用友协作办公平台通用多处SQL注入 | wooyun-2014-072145| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-072145

漏洞标题：用友协作办公平台通用多处SQL注入

漏洞作者：路人甲

提交时间：2014-08-13 10:38

修复时间：2014-11-08 10:40

公开时间：2014-11-08 10:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-08-13：细节已通知厂商并且等待厂商处理中
2014-08-18：厂商主动忽略漏洞，细节向第三方安全合作伙伴开放
2014-10-12：细节向核心白帽子及相关领域专家公开
2014-10-22：细节向普通白帽子公开
2014-11-01：细节向实习白帽子公开
2014-11-08：细节向公众公开

简要描述：

详细说明：

开发公司：用友软件
程序名称：FE协作办公平台
漏洞类型：SQL注入（GET）
漏洞文件：assetsGroupReport目录下多文件存在注入

/assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01
/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01
/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01
/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01
/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01
/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01
/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

漏洞参数：unitCode
是否需要登录：否
关键字：intitle:FE协作办公平台
涉及版本：5.5.2/5.5版本
第一处：
/assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01
源码分析一下：

<%
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String cVenCode=request.getParameter("cVenCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
if(unitCode==null || "".equals(unitCode)){
        unitCode=user.getUnitId().toString();
}
if(cVenCode==null || "".equals(cVenCode)){
        cVenCode=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
        startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
        endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
DataTable dt=far.getVendorContacts(cVenCode,startDate,endDate,unitCode);//参数带入getVendorContacts方法，未过滤
%>

跟踪到getVendorContacts

public DataTable getVendorContacts(String vCode, String startDate, String endDate, String unitCode)
  {
    String sql = "";
    if (1 == this.dao.getDataBaseType()) {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,v.VENDOR_NAME,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(h.BUY_DATE,'yyyy-MM-dd') BUY_DATE from " + 
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t," + this.dao.getTableName("VENDOR_INFO") + " v " + 
        " where t.TYPE_CODE=h.ASSETS_TYPE and v.VENDOR_CODE=h.VENDOR_NAME and h.FIXED_TYPE='1' ";
    }
    else {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,v.VENDOR_NAME,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE from " + 
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t," + this.dao.getTableName("VENDOR_INFO") + " v " + 
        " where t.TYPE_CODE=h.ASSETS_TYPE and v.VENDOR_CODE=h.VENDOR_NAME and h.FIXED_TYPE='1' ";
    }
    if ((unitCode != null) && (!"".equals(unitCode))) {//参数只判断是否为null，就带入SQL语句了,注入产生
      sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    if ((vCode != null) && (!"".equals(vCode))) {
      sql = sql + " and v.VENDOR_CODE='" + vCode + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) ";
      }
      else {
        sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
      }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) ";
      }
      else {
        sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
      }
    }
    return this.dao.getDataTable(sql, 1, 2147483647);
  }

实例演示：
1. FE协作办公平台 5.5.2
http://oa.hzuf.com:9090//assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01

2. FE协作办公平台 5.5
http://oa.peizheng.net.cn/assetsGroupReport/vendorContacts.jsp?unitCode=11&cVenCode=22&startDate=2012-01-01&endDate=2012-02-01

第二处：
/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01
代码分析：

<%
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
String key=request.getParameter("key");
if(unitCode==null || "".equals(unitCode)){
        unitCode=user.getUnitId().toString();
}
if(deptCode==null || "".equals(deptCode)){
        deptCode=HtmlFormat.format("");
}
if(key==null || "".equals(key)){
        key=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
        startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
        endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
DataTable dt=far.getNoFixedAssetsList(deptCode,startDate,endDate,key,unitCode);//这里参数带入了getNoFixedAssetsList方法，之前未作过滤处理
%>

