### 简要描述: RT ### 详细说明: 貌似通杀不少版本的~~ 直接分析了 漏洞文件:/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp 漏洞参数:fn_Keywords 漏洞类型:SQL注入(GET型) 漏洞分析: 先看opr_getcount.jsp文件: ``` ......//省掉前面无关代码 <% response.setHeader("Pragma","No-cache"); response.setHeader("Cache-Control","no-cache"); response.setDateHeader("Expires", 0); int colId = Convert.getParameterInt(request, "i_colid", 0); int infoId = Convert.getParameterInt(request, "i_infoid", 0); String pltype = Convert.getParameter(request, "pltype", "",true,true);//这个类型很重要,决定带入那个方法体 String strToPath = application.getRealPath("") + "/jcms_files/jcms" + strAppID+"/web"+strWebID+"/site/module/comment/"; String strIniPath = strToPath +"config/init.xml"; String strIpStyle = xmlFile.getContent("ipstyle", strIniPath); int start = Convert.getParameterInt(request,"startrecord",1); int iPerPage = Convert.getParameterInt(request,"perpage",10); int groupsize = Convert.getParameterInt(request,"groupsize",8); String c_uuid =...
### 简要描述: RT ### 详细说明: 貌似通杀不少版本的~~ 直接分析了 漏洞文件:/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp 漏洞参数:fn_Keywords 漏洞类型:SQL注入(GET型) 漏洞分析: 先看opr_getcount.jsp文件: ``` ......//省掉前面无关代码 <% response.setHeader("Pragma","No-cache"); response.setHeader("Cache-Control","no-cache"); response.setDateHeader("Expires", 0); int colId = Convert.getParameterInt(request, "i_colid", 0); int infoId = Convert.getParameterInt(request, "i_infoid", 0); String pltype = Convert.getParameter(request, "pltype", "",true,true);//这个类型很重要,决定带入那个方法体 String strToPath = application.getRealPath("") + "/jcms_files/jcms" + strAppID+"/web"+strWebID+"/site/module/comment/"; String strIniPath = strToPath +"config/init.xml"; String strIpStyle = xmlFile.getContent("ipstyle", strIniPath); int start = Convert.getParameterInt(request,"startrecord",1); int iPerPage = Convert.getParameterInt(request,"perpage",10); int groupsize = Convert.getParameterInt(request,"groupsize",8); String c_uuid = Convert.getParameter(request,"c_uuid","",true,true); int totalNum = 0; String strCommentStyle = ""; String strKeywords = Convert.getParameter(request, "fn_Keywords", ""); String strScope = Convert.getParameter(request, "fn_Scope"); String strStartTime = Convert.getParameter(request, "starttime"); String strEndTime = Convert.getParameter(request, "endtime"); String strTpl_vc_Ip = Convert.getIp(request);//获取IPd地址 Jcms_Comment_InfoBLF commentBLF = new Jcms_Comment_InfoBLF(strAppID,strWebID); Jcms_Comment_InfoBLF blf = new Jcms_Comment_InfoBLF(strAppID,strWebID); ArrayList al = new ArrayList(); if("Y".equals(pltype)) {//当pltype为Y时,走这里 totalNum = blf.getTotalNum(strScope, strKeywords, colId, infoId, strStartTime, strEndTime);//这里进入getTotalNum(...)函数中 strCommentStyle = xmlFile.getContent("scriptcode", strIniPath); // 原文 al = blf.getEnt(strScope, strKeywords, colId, infoId, strStartTime, strEndTime, start, iPerPage+1); } ...... ``` 然后跟进getTotalNum(......)