo != null) && (!"".equals(detpNo))) {
        sql = sql + " and SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) ";
        }
        else {
            sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
        }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) ";
        }
        else {
            sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
        }
    }
    // key is interpolated into two LIKE patterns; besides the injection risk,
    // any '%' or '_' in it acts as a wildcard.
    if ((key != null) && (!"".equals(key))) {
        sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')";
    }
    sql = sql + " order by SG00,APPLY_DATE";
    // Presumably page 1 with up to Integer.MAX_VALUE rows -- the dao contract
    // is not shown here.
    return this.dao.getDataTable(sql, 1, 2147483647);
}

}



实例演示:

1. FE协作办公平台 5.5.2

http://oa.hzuf.com:9090/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg



2. FE协作办公平台 5.5

http://oa.peizheng.net.cn/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





第四处:

/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

源码分析:

code 区域
<%
// fixedAssetsList.jsp report scriptlet. HtmlFormat.format is applied only to
// the fallback defaults below; a non-empty request parameter reaches
// far.getFixedAssetsList exactly as sent.
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
String key=request.getParameter("key");
// An absent unitCode falls back to the session user's unit id.
// NOTE(review): if getSession returns null here this dereference throws; the
// write-up says the page is reachable without login -- confirm.
if(unitCode==null || "".equals(unitCode)){
    unitCode=user.getUnitId().toString();
}
// Absent optional filters are replaced by whatever HtmlFormat.format returns
// for "" (and for the current date in the endDate case).
if(deptCode==null || "".equals(deptCode)){
    deptCode=HtmlFormat.format("");
}
if(key==null || "".equals(key)){
    key=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
    startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
    endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
// The raw request values are handed to getFixedAssetsList, where they are
// concatenated into SQL (see the method below); nothing validates or escapes
// them before that point.
DataTable dt=far.getFixedAssetsList(deptCode,startDate,endDate,key,unitCode);
%>



跟踪到getFixedAssetsList方法体:

code 区域
/**
 * Builds and runs the "fixed assets" list report query.
 *
 * Every non-empty argument is concatenated straight into a quoted SQL literal;
 * nothing is bound as a query parameter. The JSP caller passes the raw request
 * parameters, so this method is the SQL-injection sink described above.
 *
 * @param detpNo    department code; appended as {@code SG00='...'}
 * @param startDate lower bound for h.BUY_DATE; appended inside a quoted literal
 * @param endDate   upper bound for h.BUY_DATE; appended inside a quoted literal
 * @param key       free-text search term; interpolated twice into LIKE patterns
 * @param unitCode  unit code; passed through getUnitCode(...) and appended as
 *                  {@code h.UNITCODE='...'} (getUnitCode is not shown here; the
 *                  write-up treats its result as unsanitized -- confirm)
 * @return the result set for the assembled query
 */
public DataTable getFixedAssetsList(String detpNo, String startDate, String endDate, String key, String unitCode)
{
    String sql = "";
    // Database type 1 gets to_char/substr date handling; every other type gets
    // Convert(...,120). Select list and joins are otherwise identical.
    if (1 == this.dao.getDataBaseType()) {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(BUY_DATE,'yyyy-MM-dd') BUY_DATE,SU02,h.LOCATION from " +
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " +
        " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='1' and h.ASSETS_STATUS<4 ";
    }
    else {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE,SU02,h.LOCATION from " +
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " +
        " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='1' and h.ASSETS_STATUS<4 ";
    }
    // A null/empty check is the only guard before the value is spliced into
    // the SQL text -- the injection point noted in the write-up. Remediation:
    // bind the value as a query parameter (or at least validate it against the
    // expected unit-code format) instead of concatenating it.
    if ((unitCode != null) && (!"".equals(unitCode))) {
        sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    // Same pattern for detpNo, startDate, endDate and key below.
    if ((detpNo != null) && (!"".equals(detpNo))) {
        sql = sql + " and SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) ";
        }
        else {
            sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
        }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) ";
        }
        else {
            sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
        }
    }
    // key is interpolated into two LIKE patterns; besides the injection risk,
    // any '%' or '_' in it acts as a wildcard.
    if ((key != null) && (!"".equals(key))) {
        sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')";
    }
    sql = sql + " order by SG02,BUY_DATE";
    // Presumably page 1 with up to Integer.MAX_VALUE rows -- the dao contract
    // is not shown here.
    return this.dao.getDataTable(sql, 1, 2147483647);
}



实例演示:

1. FE协作办公平台 5.5.2

http://oa.hzuf.com:9090/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





2. FE协作办公平台 5.5

http://oa.peizheng.net.cn/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg

漏洞证明:

