VULHUB ™

### 简要描述： JPORTAL资源整合SQL注射漏洞 ### 详细说明： 突然发现大汉网络的JPORTAL资源整合系统在一般应用里面，SO... 我来了 文件路径： /pertool_subsite/read/favo_ajax_for_gen.jsp 部分代码为： ``` }else if("DO".equals(opr)){ if (!type.equals("11")||url.trim().length()==0||paperTitle.trim().length()==0){ out.clear(); out.print("false"); return; } ArrayList<Pertool_CollectionEntity> list = fblf.getCollectionListEntityByUserId(userid,"",0,0); String title = paperTitle; for(int i=0; i<list.size(); i++){ Pertool_CollectionEntity e = list.get(i); if(title.equals(e.getVc_title())){ out.clear(); out.println("true"); fblf.delAllCollectionById(e.getI_id()); //减分，取消推荐算5分 Pertool_Score ps = new Pertool_Score(); ps.decScore(infoid, 5); break; } } ``` getCollectionListEntityByUserId函数的userid参数存在注入 （opr必须为DO,type必须为11） http://www.simt.com.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=1&url=1&title=1 [<img src="https://images.seebug.org/upload/201501/302228339ef6cd470d8602f5f11d4e6f72beaf48.jpg" alt="1.jpg" width="600"...

### 简要描述： JPORTAL资源整合SQL注射漏洞 ### 详细说明： 突然发现大汉网络的JPORTAL资源整合系统在一般应用里面，SO... 我来了 文件路径： /pertool_subsite/read/favo_ajax_for_gen.jsp 部分代码为： ``` }else if("DO".equals(opr)){ if (!type.equals("11")||url.trim().length()==0||paperTitle.trim().length()==0){ out.clear(); out.print("false"); return; } ArrayList<Pertool_CollectionEntity> list = fblf.getCollectionListEntityByUserId(userid,"",0,0); String title = paperTitle; for(int i=0; i<list.size(); i++){ Pertool_CollectionEntity e = list.get(i); if(title.equals(e.getVc_title())){ out.clear(); out.println("true"); fblf.delAllCollectionById(e.getI_id()); //减分，取消推荐算5分 Pertool_Score ps = new Pertool_Score(); ps.decScore(infoid, 5); break; } } ``` getCollectionListEntityByUserId函数的userid参数存在注入 （opr必须为DO,type必须为11） http://www.simt.com.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=1&url=1&title=1 [<img src="https://images.seebug.org/upload/201501/302228339ef6cd470d8602f5f11d4e6f72beaf48.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/302228339ef6cd470d8602f5f11d4e6f72beaf48.jpg) http://portal.jinan.gov.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=11&url=1&title=1 [<img src="https://images.seebug.org/upload/201501/30223242106433a83dcc8aaed4ba56e08ddfe571.jpg" alt="11.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/30223242106433a83dcc8aaed4ba56e08ddfe571.jpg) sqlmap 可以直接跑出数据： http://www.simt.com.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=1&url=1&title=1 [<img src="https://images.seebug.org/upload/201501/30223327b4e3410f63f2a30e96f4f3cb30da84e3.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/30223327b4e3410f63f2a30e96f4f3cb30da84e3.jpg) 5个案例： http://www.simt.com.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=11&url=1&title=1 http://portal.jinan.gov.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=11&url=1&title=1 http://www.zj.gov.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=11&url=1&title=1 http://inb.ningbo.gov.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=11&url=1&title=1 http://pertool.sdds.gov.cn/pertool_subsite/read/favo_ajax_for_gen.jsp?opr=DO&uid=1&type=11&url=1&title=1 ### 漏洞证明： 数据： [<img src="https://images.seebug.org/upload/201501/30223327b4e3410f63f2a30e96f4f3cb30da84e3.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/30223327b4e3410f63f2a30e96f4f3cb30da84e3.jpg)