Vulnerability summary

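Bug ID: wooyun-2015-0105038

Title: A SQL injection vulnerability with DBA privileges in the Yonyou Seeyon A6 collaborative office system

Vendor: seeyon.com

Author: 路人甲

Submitted: 2015-04-01 10:19

Fixed: 2015-07-05 10:21

Made public: 2015-07-05 10:21

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org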


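Vulnerability details

Disclosure status:

2015-04-01: Details sent to the vendor; waiting for the vendor to respond
2015-04-06: The vendor actively ignored the vulnerability; details opened to third-party security partners
2015-05-31: Details disclosed to core white hats and experts in related fields
2015-06-10: Details disclosed to regular white hats
2015-06-20: Details disclosed to trainee white hats
2015-07-05: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

The vulnerability is in the file /yyoa/checkWaitdo.jsp: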

<%
    uName = request.getParameter("userID"); // receives the request parameter
    // System.out.println(uName);
    if (uName != "null") {
        Connection con = ConnectionPoolBean.getConnection();
        //System.out.println("Records with problems in the manual check results:");
        boolean l = false;
        try {
            // The SQL statement is built by direct concatenation, with no sanitization at all
            uID = XiaoxsDbHelper.getInt(con, "select id from person where truename like '%" + uName + "%'");
            uName = XiaoxsDbHelper.getString(con, "select truename from person where id=" + uID+" and isaway=0 and delflag=0 ");
            allrun=XiaoxsDbHelper.getInt(con,"select allrun from waitdoctrl where perid="+uID);
            for (int i = 1; i < 11; i++) {
                if (i == 1){
                    mtypeName = "协同";
                    runName="docrun";
                }
                else if (i == 2){
                    mtypeName = "收文";
                    runName="govrec";
                }
                else if (i == 3){
                    mtypeName = "发文";
                    runName="govsend";
                }
                else if (i == 4){
                    mtypeName = "事件";
                    runName="rout";
                }
                else if (i == 5){
                    mtypeName = "会议";
                    runName="meet";
                }
                else if (i == 6){
                    mtypeName = "待发送";
                    runName="exsend";
                }
                else if (i == 7){
                    mtypeName = "待签收";
                    runName="exrec";
                }
                else if(i==8||i==9)
                {
                    continue;
                }
                else if(i==10){
                    mtypeName = "签报";
                    runName="furun1";
                }
                l = checkDateIsRight(con, i, uID);
                run=XiaoxsDbHelper.getInt(con,"select "+runName+" from waitdoctrl where perid="+uID);
                // System.out.println("select "+runName+" from waitdoctrl where perid = "+uID);
%>


More than 100 vendors are affected; 25 cases were selected from among them.


Proof of vulnerability:

http://115.238.97.83/yyoa/checkWaitdo.jsp?userID=1 (screenshot: 1.png)

http://oa.shanghai-fanuc.com.cn/yyoa/checkWaitdo.jsp?userID=1 (screenshot: 2.png)

http://oa.wnq.com.cn/yyoa/checkWaitdo.jsp?userID=1 (screenshot: 3.png)

http://218.25.24.214:8083/yyoa/checkWaitdo.jsp?userID=1 (screenshot: 4.png)

http://office.xce.com.cn/yyoa/checkWaitdo.jsp?userID=1 (screenshot: 5.png)

Fix:

At the very least, do an integer conversion.
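
Added example, not part of the original report and not Seeyon's code: the same person lookup written with bound parameters, which also covers the name-based LIKE match where an integer conversion alone does not apply. The class and method names, the '!' escape character, the 64-character length limit and the -1/0 fallback values are assumptions; table and column names are taken from the excerpt above.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Added example (hypothetical class, not Seeyon code): the person lookup with bound parameters. */
public final class SafePersonLookup {

    /** Escape LIKE metacharacters so the value matches literally; '!' is the ESCAPE char chosen here. */
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    /** Returns the first matching person id, or -1 when the input is missing or nothing matches. */
    static int findPersonId(Connection con, String userName) throws SQLException {
        if (userName == null || userName.isEmpty() || userName.length() > 64) {
            return -1; // reject absent or oversized input before touching the database
        }
        String sql = "select id from person where truename like ? escape '!'";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(userName) + "%"); // the value is data, never SQL text
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : -1;
            }
        }
    }

    /** The follow-up query: the id is bound as an int instead of being concatenated. */
    static int findAllRun(Connection con, int personId) throws SQLException {
        String sql = "select allrun from waitdoctrl where perid = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, personId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a quote and LIKE wildcards stay literal characters.
        System.out.println(escapeLike("O'Brien"));
        System.out.println(escapeLike("50%_done!"));
    }
}
```

The remaining query in the excerpt concatenates runName, which is chosen from a fixed list inside the loop rather than from the request; column names cannot be bound as parameters, so they should keep coming from such a fixed list.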

Copyright notice: when reposting, please credit the source: 路人甲@WooYun


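Vulnerability response

Vendor response:

Severity: No impact; ignored by the vendor

Ignored at: 2015-07-05 10:21

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet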