Yonyou Cooperation Office fair-play kill SQL Injection
It affects at least version 5.5.2 (I don't know whether that is the latest version).
# Vulnerability files
/Cooperate/traceNodes.jsp
The vulnerable code is as follows:
```jsp
<%
    User user = (User) ResourceManage.getSession("User");
    Dao dao = (Dao) ResourceManage.getContext("dao");

    // Request parameters are run through HtmlFormat.format and then used directly in SQL below
    String traceNodeGUID = HtmlFormat.format(request.getParameter("traceNodeGUID"));
    String model_GUID = HtmlFormat.format(request.getParameter("model_GUID"));
    String taskID = HtmlFormat.format(request.getParameter("taskID"));

    if ("".equals(traceNodeGUID)) {
        if (!"".equals(taskID)) {
            // Locate the trace node GUID from the task ID (taskID is also concatenated into the filter string)
            FieldSet nodeTraceFs = dao.getFieldSetByFilter("WF_NODE_TRACE",
                    "wn01 = " + user.getUserID() + " and wn02 = " + taskID);
            if (nodeTraceFs != null) {
                traceNodeGUID = HtmlFormat.format(nodeTraceFs.getString("wn03"));
            }
        }
    }

    Map map = new LinkedHashMap();
    String[] ids = traceNodeGUID.split(",");
    for (int i = 0; i < ids.length; i++) {
        map.put(ids[i], new HashMap());
    }

    String tagValue = HtmlFormat.format(request.getParameter("tagValue"));
    String tagShow = HtmlFormat.format(request.getParameter("tagShow"));

    // The model_GUID parameter is concatenated straight into the SQL string: the injection point
    DataTable dtLeft = dao.getDataTable("Select wn53, wn02 from wf_nodes, wf_model Where wm00 = wn01 "
            + "and (wn04 = '1' or wn04 = '3' or wn04 = '8') and wm05 = '" + model_GUID + "' order by wn46",
            1, Integer.MAX_VALUE);
    // DataTable dtRight = dao.getDataTable("Select SPT00, SPT01 from TEMPLET_GROUP_V Where STS02 = '" + user.getUnitCode() + "' and spt00 in (" + id + ")", 1, Integer.MAX_VALUE);
    FieldSet fs = null;
%>
```
In the dtLeft query (the `dao.getDataTable` call near the end), model_GUID is concatenated directly into the SQL statement without any SQL-level filtering, so the parameter is vulnerable to SQL injection.
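To make the concatenation problem concrete, the following added example (not code from the advisory or from the Yonyou product) rebuilds the dtLeft query against an in-memory SQLite database and runs it both ways: spliced together by string concatenation, as traceNodes.jsp does, and with a bind parameter, which is the fix. The table names, column names and query text are taken from the advisory; the schema types and the rows are constructed sample data.

```python
"""Concatenated vs. parameterized version of the traceNodes.jsp dtLeft query.

Added illustration, not the vendor's code. Uses SQLite in place of the
product's real database; the rows below are constructed sample data.
"""
import sqlite3


def build_concatenated_sql(model_guid: str) -> str:
    """The query exactly as traceNodes.jsp assembles it: the user-controlled
    value becomes part of the SQL text, so it can change the statement."""
    return ("Select wn53, wn02 from wf_nodes, wf_model Where wm00 = wn01 "
            "and (wn04 = '1' or wn04 = '3' or wn04 = '8') "
            "and wm05 = '" + model_guid + "' order by wn46")


# Same query with a placeholder; the driver passes the value out of band,
# so whatever it contains is compared as a literal string.
PARAMETERIZED_SQL = ("Select wn53, wn02 from wf_nodes, wf_model Where wm00 = wn01 "
                     "and (wn04 = '1' or wn04 = '3' or wn04 = '8') "
                     "and wm05 = ? order by wn46")


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: two workflow models, three nodes.
    Model m2's node should only be visible to callers who know its GUID."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wf_model (wm00 TEXT, wm05 TEXT);
        CREATE TABLE wf_nodes (wn01 TEXT, wn02 TEXT, wn04 TEXT, wn46 INTEGER, wn53 TEXT);
        INSERT INTO wf_model VALUES ('m1', 'guid-public'), ('m2', 'guid-secret');
        INSERT INTO wf_nodes VALUES
            ('m1', 'task-1', '1', 1, 'Draft'),
            ('m1', 'task-2', '3', 2, 'Review'),
            ('m2', 'task-9', '8', 1, 'Confidential approval');
    """)
    return conn


def query_concatenated(conn: sqlite3.Connection, model_guid: str) -> list:
    """Vulnerable path: the parameter is part of the SQL text."""
    return conn.execute(build_concatenated_sql(model_guid)).fetchall()


def query_parameterized(conn: sqlite3.Connection, model_guid: str) -> list:
    """Hardened path: the parameter is bound, never parsed as SQL."""
    return conn.execute(PARAMETERIZED_SQL, (model_guid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A legitimate GUID behaves the same on both paths.
    print(query_concatenated(db, "guid-public"))
    print(query_parameterized(db, "guid-public"))
    # A value containing a quote: the concatenated query's WHERE clause is
    # rewritten and every joined row comes back; the bound query returns nothing.
    tainted = "x' OR '1'='1"
    print(query_concatenated(db, tainted))
    print(query_parameterized(db, tainted))
```

The fix in the JSP is the same idea in Java: keep the SQL text constant, hand model_GUID to the data-access layer as a bound parameter, and do not rely on HtmlFormat.format, which is an HTML-output helper rather than a SQL defence.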
# Vulnerability pseudo-PoC
# sqlmap test run data
Two sites were selected at random for the test. Test 1 is below.
http://121.8.169.131:8089/cooperate/traceNodes.jsp?tagValue=1&tagShow=1&model_GUID=111&traceNodeGUID=111
Effect
Test 2
http://oa.zhcpt.edu.cn/cooperate/traceNodes.jsp?tagValue=1&tagShow=1&model_GUID=111&traceNodeGUID=111
Effect