<p>Vulnerable file: /jcms/jcms_files/jcms1/web1/site/module/sitesearch/opr_classajax.jsp</p><p>Vulnerable parameter: ?classid=11</p><p>Root cause: the classid parameter is neither validated nor type-checked and is concatenated directly into a SQL statement, which produces a SQL injection.</p><p>Analysis:</p><p>Contents of opr_classajax.jsp:</p><pre class="lang-java" data-lang="java"><%@page language="java" contentType="text/html; charset=UTF-8"%>
<%@page import="com.hanweb.common.util.Convert"%>
<%@page import="jcms.dbmanager.Manager"%>
<%
    // Read classid from the request, defaulting to "0". Nothing filters or type-checks it.
    String classid = Convert.getParameter(request, "classid", "0");
    String[][] data = null;
    String strData = "";
    if (!classid.equals("0")) { // any value other than the literal "0" reaches the query
        // classid is spliced straight into the SQL text: this is the injection point.
        String sql = "select i_id,vc_name from jcms_virtualcatalog where i_cataid = " + classid;
        data = Manager.doQuery("1", sql);
        if (data != null && data.length > 0) {
            // Build "id-name,id-name,..." with no trailing comma after the last row.
            for (int i = 0; i < data.length; i++) {
                if (i == data.length - 1) {
                    strData += data[i][0];
                    strData += "-";
                    strData += data[i][1];
                } else {
                    strData += data[i][0];
                    strData += "-";
                    strData += data[i][1];
                    strData += ",";
                }
            }
        }
    }
    // The query result is written straight into the response, so any rows an
    // injected query adds are returned to the attacker.
    out.print(strData);
%>
</pre>
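<p>The following is an added example, not code from JCMS or from the original write-up. It models the query construction above in Python against an in-memory SQLite database so the injection can be exercised offline: the schema (only the i_id, vc_name and i_cataid columns the JSP touches) and the jcms_users table are constructed stand-ins, and the payload is assumed to target a two-column UNION, matching the two columns the original select returns. The hardened variant keeps the JSP's "0 means no query" behaviour but requires classid to be a plain integer and binds it as a parameter.</p>

```python
import re
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for the JCMS schema (not the real one)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE jcms_virtualcatalog (i_id INTEGER, vc_name TEXT, i_cataid INTEGER);
        INSERT INTO jcms_virtualcatalog VALUES (1, 'news', 11), (2, 'notice', 11), (3, 'other', 12);
        -- hypothetical table holding data the caller must never see
        CREATE TABLE jcms_users (i_id INTEGER, vc_loginname TEXT, vc_password TEXT);
        INSERT INTO jcms_users VALUES (1, 'admin', 'h4sh3d');
        """
    )
    return con


def format_rows(rows):
    """Same "id-name,id-name" output format the JSP builds."""
    return ",".join(f"{r[0]}-{r[1]}" for r in rows)


def vulnerable_query(con, classid):
    """Mirrors opr_classajax.jsp: classid is concatenated straight into the SQL."""
    if classid == "0":
        return ""
    sql = "select i_id,vc_name from jcms_virtualcatalog where i_cataid = " + classid
    return format_rows(con.execute(sql).fetchall())


def hardened_query(con, classid):
    """Fix: accept only a short decimal integer and bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", classid):
        raise ValueError("classid must be a positive integer")
    cid = int(classid)
    if cid == 0:
        return ""
    rows = con.execute(
        "select i_id,vc_name from jcms_virtualcatalog where i_cataid = ?", (cid,)
    ).fetchall()
    return format_rows(rows)


def rejects(con, classid):
    """True if the hardened version refuses the value before touching the database."""
    try:
        hardened_query(con, classid)
        return False
    except ValueError:
        return True


# Constructed payloads: the first widens the WHERE clause, the second appends a
# UNION whose two columns line up with i_id,vc_name so the rows land in the output.
TAUTOLOGY = "11 or 1=1"
UNION_PAYLOAD = "11 union all select vc_loginname,vc_password from jcms_users"

if __name__ == "__main__":
    con = setup_db()
    print(vulnerable_query(con, "11"))            # 1-news,2-notice
    print(vulnerable_query(con, TAUTOLOGY))       # 1-news,2-notice,3-other
    print(vulnerable_query(con, UNION_PAYLOAD))   # 1-news,2-notice,admin-h4sh3d
    print(hardened_query(con, "11"))              # 1-news,2-notice
    print(rejects(con, UNION_PAYLOAD))            # True
```

<p>The same shape of fix applies in the JSP: parse classid with Integer.parseInt inside a try/catch (or equivalent strict integer check) before it reaches any SQL, and pass the value as a bound parameter rather than a string fragment; whether Manager.doQuery can take parameters is not shown on this page, so a java.sql.PreparedStatement is the safe assumption.</p>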