### Brief description:
As the title says (RT).
### Details:
sys\sortListUI.jsp
```java
String done=request.getParameter("done");
String nodeId=request.getParameter("nodeId");
String strWhere="";
String id=request.getParameter("id");
String srcName = BaseFunc.ISOToGBK(request.getParameter("srcName"));//injection point
String searchKey = StringUtil.NullToEmpty(BaseFunc.ISOToGBK(request.getParameter("searchKeyvalue")));//injection point
srcName = "".equals(srcName)|| "null".equals(srcName) || srcName==null?"":srcName;
String lx=request.getParameter("lx");//0 = category item; 1 = hint item
lx = "".equals(lx)|| "null".equals(lx) || lx==null?"0":lx;
id = "".equals(id)|| "null".equals(id) || lx==null?"0":id;//note: the original tests lx==null here, not id==null
Sort sort= (Sort)ResourceManage.getContext("sort");
FieldSet fs=new WebFieldSet();
if("delete".equals(done)){
id=StringUtil.NullToEmpty(id).equals("")?"0":id;
int row=sort.deleteSort(Integer.parseInt(id));
}
DataTable DT;
if(!searchKey.equals("")){
strWhere = "(SI03 like'"+srcName+"%' and SI10='"+lx+"') or SI01 like'%"+searchKey+"%' or SI02 like'%"+searchKey+"%'";//string concatenation: raw request parameters become part of the WHERE clause
DT=sort.getSortByWhere(strWhere,1,100,lx);//concatenated clause passed straight into the query
}else{
DT=sort.getSortByName(srcName+"/",lx);
}
```
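The concatenated WHERE clause above next to a parameterized version, as an added example that is not the product's code: the column names SI01/SI02/SI03/SI10 and the "lx is 0 or 1" convention come from the page; the class and method names and the table name SORT_TABLE are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class SortListQuery {
    // Mirrors the page's concatenation: request parameters become SQL text.
    static String vulnerableWhere(String srcName, String lx, String searchKey) {
        return "(SI03 like'" + srcName + "%' and SI10='" + lx + "') or SI01 like'%"
                + searchKey + "%' or SI02 like'%" + searchKey + "%'";
    }
    // SQL template plus the values to bind; input never becomes part of the SQL text.
    static final class Query {
        final String sql;
        final List<String> params;
        Query(String sql, List<String> params) { this.sql = sql; this.params = params; }
    }
    // Escape LIKE metacharacters so a search term cannot widen the pattern.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }
    static Query safeWhere(String srcName, String lx, String searchKey) {
        if (!"0".equals(lx) && !"1".equals(lx)) {   // lx is documented as 0 or 1 only
            throw new IllegalArgumentException("lx must be 0 or 1");
        }
        // SORT_TABLE is a placeholder; the page does not name the table.
        String sql = "SELECT * FROM SORT_TABLE WHERE (SI03 LIKE ? ESCAPE '\\' AND SI10 = ?)"
                + " OR SI01 LIKE ? ESCAPE '\\' OR SI02 LIKE ? ESCAPE '\\'";
        List<String> params = new ArrayList<>();
        params.add(escapeLike(srcName) + "%");
        params.add(lx);
        String key = "%" + escapeLike(searchKey) + "%";
        params.add(key);
        params.add(key);
        return new Query(sql, params);
    }
    // Binding step; JDBC parameter indexes are 1-based.
    static PreparedStatement prepare(Connection conn, Query q) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(q.sql);
        for (int i = 0; i < q.params.size(); i++) {
            ps.setString(i + 1, q.params.get(i));
        }
        return ps;
    }
}
```

With a constructed search term such as `a'b`, `vulnerableWhere` returns SQL in which the quote ends the literal early, while `safeWhere` keeps the same characters inside a bound string value and the SQL text contains only placeholders.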
### Proof of vulnerability:
#1. http://www.elkay.com.cn/sys/sortListUI.jsp?searchKeyvalue=*
![y.jpg](https://images.seebug.org/upload/201408/13231142562d1947a756b34f161ee25395aecbb1.jpg)
#2. http://oa.danzi.com.cn:9090/sys/sortListUI.jsp?searchKeyvalue=*
![y.jpg](https://images.seebug.org/upload/201408/13231839b95afb939e393dd95b4da37cd9f62d92.jpg)
#3. http://fsd2014.f3322.org:9090/sys/sortListUI.jsp?searchKeyvalue=*
![y.jpg](https://images.seebug.org/upload/201408/13231913d71f26e580f5c429539fe93531a422ca.jpg)
#4. http://220.168.210.109:9090/sys/sortListUI.jsp?searchKeyvalue=*
![y.jpg](https://images.seebug.org/upload/201408/132322478c0c3188cbcaca86a195f72e9be234f0.jpg)
#5. http://oa.shunhengli.com:9090/sys/sortListUI.jsp?searchKeyvalue=*
![y.jpg](https://images.seebug.org/upload/201408/132324546b47bcb66218153cd4a6bb75e9997cfb.jpg)