当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105038

漏洞标题:用友致远A6协同办公系统存在一处DBA权限SQL注入漏洞

相关厂商:seeyon.com

漏洞作者: 路人甲

提交时间:2015-04-01 10:19

修复时间:2015-07-05 10:21

公开时间:2015-07-05 10:21

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-01: 细节已通知厂商并且等待厂商处理中
2015-04-06: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-05-31: 细节向核心白帽子及相关领域专家公开
2015-06-10: 细节向普通白帽子公开
2015-06-20: 细节向实习白帽子公开
2015-07-05: 细节向公众公开

简要描述:

RT

详细说明:

漏洞位于:/yyoa/checkWaitdo.jsp文件中

<%
  uName = request.getParameter("userID");//接收参数
 // System.out.println(uName);
  if (uName != "null") {
    Connection con = ConnectionPoolBean.getConnection();
    //System.out.println("手动检查的结果中有问题的记录:");
    boolean l = false;
    try {
      uID = XiaoxsDbHelper.getInt(con, "select id from person where truename like  '%" + uName + "%'");//sql语句直接拼接,无任何处理
      uName = XiaoxsDbHelper.getString(con, "select truename from person where id=" + uID+" and isaway=0 and delflag=0 ");
     allrun=XiaoxsDbHelper.getInt(con,"select allrun from waitdoctrl where perid="+uID);
     for (int i = 1; i < 11; i++) {       
        if (i == 1){
          mtypeName = "协同";
         runName="docrun";
        }
        else if (i == 2){
          mtypeName = "收文";
          runName="govrec";
        }
        else if (i == 3){
          mtypeName = "发文";
          runName="govsend";
        }
        else if (i == 4){
          mtypeName = "事件";
          runName="rout";
        }
        else if (i == 5){
          mtypeName = "会议";
          runName="meet";
        }
        else if (i == 6){
          mtypeName = "待发送";
          runName="exsend";
        }
        else if (i == 7){
          mtypeName = "待签收";
          runName="exrec";
        }
		else if(i==8||i==9)
		 {
			continue;
		 }
		else if(i==10){
			 mtypeName = "签报";
             runName="furun1";
		}
		 l = checkDateIsRight(con, i, uID);
         run=XiaoxsDbHelper.getInt(con,"select "+runName+" from waitdoctrl where perid="+uID);
        // System.out.println("select "+runName+" from waitdoctrl where perid = "+uID);
%>


波及100+厂商,筛选其中25个案例:

http://115.238.97.83/yyoa/checkWaitdo.jsp?userID=1
http://218.25.24.214:8083/yyoa/checkWaitdo.jsp?userID=1
http://oa.wnq.com.cn/yyoa/checkWaitdo.jsp?userID=1
http://oa.shanghai-fanuc.com.cn/yyoa/checkWaitdo.jsp?userID=1
http://www.zxdoa.cn/yyoa/checkWaitdo.jsp?userID=1
http://office.xce.com.cn/yyoa/checkWaitdo.jsp?userID=1
http://oa.juntongtongxin.com/yyoa/checkWaitdo.jsp?userID=1
http://oa.hnca.com.cn/yyoa/checkWaitdo.jsp?userID=1
http://www.bbmtoa.com/yyoa/checkWaitdo.jsp?userID=1
http://oa.whvtc.net/yyoa/checkWaitdo.jsp?userID=1
http://www.fjlh.com.cn:8080/yyoa/checkWaitdo.jsp?userID=1
http://www.saptcom.net/yyoa/checkWaitdo.jsp?userID=1
http://oa.jstedu.com/yyoa/checkWaitdo.jsp?userID=1
http://oa.ticom.com.cn/yyoa/checkWaitdo.jsp?userID=1
http://www.sciae.com.cn/yyoa/checkWaitdo.jsp?userID=1
http://www.zxdoa.cn/yyoa/checkWaitdo.jsp?userID=1
http://qudao.seeyon.com/yyoa/checkWaitdo.jsp?userID=1
http://www.brightoa.com/yyoa/checkWaitdo.jsp?userID=1
http://bg.aimin.gov.cn/yyoa/checkWaitdo.jsp?userID=1
http://oa.wnq.com.cn/yyoa/checkWaitdo.jsp?userID=1
http://oa.hnlt.com.cn/yyoa/checkWaitdo.jsp?userID=1
http://www.yaoye.cn/yyoa/checkWaitdo.jsp?userID=1
http://oa.holpe.net/yyoa/checkWaitdo.jsp?userID=1
http://211.144.15.87:8080/yyoa/checkWaitdo.jsp?userID=1
http://www.baojiyijian.com:8080/yyoa/checkWaitdo.jsp?userID=1

漏洞证明:

http://115.238.97.83/yyoa/checkWaitdo.jsp?userID=1

1.png


http://oa.shanghai-fanuc.com.cn/yyoa/checkWaitdo.jsp?userID=1

2.png


http://oa.wnq.com.cn/yyoa/checkWaitdo.jsp?userID=1

3.png


http://218.25.24.214:8083/yyoa/checkWaitdo.jsp?userID=1

4.png


http://office.xce.com.cn/yyoa/checkWaitdo.jsp?userID=1

5.png

修复方案:

至少做个整形转换吧

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-05 10:21

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无