跟踪到getNoFixedAssetsList方法体：

public DataTable getNoFixedAssetsList(String detpNo, String startDate, String endDate, String key, String unitCode)
  {
    String sql = "";
    if (1 == this.dao.getDataBaseType()) {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(h.BUY_DATE,'yyyy-MM-dd') BUY_DATE,SU02,h.LOCATION  from " + 
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " + 
        " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='0' and h.ASSETS_STATUS<4 ";
    }
    else {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE,SU02,h.LOCATION  from " + 
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " + 
        " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='0' and h.ASSETS_STATUS<4 ";
    }
    if ((unitCode != null) && (!"".equals(unitCode))) {//这里只是判断是否为null，就带入SQL语句了，导致注入
      sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    if ((detpNo != null) && (!"".equals(detpNo))) {
      sql = sql + " and SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) ";
      }
      else {
        sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
      }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) ";
      }
      else {
        sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
      }
    }
    if ((key != null) && (!"".equals(key))) {
      sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')";
    }
    sql = sql + " order by SG02,BUY_DATE";
    return this.dao.getDataTable(sql, 1, 2147483647);
  }

实例演示;
1. FE协作办公平台 5.5.2
http://oa.hzuf.com:9090/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

文件参数有区别,只能这样证明不同文件了
2. FE协作办公平台 5.5
http://oa.peizheng.net.cn/assetsGroupReport/notFixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

第三处：
/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01
代码分析：

<%
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
String key=request.getParameter("key");
if(unitCode==null || "".equals(unitCode)){
        unitCode=user.getUnitId().toString();
}
if(deptCode==null || "".equals(deptCode)){
        deptCode=HtmlFormat.format("");
}
if(key==null || "".equals(key)){
        key=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
        startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
        endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
DataTable dt=far.getAssetsScrapList(deptCode,startDate,endDate,key,unitCode);//参数未过滤带入getAssetsScrapList方法
%>

跟踪到getAssetsScrapList方法体：

public DataTable getAssetsScrapList(String detpNo, String startDate, String endDate, String key, String unitCode)
  {
    String sql = "";
    if (1 == this.dao.getDataBaseType()) {
      sql = "select h.ID,SG02,SU02,h.ASSETS_NAME,s.TYPE,(CASE WHEN s.ASSETS_TYPE=1 THEN '是固定资产' ELSE '非固定资产' END)as ASSETS_TYPE,s.ASSETS_NO,s.NORM_MODEL,s.MANUFACTURER,s.BUY_DATE,s.USE_DATE,s.USE_YEAR,s.ASSETS_VALUE,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE  from " + 
        this.dao.getTableName("ASSETS_SCRAP") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP,SYS_USERS " + 
        " where s.ASSETS_ID=h.ID and s.APPLY_DEPT=SG00 and h.USE_USER=SU00 and s.STATUS=2 ";
    }
    else {
      sql = "select h.ID,SG02,SU02,h.ASSETS_NAME,s.TYPE,(CASE WHEN s.ASSETS_TYPE=1 THEN '是固定资产' ELSE '非固定资产' END)as ASSETS_TYPE,s.ASSETS_NO,s.NORM_MODEL,s.MANUFACTURER,s.BUY_DATE,s.USE_DATE,s.USE_YEAR,s.ASSETS_VALUE,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE  from " + 
        this.dao.getTableName("ASSETS_SCRAP") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP,SYS_USERS " + 
        " where s.ASSETS_ID=h.ID and s.APPLY_DEPT=SG00 and h.USE_USER=SU00 and s.STATUS=2 ";
    }
    if ((unitCode != null) && (!"".equals(unitCode))) { //这里通用只是判断是否为null，就带入SQL语句拼接了，注入产生
      sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    if ((detpNo != null) && (!"".equals(detpNo))) {
      sql = sql + " and SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) ";
      }
      else {
        sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
      }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) ";
      }
      else {
        sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
      }
    }
    if ((key != null) && (!"".equals(key))) {
      sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')";
    }
    sql = sql + " order by SG00,APPLY_DATE";
    return this.dao.getDataTable(sql, 1, 2147483647);
  }
}

实例演示：
1. FE协作办公平台 5.5.2
http://oa.hzuf.com:9090/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

2. FE协作办公平台 5.5
http://oa.peizheng.net.cn/assetsGroupReport/fixedAssetsScrapList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

