VULHUB ™

### 简要描述： 危害较大，还请官方及时修复并更新到各个用户。 ### 详细说明： 1.先以其众多大客户中的世界500强企业“绿地集团”作为通用性演示： ``` http://**.**.**.**/login/Login.jsp?logintype=1 ``` 注入点就在登陆框，注入参数是:loginid 下面是详情： ``` GET /login/VerifyLogin.jsp?loginfile=%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D41%26logintype%3D1%26gopage%3D&logintype=1&fontName=%CE%A2%C8%ED%D1%C5%BA%DA&message=&gopage=&formmethod=get&rnd=&serial=&username=&isie=false&loginid=test&userpassword=11111111111&tokenAuthKey=&islanguid=7&submit= HTTP/1.1 Host: **.**.**.** Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 DNT: 1 Referer: http://**.**.**.**/login/Login.jsp?logintype=1 Accept-Encoding: gzip, deflate, sdch Accept-Language: zh-CN,zh;q=0.8 Cookie: testBanCookie=test; JSESSIONID=abc3iQFuldczghbq-bz-u ``` 2.泛微集团分权管理demo： ```...

### 简要描述： 危害较大，还请官方及时修复并更新到各个用户。 ### 详细说明： 1.先以其众多大客户中的世界500强企业“绿地集团”作为通用性演示： ``` http://**.**.**.**/login/Login.jsp?logintype=1 ``` 注入点就在登陆框，注入参数是:loginid 下面是详情： ``` GET /login/VerifyLogin.jsp?loginfile=%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D41%26logintype%3D1%26gopage%3D&logintype=1&fontName=%CE%A2%C8%ED%D1%C5%BA%DA&message=&gopage=&formmethod=get&rnd=&serial=&username=&isie=false&loginid=test&userpassword=11111111111&tokenAuthKey=&islanguid=7&submit= HTTP/1.1 Host: **.**.**.** Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 DNT: 1 Referer: http://**.**.**.**/login/Login.jsp?logintype=1 Accept-Encoding: gzip, deflate, sdch Accept-Language: zh-CN,zh;q=0.8 Cookie: testBanCookie=test; JSESSIONID=abc3iQFuldczghbq-bz-u ``` 2.泛微集团分权管理demo： ``` http://**.**.**.**/login/Login.jsp?logintype=1 ``` ``` GET /login/VerifyLogin.jsp?loginfile=%2Flogin%2Flogin.jsp%2F%3FtemplateId%3D11%26logintype%3D1%26gopage%3D&logintype=1&fontName=%CE%A2%C8%ED%D1%C5%BA%DA&message=&gopage=&formmethod=post&rnd=&serial=&username=&isie=false&loginid=test&userpassword=1111111111111&tokenAuthKey=&islanguid=7&submit= HTTP/1.1 Host: **.**.**.** Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 DNT: 1 Referer: http://**.**.**.**/login/Login.jsp?logintype=1 Accept-Encoding: gzip, deflate, sdch Accept-Language: zh-CN,zh;q=0.8 Cookie: JSESSIONID=a3BoSiefRhK8; testBanCookie=test ``` ### 漏洞证明： 绿地集团注入证明: [<img src="https://images.seebug.org/upload/201509/17160736c0934289b4fea3b79130a83d3c27020e.jpg" alt="login.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/17160736c0934289b4fea3b79130a83d3c27020e.jpg) demo注入证明: [<img src="https://images.seebug.org/upload/201509/1716070852d8f594e33b6baf613bbabb012e80fd.jpg" alt="demo.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/1716070852d8f594e33b6baf613bbabb012e80fd.jpg)