### Summary:
As per the title.
### Details:
Google dork: intitle:"fe协作"
Injection point:
common\selectUDR.jsp?id=*
```jsp
<%
//String sIsModelWindow="0";
UserAnalyse userAnalyse=(UserAnalyse)ResourceManage.getContext("userAnalyse");
String saveValue=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("id")));//injection point: HtmlFormat only HTML-escapes, it does not neutralize SQL metacharacters
String isModel=HtmlFormat.format(request.getParameter("isModel"));
String tagValue=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("tagValue")));
String tagShow=HtmlFormat.format(StringUtil.ISOToGBK(request.getParameter("tagShow")));
String showValue="";
saveValue="null".equals(saveValue)?"":saveValue;
//if("".equals(saveValue)){
//saveValue="null".equals(tagValue)?"":tagValue;
//}
Map map=null;
if(!"".equals(saveValue))
map=userAnalyse.getAllUserName(saveValue);
if(map!=null){
for(Iterator it=map.keySet().iterator();it.hasNext();){
String v=(String)it.next();
if(v!=null)
showValue+=v+",";
}
if(!"".equals(showValue)){
showValue=showValue.substring(0,showValue.lastIndexOf(","));
}
}
String promptStr=request.getParameter("code");
%>
```
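The page's JSP passes the HTML-escaped `id` parameter straight into `userAnalyse.getAllUserName(saveValue)`. The following Java class is an added illustration, not code from the FE协作 product: it assumes (since the page does not show `getAllUserName`) that the method concatenates `saveValue` into a SQL string, and it uses a constructed stand-in for `HtmlFormat.format` that escapes only HTML characters. It contrasts that pattern with the fix a maintainer would apply: reject anything that is not a comma-separated integer list, then bind each value through a `PreparedStatement`. The table and column names (`users`, `id`, `name`) are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class SelectUdrLookup {

    // Assumption: HtmlFormat.format in the product does HTML escaping only.
    // This constructed stand-in mimics that so the example runs without the vendor jar.
    static String htmlEscape(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Assumed shape of the vulnerable path: the escaped id is concatenated into SQL.
    // HTML escaping does not touch spaces, parentheses, '=' or single quotes, so the
    // query structure is whatever the caller supplied.
    static String vulnerableQuery(String rawId) {
        String id = htmlEscape(rawId);
        return "SELECT id, name FROM users WHERE id IN (" + id + ")";
    }

    // Hardened path, step 1: the id parameter is assumed to be a comma-separated
    // list of integer user ids, so anything else is rejected before SQL is built.
    private static final Pattern ID_LIST = Pattern.compile("^\\d{1,10}(,\\d{1,10})*$");

    static boolean isValidIdList(String rawId) {
        return rawId != null && ID_LIST.matcher(rawId).matches();
    }

    // Hardened path, step 2: one bind marker per id, values bound as numbers.
    static Map<String, String> safeLookup(Connection conn, String rawId) throws SQLException {
        if (!isValidIdList(rawId)) {
            throw new IllegalArgumentException("id must be a comma-separated list of integers");
        }
        String[] parts = rawId.split(",");
        StringBuilder sql = new StringBuilder("SELECT id, name FROM users WHERE id IN (");
        for (int i = 0; i < parts.length; i++) {
            sql.append(i == 0 ? "?" : ",?");
        }
        sql.append(")");
        Map<String, String> names = new LinkedHashMap<>();
        try (PreparedStatement ps = conn.prepareStatement(sql.toString())) {
            for (int i = 0; i < parts.length; i++) {
                ps.setLong(i + 1, Long.parseLong(parts[i]));
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.put(rs.getString("id"), rs.getString("name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        String benign = "1,2";          // constructed sample input
        String malformed = "1 OR 1=1";  // constructed sample input, not a valid id list
        System.out.println(vulnerableQuery(benign));
        // The escaper leaves the second input untouched, so it lands in the SQL verbatim:
        System.out.println(vulnerableQuery(malformed));
        // The validator accepts the first and rejects the second before any SQL exists:
        System.out.println(isValidIdList(benign));
        System.out.println(isValidIdList(malformed));
    }
}
```

The detection-side takeaway is the same as the code's: an HTML escaper in front of a SQL call is not an injection control, so a review of `getAllUserName` (or a query log showing the `id` value embedded in the statement text) is what confirms or rules out the issue on a given deployment.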
### Proof of concept:
1. http://119.145.194.122:9090/common/selectUDRTree.jsp?id=1*
[![y.jpg](https://images.seebug.org/upload/201408/13081952daf1df3ab14fd2954bc5097ababff33a.jpg)](https://images.seebug.org/upload/201408/13081952daf1df3ab14fd2954bc5097ababff33a.jpg)
2. http://220.168.210.109:9090/common/selectUDR.jsp?id=1*
[![y.jpg](https://images.seebug.org/upload/201408/13083157d35bacab765169c8aec2e4116862e2ac.jpg)](https://images.seebug.org/upload/201408/13083157d35bacab765169c8aec2e4116862e2ac.jpg)
3. http://fsd2014.f3322.org:9090/common/selectUDR.jsp?id=1* --dbms=mssql
[![yy.jpg](https://images.seebug.org/upload/201408/130832099ea7640d7c6c9e51164042067704be6a.jpg)](https://images.seebug.org/upload/201408/130832099ea7640d7c6c9e51164042067704be6a.jpg)