第五处:

/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

源码分析:

code 区域
<%
// assetsTestList.jsp report scriptlet. HtmlFormat.format is applied only to
// the fallback defaults below; a non-empty request parameter reaches
// far.getAssetsTestList exactly as sent.
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
// An absent unitCode falls back to the session user's unit id.
// NOTE(review): if getSession returns null here this dereference throws; the
// write-up says the page is reachable without login -- confirm.
if(unitCode==null || "".equals(unitCode)){
    unitCode=user.getUnitId().toString();
}
// Absent optional filters are replaced by whatever HtmlFormat.format returns
// for "" (and for the current date in the endDate case).
if(deptCode==null || "".equals(deptCode)){
    deptCode=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
    startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
    endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
// The raw request values are handed to getAssetsTestList, where they are
// concatenated into SQL (see the method below); nothing validates or escapes
// them before that point.
DataTable dt=far.getAssetsTestList(deptCode,startDate,endDate,unitCode);
%>



跟踪到getAssetsTestList方法体:

code 区域
/**
 * Builds and runs the "assets due for testing" list report query.
 *
 * Every non-empty argument is concatenated straight into a quoted SQL literal;
 * nothing is bound as a query parameter. The JSP caller passes the raw request
 * parameters, so this method is the SQL-injection sink described above. It also
 * prints the finished SQL (attacker-controlled text included) to stdout.
 *
 * @param detpNo    department code; appended as {@code SG00='...'}
 * @param startDate compared against NEXT_DATE; appended inside a quoted literal
 * @param endDate   compared against NEXT_DATE; appended inside a quoted literal
 * @param unitCode  unit code; passed through getUnitCode(...) and appended as
 *                  {@code UNITCODE='...'} (getUnitCode is not shown here; the
 *                  write-up treats its result as unsanitized -- confirm)
 * @return the result set for the assembled query
 */
public DataTable getAssetsTestList(String detpNo, String startDate, String endDate, String unitCode)
{
    String sql = "";
    // Database type 1 gets to_char date handling; every other type gets
    // Convert(...,120). Select list and joins are otherwise identical.
    if (1 == this.dao.getDataBaseType()) {
        sql = "select DEFASSETS1,DEFASSETS2,DEFASSETS3,DEFASSETS4,DEFASSETS5,ID,SG02,SU02,ASSETS_NO,QUANTITY,ASSETS_NAME,NORM_MODEL,LOCATION,to_char(BUY_DATE,'yyyy-MM-dd')as BUY_DATE,MANUFACTURER,TEST_CYCLE,TEST_UNIT,to_char(LAST_DATE,'yyyy-MM-dd') LAST_DATE,to_char(NEXT_DATE,'yyyy-MM-dd') NEXT_DATE from " +
        this.dao.getTableName("ASSETS_HUB") + ",SYS_GROUP,SYS_USERS " +
        " where USE_DEPT=SG00 and USE_USER=SU00 and TEST_TYPE='1' and ASSETS_STATUS<4 ";
    }
    else {
        sql = "select DEFASSETS1,DEFASSETS2,DEFASSETS3,DEFASSETS4,DEFASSETS5,ID,SG02,SU02,ASSETS_NO,QUANTITY,ASSETS_NAME,NORM_MODEL,LOCATION,Convert(VarChar(10),BUY_DATE,120) BUY_DATE,MANUFACTURER,TEST_CYCLE,TEST_UNIT,Convert(VarChar(10),LAST_DATE,120) LAST_DATE,Convert(VarChar(10),NEXT_DATE,120) NEXT_DATE from " +
        this.dao.getTableName("ASSETS_HUB") + ",SYS_GROUP,SYS_USERS " +
        " where USE_DEPT=SG00 and USE_USER=SU00 and TEST_TYPE='1' and ASSETS_STATUS<4 ";
    }
    // A null/empty check is the only guard before the value is spliced into
    // the SQL text -- the same injection point as in the sibling methods.
    // Remediation: bind the value as a query parameter (or at least validate it
    // against the expected unit-code format) instead of concatenating it.
    if ((unitCode != null) && (!"".equals(unitCode))) {
        sql = sql + " and UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    // Same pattern for detpNo, startDate and endDate below.
    if ((detpNo != null) && (!"".equals(detpNo))) {
        sql = sql + " and SG00='" + detpNo + "'";
    }
    // NOTE(review): both the startDate and the endDate branch use "<=" on
    // NEXT_DATE, so startDate is not a lower bound here (the sibling methods
    // use ">=" for startDate). Left as-is; this only documents the listing.
    if ((startDate != null) && (!"".equals(startDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(NEXT_DATE,'yyyy-MM-dd')<='" + startDate + "' ";
        }
        else {
            sql = sql + " and Convert(varchar(10),NEXT_DATE,120)<=Convert(varchar(10),'" + startDate + "',120) ";
        }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(NEXT_DATE,'yyyy-MM-dd')<='" + endDate + "' ";
        }
        else {
            sql = sql + " and Convert(varchar(10),NEXT_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
        }
    }
    sql = sql + " order by SG02,NEXT_DATE asc";
    // Debug output left in production code: the complete query, including the
    // caller-supplied values, is written to stdout on every request.
    System.out.println("===============" + sql);
    // Presumably page 1 with up to Integer.MAX_VALUE rows -- the dao contract
    // is not shown here.
    return this.dao.getDataTable(sql, 1, 2147483647);
}