第四处：
/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01
源码分析：

<%
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
String key=request.getParameter("key");
if(unitCode==null || "".equals(unitCode)){
        unitCode=user.getUnitId().toString();
}
if(deptCode==null || "".equals(deptCode)){
        deptCode=HtmlFormat.format("");
}
if(key==null || "".equals(key)){
        key=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
        startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
        endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
DataTable dt=far.getFixedAssetsList(deptCode,startDate,endDate,key,unitCode);//参数直接带入getFixedAssetsList方法
%>

跟踪到getFixedAssetsList方法体：

public DataTable getFixedAssetsList(String detpNo, String startDate, String endDate, String key, String unitCode)
  {
    String sql = "";
    if (1 == this.dao.getDataBaseType()) {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,to_char(BUY_DATE,'yyyy-MM-dd') BUY_DATE,SU02,h.LOCATION  from " + 
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " + 
        " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='1' and h.ASSETS_STATUS<4 ";
    }
    else {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,h.ASSETS_NAME,h.ASSETS_NO,t.TYPE_NAME,h.NORM_MODEL,h.UNIT_NAME,h.MANUFACTURER,h.QUANTITY,h.ASSETS_VALUE,Convert(VarChar(10),h.BUY_DATE,120)as BUY_DATE,SU02,h.LOCATION  from " + 
        this.dao.getTableName("ASSETS_HUB") + " h," + this.dao.getTableName("ASSETS_TYPE") + " t,SYS_GROUP,SYS_USERS " + 
        " where t.TYPE_CODE=h.ASSETS_TYPE and h.USE_DEPT=SG00 and USE_USER=SU00 and h.FIXED_TYPE='1' and h.ASSETS_STATUS<4 ";
    }
    if ((unitCode != null) && (!"".equals(unitCode))) {////看到这里，就知道注入有了
      sql = sql + " and h.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    if ((detpNo != null) && (!"".equals(detpNo))) {
      sql = sql + " and SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')>=substr('" + startDate + "',0,10) ";
      }
      else {
        sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
      }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(h.BUY_DATE,'yyyy-MM-dd')<=substr('" + endDate + "',0,10) ";
      }
      else {
        sql = sql + " and Convert(varchar(10),h.BUY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
      }
    }
    if ((key != null) && (!"".equals(key))) {
      sql = sql + " and (h.ASSETS_NAME like '%" + key + "%' or h.NORM_MODEL like '%" + key + "%')";
    }
    sql = sql + " order by SG02,BUY_DATE";
    return this.dao.getDataTable(sql, 1, 2147483647);
  }

实例演示：
1. FE协作办公平台 5.5.2
http://oa.hzuf.com:9090/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

2. FE协作办公平台 5.5
http://oa.peizheng.net.cn/assetsGroupReport/fixedAssetsList.jsp?unitCode=11&deptCode=22&key=22&startDate=2012-01-01&endDate=2012-02-01

漏洞证明：

第五处：
/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01
源码分析：

<%
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
if(unitCode==null || "".equals(unitCode)){
        unitCode=user.getUnitId().toString();
}
if(deptCode==null || "".equals(deptCode)){
        deptCode=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
        startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
        endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
DataTable dt=far.getAssetsTestList(deptCode,startDate,endDate,unitCode);//参数未过滤带入方法getAssetsTestList中
%>