函数中: ``` public int getTotalNum(String strScope, String strKeywords, int colId, int infoId, String strStartTime, String strEndTime) { StringBuffer sbSql = new StringBuffer(128); StringBuffer strConditionBuf = new StringBuffer(128); try { strScope = Convert.getValue(strScope); strKeywords = Convert.getValue(strKeywords); strStartTime = Convert.getValue(strStartTime); strEndTime = Convert.getValue(strEndTime); if (!strScope.equals("")) { ////strScope随意为下面中的一个,都能拼接进SQL语句,导致注入产生 if (strScope.equalsIgnoreCase("vc_infoTitle")) { strConditionBuf.append(" AND vc_infotitle LIKE '%" + strKeywords + "%'"); } if (strScope.equalsIgnoreCase("vc_author")) { strConditionBuf.append(" AND vc_author LIKE '%" + strKeywords + "%'"); } if (strScope.equalsIgnoreCase("t_content")) { strConditionBuf.append(" AND t_content LIKE '%" + strKeywords + "%'"); } } if ((strStartTime.length() > 0) && (strEndTime.length() > 0)) { strConditionBuf.append(" AND c_createtime >= '" + strStartTime + "'") .append(" AND c_createtime <= '" + strEndTime + "'"); } else if ((strStartTime.length() > 0) && (strEndTime.length() == 0)) { strConditionBuf.append(" AND c_createtime >= '" + strStartTime + "'"); } else if ((strStartTime.length() == 0) && (strEndTime.length() > 0)) { strConditionBuf.append(" AND c_createtime <= '" + strEndTime + "'"); } sbSql.append("SELECT COUNT(i_id)") .append(" FROM jcms_comment_info") .append(" WHERE i_sid=0 AND b_ischeck=1") .append(" AND b_iscallback=0") .append(" AND i_columnid=").append(colId) .append(" AND i_infoid=").append(infoId) .append(strConditionBuf.toString()); String[][] strData = Manager.doQuery(this.strAppID, sbSql.toString()); if ((strData == null) || (strData.length == 0)) return 0; return Convert.getStringValueInt(strData[0][0]); } catch (Exception e) { LogWriter.error("getEnt Error:" + e, Jcms_Comment_InfoBLF.class); return 0; } finally { if ((sbSql != null) && (sbSql.length() > 0)) { sbSql.delete(0, sbSql.length()); } if ((strConditionBuf != null) && (strConditionBuf.length() > 0)) strConditionBuf.delete(0, strConditionBuf.length()); } } ``` 实例演示: 1.版本:VJCMS2.6.7[U9] http://www.sqsc.gov.cn/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle [<img src="https://images.seebug.org/upload/201412/2623033814630e62a209dcd34f015997b297f8dd.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/2623033814630e62a209dcd34f015997b297f8dd.jpg) 2.版本:VJCMS2.6.7[U9]-BJDEWGYXY[U3] http://www.bisu.edu.cn/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle [<img src="https://images.seebug.org/upload/201412/26230452a2884bfb944aa29100d30d5220417409.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/26230452a2884bfb944aa29100d30d5220417409.jpg) 3.版本:VJCMS2.6.3-ZZSZF[U11] http://xfxzz.zaozhuang.gov.cn/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle [<img src="https://images.seebug.org/upload/201412/262306093d19099f2515cbe13bf00a2ac9f3bf48.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/262306093d19099f2515cbe13bf00a2ac9f3bf48.jpg) 4.版本:VJCMS2.6.7[U6] http://sha.sinotrans.com/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle [<img src="https://images.seebug.org/upload/201412/2623072309bff47eac0b2d01c4abee8f1602bf30.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/2623072309bff47eac0b2d01c4abee8f1602bf30.jpg) 5.版本:VJCMS2.6.3-ZZSZF[U11] http://ipad.zaozhuang.gov.cn/jcms/jcms_files/jcms1/web2/site/module/comment/opr_getcount.jsp?fn_Keywords=q&starttime=&endtime=&pltype=Y&fn_Scope=vc_infoTitle [<img src="https://images.seebug.org/upload/201412/262308310fef7e523c56b5d3db92418c6cc9ec10.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/262308310fef7e523c56b5d3db92418c6cc9ec10.jpg) ### 漏洞证明: 见详细把
