### 简要描述: 貌似这处没报过。 ### 详细说明: 大汉政府信息公开系统 [<img src="https://images.seebug.org/upload/201510/3012034924e2fc37691ba849e0141f4c8851bda9.png" alt="aaaaaaaaaaaa11111111111111111111.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/3012034924e2fc37691ba849e0141f4c8851bda9.png) [<img src="https://images.seebug.org/upload/201510/30120419c05094dda31014bac430bf567fa05754.png" alt="aaaaaaaaaaaaaa2222222222222222222222222222.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/30120419c05094dda31014bac430bf567fa05754.png) 参数applystarttime、webid没有做任何处理就直接可以作为sql语句拼接,会造成sql注入。 ``` POST /xxgk/jcms_files/jcms1/web1/site/zfxxgk/ysqgk/ysqgksearch.jsp HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: zh-CN User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded UA-CPU: AMD64 Accept-Encoding: gzip, deflate...
### 简要描述: 貌似这处没报过。 ### 详细说明: 大汉政府信息公开系统 [<img src="https://images.seebug.org/upload/201510/3012034924e2fc37691ba849e0141f4c8851bda9.png" alt="aaaaaaaaaaaa11111111111111111111.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/3012034924e2fc37691ba849e0141f4c8851bda9.png) [<img src="https://images.seebug.org/upload/201510/30120419c05094dda31014bac430bf567fa05754.png" alt="aaaaaaaaaaaaaa2222222222222222222222222222.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/30120419c05094dda31014bac430bf567fa05754.png) 参数applystarttime、webid没有做任何处理就直接可以作为sql语句拼接,会造成sql注入。 ``` POST /xxgk/jcms_files/jcms1/web1/site/zfxxgk/ysqgk/ysqgksearch.jsp HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: zh-CN User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded UA-CPU: AMD64 Accept-Encoding: gzip, deflate Content-Length: 56 Host: xxgk.taixing.gov.cn Pragma: no-cache Cookie: JSESSIONID=6465D3E7DE8B2E9090532C8874194423 currpage=&stateid=1&applystarttime=&applyendtime=&webid=1 ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201510/3012055448301325009847331d66c1f6cf985e3c.jpg" alt="zzzzzzzzzzzz111111111111111111.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/3012055448301325009847331d66c1f6cf985e3c.jpg) [<img src="https://images.seebug.org/upload/201510/301207164097a3a7b862a05ea981374209d4a82a.jpg" alt="zzzzzzzzzzzzzzzz22222222222222222.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/301207164097a3a7b862a05ea981374209d4a82a.jpg) [<img src="https://images.seebug.org/upload/201510/301207280fcf010f384dc15ef00c38c24e05534a.jpg" alt="zzzzzzzzzzzzzz3333333333333333333.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/301207280fcf010f384dc15ef00c38c24e05534a.jpg) [<img src="https://images.seebug.org/upload/201510/3012073879e8622e46ed79f417be35360622d2a9.jpg" alt="zzzzzzzzzzzzzzz4444444444444444444444.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/3012073879e8622e46ed79f417be35360622d2a9.jpg) [<img src="https://images.seebug.org/upload/201510/301207480b47756cc8acb1437a33525df8685a16.jpg" alt="zzzzzzzzzzzzzzzzzzz5555555555555555555.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/301207480b47756cc8acb1437a33525df8685a16.jpg) 案例: ``` http://zwgk.taojiang.gov.cn/zwgk/jcms_files/jcms1/web1/site/zfxxgk/ysqgk/ysqgksearch.jsp http://zfxxgk.liaocheng.gov.cn/xxgk/jcms_files/jcms1/web1/site/zfxxgk/ysqgk/ysqgksearch.jsp http://zfxx.ninghai.gov.cn/nhxxgk/jcms_files/jcms1/web1/site/zfxxgk/ysqgk/ysqgksearch.jsp http://xxgk.taixing.gov.cn/xxgk/jcms_files/jcms1/web1/site/zfxxgk/ysqgk/ysqgksearch.jsp http://xxgk.hg.gov.cn/xxgk/jcms_files/jcms1/web1/site/zfxxgk/ysqgk/ysqgksearch.jsp ```
