VULHUB ™

### 简要描述： 释锐教育校校用平台通用SQL注入漏洞 ### 详细说明： 问题出现在info_list.jsp文件 [<img src="https://images.seebug.org/upload/201501/1411212640d43b2d8a122d1bea5320a9ba2d1c35.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/1411212640d43b2d8a122d1bea5320a9ba2d1c35.png) ``` String categoryId = Util.dealNull(request.getParameter("categoryId")); if(categoryId.indexOf("08")==0){//特殊网站，特殊处理 response.sendRedirect(request.getContextPath()+"/news_zt/news_list.jsp?categoryId="+categoryId); } String keywords = Util.doParameter(request.getParameter("keywords")); if(categoryId.equals("")&&keywords.equals(""))categoryId = "01"; String readRecordSql = ""; String objectURL = ""; if(!keywords.equals("")){ readRecordSql = "select a.*,b.account,b.name from info a,person b where a.source=0 and a.hold_field6='1' and a.publish_user=b.uuid"; readRecordSql = "select * from ("+readRecordSql+") stb where category_id not in('17','18')"; readRecordSql += " and (info_title...

### 简要描述： 释锐教育校校用平台通用SQL注入漏洞 ### 详细说明： 问题出现在info_list.jsp文件 [<img src="https://images.seebug.org/upload/201501/1411212640d43b2d8a122d1bea5320a9ba2d1c35.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/1411212640d43b2d8a122d1bea5320a9ba2d1c35.png) ``` String categoryId = Util.dealNull(request.getParameter("categoryId")); if(categoryId.indexOf("08")==0){//特殊网站，特殊处理 response.sendRedirect(request.getContextPath()+"/news_zt/news_list.jsp?categoryId="+categoryId); } String keywords = Util.doParameter(request.getParameter("keywords")); if(categoryId.equals("")&&keywords.equals(""))categoryId = "01"; String readRecordSql = ""; String objectURL = ""; if(!keywords.equals("")){ readRecordSql = "select a.*,b.account,b.name from info a,person b where a.source=0 and a.hold_field6='1' and a.publish_user=b.uuid"; readRecordSql = "select * from ("+readRecordSql+") stb where category_id not in('17','18')"; readRecordSql += " and (info_title like '%"+keywords+"%' or account like '"+keywords+"%' or name like '%"+keywords+"%')"; readRecordSql += " order by is_top desc,hold_field2 asc,publish_time desc,info_id desc"; objectURL = request.getRequestURI()+"?keywords="+keywords; } ``` 看下这句 String keywords = Util.doParameter(request.getParameter("keywords")); 获取到keywords，没有指定获取方法,所以GET POST都行 然后!keywords.equals("") 判断keywords是否为空,不为空就带入SQL语句 很明显的一个注入。 案例(谷歌搜索很多或者从官网的成功案例找也行)： http://www.nanmo.cn/info_list.jsp?keywords=1 http://www.sgzx.fx.edu.sh.cn/info_list.jsp?keywords=1 http://www.yk2z.ykedu.net/info_list.jsp?keywords=1 http://www.hshsh.pudong-edu.sh.cn/info_list.jsp?keywords=1 http://58.217.106.249/info_list.jsp?keywords=1 http://www.ycyz.com.cn/info_list.jsp?info_list.jsp?keywords=1 http://bhxx.jdedu.net/info_list.jsp?keywords=1 http://www.zhenchuan.sh.cn/po40/info_list.jsp?keywords=1 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201501/141125396487a0417ef5321c3647329074aed4c9.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/141125396487a0417ef5321c3647329074aed4c9.png) [<img src="https://images.seebug.org/upload/201501/14112546bb1e5074a0dd8f8e34fbc0140f64247b.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/14112546bb1e5074a0dd8f8e34fbc0140f64247b.png) [<img src="https://images.seebug.org/upload/201501/141125530c5f551a16b59d891e205a5fe979b047.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/141125530c5f551a16b59d891e205a5fe979b047.png) 不想一个个截了,截在一起 [<img src="https://images.seebug.org/upload/201501/14112603c5220550f26f07b2c936100963c6b5ee.png" alt="45.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/14112603c5220550f26f07b2c936100963c6b5ee.png)