SQL injection vulnerability in an administrative service system

2015-04-09T00:00:00
ID SSV:95833
Type seebug
Reporter Root
Modified 2015-04-09T00:00:00

Description

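Brief description:

As per the title.

Detailed description:

An SQL injection vulnerability in an administrative service system. Google search: 技术支持:邯郸市连邦软件发展有限公司 inurl:list.aspx?columntag=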

<img src="https://images.seebug.org/upload/201504/0819401456c702e5ce3935f842e55723b9a71e5d.png" alt="QQ图片20150408190835.png" width="600">

Example cases:

http://www.jzxdzjc.gov.cn/portal/dzjc/jsjy/list.aspx?columnTag=%27zcfg%27
http://119.178.103.6:81/portal/dzjc/jsjy/list.aspx?columnTag='tzgg'
http://221.193.244.207:82/portal/dzjc/jsjy/list.aspx?columnTag=%27zcfg%27
http://121.18.36.138:90/anxin/website/list.aspx?columntag=tscy
http://211.142.37.152:90/portal/dzjc/jsjy/list.aspx?columnTag='dzjc_jxtb'

Proof of vulnerability:

Injection proof, using http://www.jzxdzjc.gov.cn/portal/dzjc/jsjy/list.aspx?columnTag=%27zcfg%27 as an example:

<img src="https://images.seebug.org/upload/201504/081941340c5710421e897fbdcb9694448687f4de.png" alt="QQ图片20150408193702.png" width="600">

<img src="https://images.seebug.org/upload/201504/0819412647b27a0ba8ef48d6cd8ef1bae1113fed.png" alt="QQ图片20150408193717.png" width="600">