大汉jcms某处SQL注入漏洞一枚

2014-12-29T00:00:00
ID SSV:93902
Type seebug
Reporter Root
Modified 2014-12-29T00:00:00

Description

简要描述:

RT

详细说明:

貌似通杀不少版本的~~ 直接分析了。漏洞文件：/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp；漏洞参数：fn_Keywords；漏洞类型：SQL注入（GET型）。漏洞分析：先看 opr_getcount.jsp 文件：

``` ......//省掉前面无关代码 <% response.setHeader("Pragma","No-cache"); response.setHeader("Cache-Control","no-cache");
response.setDateHeader("Expires", 0); int colId = Convert.getParameterInt(request, "i_colid", 0); int infoId = Convert.getParameterInt(request, "i_infoid", 0); String pltype = Convert.getParameter(request, "pltype", "",true,true);//这个类型很重要,决定带入那个方法体

String strToPath = application.getRealPath("") + "/jcms_files/jcms" + strAppID+"/web"+strWebID+"/site/module/comment/";
String strIniPath = strToPath +"config/init.xml";
String strIpStyle = xmlFile.getContent("ipstyle", strIniPath);  
int start = Convert.getParameterInt(request,"startrecord",1);
int iPerPage = Convert.getParameterInt(request,"perpage",10);
int groupsize = Convert.getParameterInt(request,"groupsize",8);
String c_uuid = Convert.getParameter(request,"c_uuid","",true,true);
int totalNum = 0;
String strCommentStyle = "";

String strKeywords = Convert.getParameter(request, "fn_Keywords", "");
String strScope = Convert.getParameter(request, "fn_Scope");
String strStartTime = Convert.getParameter(request, "starttime");
String strEndTime = Convert.getParameter(request, "endtime");
String strTpl_vc_Ip = Convert.getIp(request);       //获取IPd地址
Jcms_Comment_InfoBLF commentBLF = new Jcms_Comment_InfoBLF(strAppID,strWebID);
Jcms_Comment_InfoBLF blf = new Jcms_Comment_InfoBLF(strAppID,strWebID);
ArrayList al = new ArrayList();
if("Y".equals(pltype)) {//当pltype为Y时,走这里
    totalNum = blf.getTotalNum(strScope, strKeywords, colId, infoId, strStartTime, strEndTime);//这里进入getTotalNum(...)函数中    
    strCommentStyle = xmlFile.getContent("scriptcode", strIniPath);
     // 原文
    al = blf.getEnt(strScope, strKeywords, colId, infoId, strStartTime, strEndTime, start, iPerPage+1);
}

...... ```

然后跟进getTotalNum(......)函数中:

public int getTotalNum(String strScope, String strKeywords, int colId, int infoId, String strStartTime, String strEndTime) { StringBuffer sbSql = new StringBuffer(128); StringBuffer strConditionBuf = new StringBuffer(128); try { strScope = Convert.getValue(strScope); strKeywords = Convert.getValue(strKeywords); strStartTime = Convert.getValue(strStartTime); strEndTime = Convert.getValue(strEndTime); if (!strScope.equals("")) { ////strScope随意为下面中的一个,都能拼接进SQL语句,导致注入产生 if (strScope.equalsIgnoreCase("vc_infoTitle")) { strConditionBuf.append(" AND vc_infotitle LIKE '%" + strKeywords + "%'"); } if (strScope.equalsIgnoreCase("vc_author")) { strConditionBuf.append(" AND vc_author LIKE '%" + strKeywords + "%'"); } if (strScope.equalsIgnoreCase("t_content")) { strConditionBuf.append(" AND t_content LIKE '%" + strKeywords + "%'"); } } if ((strStartTime.length() &gt; 0) && (strEndTime.length() &gt; 0)) { strConditionBuf.append(" AND c_createtime &gt;= '" + strStartTime + "'") .append(" AND c_createtime &lt;= '" + strEndTime + "'"); } else if ((strStartTime.length() &gt; 0) && (strEndTime.length() == 0)) { strConditionBuf.append(" AND c_createtime &gt;= '" + strStartTime + "'"); } else if ((strStartTime.length() == 0) && (strEndTime.length() &gt; 0)) { strConditionBuf.append(" AND c_createtime &lt;= '" + strEndTime + "'"); } sbSql.append("SELECT COUNT(i_id)") .append(" FROM jcms_comment_info") .append(" WHERE i_sid=0 AND b_ischeck=1") .append(" AND b_iscallback=0") .append(" AND i_columnid=").append(colId) .append(" AND i_infoid=").append(infoId) .append(strConditionBuf.toString()); String[][] strData = Manager.doQuery(this.strAppID, sbSql.toString()); if ((strData == null) || (strData.length == 0)) return 0; return Convert.getStringValueInt(strData[0][0]); } catch (Exception e) { LogWriter.error("getEnt Error:" + e, Jcms_Comment_InfoBLF.class); return 0; } finally { if ((sbSql != null) && (sbSql.length() &gt; 0)) { sbSql.delete(0, sbSql.length()); } if ((strConditionBuf != 
null) && (strConditionBuf.length() &gt; 0)) strConditionBuf.delete(0, strConditionBuf.length()); } }

实例演示: 1.版本:VJCMS2.6.7[U9] http://www.sqsc.gov.cn/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle

<img src="https://images.seebug.org/upload/201412/2623033814630e62a209dcd34f015997b297f8dd.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

2.版本:VJCMS2.6.7[U9]-BJDEWGYXY[U3] http://www.bisu.edu.cn/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle

<img src="https://images.seebug.org/upload/201412/26230452a2884bfb944aa29100d30d5220417409.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

3.版本:VJCMS2.6.3-ZZSZF[U11] http://xfxzz.zaozhuang.gov.cn/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle

<img src="https://images.seebug.org/upload/201412/262306093d19099f2515cbe13bf00a2ac9f3bf48.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

4.版本:VJCMS2.6.7[U6] http://sha.sinotrans.com/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle

<img src="https://images.seebug.org/upload/201412/2623072309bff47eac0b2d01c4abee8f1602bf30.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

5.版本:VJCMS2.6.3-ZZSZF[U11] http://ipad.zaozhuang.gov.cn/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle

<img src="https://images.seebug.org/upload/201412/262308310fef7e523c56b5d3db92418c6cc9ec10.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

漏洞证明:

见详细说明