实例证明:

1. FE协作办公平台 5.5.2

http://oa.hzuf.com:9090/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg



2. FE协作办公平台 5.5

http://oa.peizheng.net.cn/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





第六处:

/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

源码分析:

code 区域
<%
// assetsTest.jsp report scriptlet. HtmlFormat.format is applied only to the
// fallback defaults below; a non-empty request parameter reaches
// far.getAssetsTest exactly as sent.
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
// An absent unitCode falls back to the session user's unit id.
// NOTE(review): if getSession returns null here this dereference throws; the
// write-up says the page is reachable without login -- confirm.
if(unitCode==null || "".equals(unitCode)){
    unitCode=user.getUnitId().toString();
}
// Absent optional filters are replaced by whatever HtmlFormat.format returns
// for "" (and for the current date in the endDate case).
if(deptCode==null || "".equals(deptCode)){
    deptCode=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
    startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
    endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
// The raw request values are handed to getAssetsTest, where they are
// concatenated into SQL (see the method below); nothing validates or escapes
// them before that point.
DataTable dt=far.getAssetsTest(deptCode,startDate,endDate,unitCode);
%>



跟踪到getAssetsTest方法体:

code 区域
/**
 * Builds and runs the "asset test records" report query.
 *
 * Every non-empty argument is concatenated straight into a quoted SQL literal;
 * nothing is bound as a query parameter. The JSP caller passes the raw request
 * parameters, so this method is the SQL-injection sink described above.
 *
 * @param detpNo    department code; appended as {@code g.SG00='...'}
 * @param startDate lower bound for s.APPLY_DATE; appended inside a quoted literal
 * @param endDate   upper bound for s.APPLY_DATE; appended inside a quoted literal
 * @param unitCode  unit code; passed through getUnitCode(...) and appended as
 *                  {@code s.UNITCODE='...'} (getUnitCode is not shown here; the
 *                  write-up treats its result as unsanitized -- confirm)
 * @return the result set for the assembled query
 */
public DataTable getAssetsTest(String detpNo, String startDate, String endDate, String unitCode)
{
    String sql = "";
    // Database type 1 gets to_char date handling; every other type gets
    // Convert(...,120). Select list and joins are otherwise identical.
    if (1 == this.dao.getDataBaseType()) {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE,s.NORM_MODEL,s.MANUFACTURER,s.TEST_UNIT,s.CERTIFI_NO,s.TEST_PRICE,to_char(s.NEXT_DATE,'yyyy-MM-dd')as NEXT_DATE,s.TEST_RESULT from " +
        this.dao.getTableName("ASSETS_TEST") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " +
        " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'";
    }
    else {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE,s.NORM_MODEL,s.MANUFACTURER,s.TEST_UNIT,s.CERTIFI_NO,s.TEST_PRICE,Convert(VarChar(10),s.NEXT_DATE,120) NEXT_DATE,s.TEST_RESULT from " +
        this.dao.getTableName("ASSETS_TEST") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " +
        " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'";
    }
    // A null/empty check is the only guard before the value is spliced into
    // the SQL text -- the same injection point as in the sibling methods.
    // Remediation: bind the value as a query parameter (or at least validate it
    // against the expected unit-code format) instead of concatenating it.
    if ((unitCode != null) && (!"".equals(unitCode))) {
        sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    // Same pattern for detpNo, startDate and endDate below.
    if ((detpNo != null) && (!"".equals(detpNo))) {
        sql = sql + " and g.SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')>='" + startDate + "' ";
        }
        else {
            sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
        }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')<='" + endDate + "' ";
        }
        else {
            sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
        }
    }
    // Presumably page 1 with up to Integer.MAX_VALUE rows -- the dao contract
    // is not shown here.
    return this.dao.getDataTable(sql, 1, 2147483647);
}