跟踪到getAssetsTestList方法体：

public DataTable getAssetsTestList(String detpNo, String startDate, String endDate, String unitCode)
  {
    String sql = "";
    if (1 == this.dao.getDataBaseType()) {
      sql = "select DEFASSETS1,DEFASSETS2,DEFASSETS3,DEFASSETS4,DEFASSETS5,ID,SG02,SU02,ASSETS_NO,QUANTITY,ASSETS_NAME,NORM_MODEL,LOCATION,to_char(BUY_DATE,'yyyy-MM-dd')as BUY_DATE,MANUFACTURER,TEST_CYCLE,TEST_UNIT,to_char(LAST_DATE,'yyyy-MM-dd')  LAST_DATE,to_char(NEXT_DATE,'yyyy-MM-dd') NEXT_DATE from " + 
        this.dao.getTableName("ASSETS_HUB") + ",SYS_GROUP,SYS_USERS " + 
        " where USE_DEPT=SG00 and USE_USER=SU00 and TEST_TYPE='1' and ASSETS_STATUS<4 ";
    }
    else {
      sql = "select DEFASSETS1,DEFASSETS2,DEFASSETS3,DEFASSETS4,DEFASSETS5,ID,SG02,SU02,ASSETS_NO,QUANTITY,ASSETS_NAME,NORM_MODEL,LOCATION,Convert(VarChar(10),BUY_DATE,120) BUY_DATE,MANUFACTURER,TEST_CYCLE,TEST_UNIT,Convert(VarChar(10),LAST_DATE,120) LAST_DATE,Convert(VarChar(10),NEXT_DATE,120) NEXT_DATE  from " + 
        this.dao.getTableName("ASSETS_HUB") + ",SYS_GROUP,SYS_USERS " + 
        " where USE_DEPT=SG00 and USE_USER=SU00 and TEST_TYPE='1' and ASSETS_STATUS<4 ";
    }
    if ((unitCode != null) && (!"".equals(unitCode))) {//类似的判断，不多说了
      sql = sql + " and UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    if ((detpNo != null) && (!"".equals(detpNo))) {
      sql = sql + " and SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(NEXT_DATE,'yyyy-MM-dd')<='" + startDate + "' ";
      }
      else {
        sql = sql + " and Convert(varchar(10),NEXT_DATE,120)<=Convert(varchar(10),'" + startDate + "',120) ";
      }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(NEXT_DATE,'yyyy-MM-dd')<='" + endDate + "' ";
      }
      else {
        sql = sql + " and Convert(varchar(10),NEXT_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
      }
    }
    sql = sql + " order by SG02,NEXT_DATE asc";
    System.out.println("===============" + sql);
    return this.dao.getDataTable(sql, 1, 2147483647);
  }

实例证明：
1. FE协作办公平台 5.5.2
http://oa.hzuf.com:9090/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

2. FE协作办公平台 5.5
http://oa.peizheng.net.cn/assetsGroupReport/assetsTestList.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

第六处：
/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01
源码分析：

<%
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
if(unitCode==null || "".equals(unitCode)){
        unitCode=user.getUnitId().toString();
}
if(deptCode==null || "".equals(deptCode)){
        deptCode=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
        startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
        endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
DataTable dt=far.getAssetsTest(deptCode,startDate,endDate,unitCode);//参数带入getAssetsTest方法
%>

跟踪到getAssetsTest方法体：

public DataTable getAssetsTest(String detpNo, String startDate, String endDate, String unitCode)
  {
    String sql = "";
    if (1 == this.dao.getDataBaseType()) {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE,s.NORM_MODEL,s.MANUFACTURER,s.TEST_UNIT,s.CERTIFI_NO,s.TEST_PRICE,to_char(s.NEXT_DATE,'yyyy-MM-dd')as NEXT_DATE,s.TEST_RESULT  from " + 
        this.dao.getTableName("ASSETS_TEST") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " + 
        " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'";
    }
    else {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE,s.NORM_MODEL,s.MANUFACTURER,s.TEST_UNIT,s.CERTIFI_NO,s.TEST_PRICE,Convert(VarChar(10),s.NEXT_DATE,120) NEXT_DATE,s.TEST_RESULT  from " + 
        this.dao.getTableName("ASSETS_TEST") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " + 
        " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'";
    }
    if ((unitCode != null) && (!"".equals(unitCode))) {//判断一模一样，同一人写的吧
      sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    if ((detpNo != null) && (!"".equals(detpNo))) {
      sql = sql + " and g.SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')>='" + startDate + "' ";
      }
      else {
        sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
      }
    }
    if ((endDate != null) && (!"".equals(endDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')<='" + endDate + "' ";
      }
      else {
        sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
      }
    }
    return this.dao.getDataTable(sql, 1, 2147483647);
  }

实例演示，换两站演示：
1. FE协作办公平台 5.5.2
http://gzwnq.88ip.cn:9090/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

2.
http://oa.suncorps.cn/assetsGroupReport/assetsTest.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

第七处：
/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01
源码分析：

<%
User user = (User) ResourceManage.getSession("User");
String unitCode=request.getParameter("unitCode");
String deptCode=request.getParameter("deptCode");
String startDate=request.getParameter("startDate");
String endDate=request.getParameter("endDate");
if(unitCode==null || "".equals(unitCode)){
        unitCode=user.getUnitId().toString();
}
if(deptCode==null || "".equals(deptCode)){
        deptCode=HtmlFormat.format("");
}
if(startDate==null || "".equals(startDate)){
        startDate=HtmlFormat.format("");
}
if(endDate==null || "".equals(endDate)){
        endDate=HtmlFormat.format(new Date());
}
FixedAssetsReport far=(FixedAssetsReport)ResourceManage.getContext("far");
DataTable dt=far.getAssetsService(deptCode,startDate,endDate,unitCode);//参数带入getAssetsService方法
%>

跟踪到getAssetsService方法体：

public DataTable getAssetsService(String detpNo, String startDate, String endDate, String unitCode)
  {
    String sql = "";
    if (1 == this.dao.getDataBaseType()) {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,to_char(s.APPLY_DATE,'yyyy-MM-dd')as APPLY_DATE,s.NORM_MODEL,s.ASSETS_VALUE,s.MANUFACTURER,s.SERVICE_UNIT,s.SERVICE_PRICE,s.SERVICE_TEL,s.SERVICE_RESULT  from " + 
        this.dao.getTableName("ASSETS_SERVICE") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " + 
        " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'";
    }
    else {
      sql = "select h.DEFASSETS1,h.DEFASSETS2,h.DEFASSETS3,h.DEFASSETS4,h.DEFASSETS5,h.ID,SG02,SU02,s.ASSETS_NO,ASSETS_NAME,Convert(VarChar(10),s.APPLY_DATE,120)as APPLY_DATE,s.NORM_MODEL,s.ASSETS_VALUE,s.MANUFACTURER,s.SERVICE_UNIT,s.SERVICE_PRICE,s.SERVICE_TEL,s.SERVICE_RESULT  from " + 
        this.dao.getTableName("ASSETS_SERVICE") + " s," + this.dao.getTableName("ASSETS_HUB") + " h,SYS_GROUP g,SYS_USERS u " + 
        " where h.ID=s.ASSETS_ID and s.APPLY_USER=u.SU00 and s.USE_DEPT=g.SG00 and s.REG_TYPE='1' and s.STATUS='2'";
    }
    if ((unitCode != null) && (!"".equals(unitCode))) {//又是这样的判断。。
      sql = sql + " and s.UNITCODE='" + getUnitCode(unitCode) + "'";
    }
    if ((detpNo != null) && (!"".equals(detpNo))) {
      sql = sql + " and g.SG00='" + detpNo + "'";
    }
    if ((startDate != null) && (!"".equals(startDate))) {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')>='" + startDate + "' ";
      }
      else {
        sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)>=Convert(varchar(10),'" + startDate + "',120) ";
      }
    }
    if ((endDate != null) && (!"".equals(endDate)))
    {
      if (1 == this.dao.getDataBaseType()) {
        sql = sql + " and to_char(s.APPLY_DATE,'yyyy-MM-dd')<='" + endDate + "' ";
      }
      else {
        sql = sql + " and Convert(varchar(10),s.APPLY_DATE,120)<=Convert(varchar(10),'" + endDate + "',120) ";
      }
    }
    return this.dao.getDataTable(sql, 1, 2147483647);
  }

实例演示：
1. FE协作办公平台 5.5.2
http://oa.suncorps.cn/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

2.
http://gzwnq.88ip.cn:9090/assetsGroupReport/assetsService.jsp?unitCode=11&deptCode=22&startDate=2012-01-01&endDate=2012-02-01

修复方案：

过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2014-11-08 10:40

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-072145

漏洞标题：用友协作办公平台通用多处SQL注入

相关厂商：用友软件

漏洞作者：路人甲

提交时间：2014-08-13 10:38

修复时间：2014-11-08 10:40

公开时间：2014-11-08 10:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-072145

漏洞标题：用友协作办公平台通用多处SQL注入

相关厂商：用友软件

漏洞作者： 路人甲

提交时间：2014-08-13 10:38

修复时间：2014-11-08 10:40

公开时间：2014-11-08 10:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-072145"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云