实例演示,换两站演示:

1. FE协作办公平台 5.5.2

http://gzwnq.88ip.cn:9090/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





2.

http://oa.suncorps.cn/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





第七处:

/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

源码分析:

code 区域
<%
// assetsService.jsp report scriptlet. HtmlFormat.format is applied only to
// the fallback defaults below; a non-empty request parameter reaches
// far.getAssetsService exactly as sent.
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
// An absent unitCode falls back to the session user's unit id.
// NOTE(review): if getSession returns null here this dereference throws; the
// write-up says the page is reachable without login -- confirm.
if(unitCode==null || "".equals(unitCode)){
    unitCode=user.getUnitId().toString();
}
// Absent optional filters are replaced by whatever HtmlFormat.format returns
// for "" (and for the current date in the endDate case).
if(deptCode==null || "".equals(deptCode)){
    deptCode=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
    startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
    endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
// The raw request values are handed to getAssetsService, where they are
// concatenated into SQL (see the method below); nothing validates or escapes
// them before that point.
DataTable dt=far.getAssetsService(deptCode,startDate,endDate,unitCode);
%>



跟踪到getAssetsService方法体:

code 区域
/**
 * Builds and runs the "asset service records" report query.
 *
 * Every non-empty argument is concatenated straight into a quoted SQL literal;
 * nothing is bound as a query parameter. The JSP caller passes the raw request
 * parameters, so this method is the SQL-injection sink described above.
 *
 * @param detpNo    department code; appended as {@code g.SG00='...'}
 * @param startDate lower bound for s.APPLY_DATE; appended inside a quoted literal
 * @param endDate   upper bound for s.APPLY_DATE; appended inside a quoted literal
 * @param unitCode  unit code; passed through getUnitCode(...) and appended as
 *                  {@code s.UNITCODE='...'} (getUnitCode is not shown here; the
 *                  write-up treats its result as unsanitized -- confirm)
 * @return the result set for the assembled query
 */
public DataTable getAssetsService(String detpNo, String startDate, String endDate, String unitCode)
{
    String sql = "";
    // Database type 1 gets to_char date handling; every other type gets
    // Convert(...,120). Select list and joins are otherwise identical.
    if (1 == this.dao.getDataBaseType()) {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE,s.NORM_MODEL,s.ASSETS_VALUE,s.MANUFACTURER,s.SERVICE_UNIT,s.SERVICE_PRICE,s.SERVICE_TEL,s.SERVICE_RESULT from " +
        this.dao.getTableName("ASSETS_SERVICE") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " +
        " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'";
    }
    else {
        sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE,s.NORM_MODEL,s.ASSETS_VALUE,s.MANUFACTURER,s.SERVICE_UNIT,s.SERVICE_PRICE,s.SERVICE_TEL,s.SERVICE_RESULT from " +
        this.dao.getTableName("ASSETS_SERVICE") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " +
        " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'";
    }
    // A null/empty check is the only guard before the value is spliced into
    // the SQL text -- the same injection point as in the sibling methods.
    // Remediation: bind the value as a query parameter (or at least validate it
    // against the expected unit-code format) instead of concatenating it.
    if ((unitCode != null) && (!"".equals(unitCode))) {
        sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    // Same pattern for detpNo, startDate and endDate below.
    if ((detpNo != null) && (!"".equals(detpNo))) {
        sql = sql + " and g.SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')>='" + startDate + "' ";
        }
        else {
            sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
        }
    }
    if ((endDate != null) && (!"".equals(endDate)))
    {
        if (1 == this.dao.getDataBaseType()) {
            sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')<='" + endDate + "' ";
        }
        else {
            sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
        }
    }
    // Presumably page 1 with up to Integer.MAX_VALUE rows -- the dao contract
    // is not shown here.
    return this.dao.getDataTable(sql, 1, 2147483647);
}



实例演示:

1. FE协作办公平台 5.5.2

http://oa.suncorps.cn/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg





2.

http://gzwnq.88ip.cn:9090/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

1.jpg







修复方案:

过滤: 对 unitCode、deptCode/cVenCode、key、startDate、endDate 等参数按预期格式做严格校验, 并改用参数化查询(预编译语句)绑定这些值, 不再将其直接拼接进 SQL 字符串; 同时去掉 getAssetsTestList 中打印完整 SQL 的调试输出。

知识来源: www.wooyun.org/bugs/wooyun-2014-072145
