### Brief description:

Thanks for the hard work. Here is another path.

### Details:

The path is slightly different. See the pages that allow unauthorized access:

http://xxgk.jiangyan.gov.cn/xxgk/workflow/objectbox/selectx_userlist.jsp

[![image011.png](https://images.seebug.org/upload/201403/04140118b5f9ab5acef88a8d08b61048f1d98201.png)](https://images.seebug.org/upload/201403/04140118b5f9ab5acef88a8d08b61048f1d98201.png)

http://xxgk.nbhtz.gov.cn/gxxxgk/workflow/objectbox/selectx_userlist.jsp

[![image013.png](https://images.seebug.org/upload/201403/04140142258e25f347c1ffe6f87f303fc9856eb2.png)](https://images.seebug.org/upload/201403/04140142258e25f347c1ffe6f87f303fc9856eb2.png)

http://xxgk.yichang.gov.cn/gov/workflow/objectbox/selectx_userlist.jsp

[![image015.png](https://images.seebug.org/upload/201403/04140220e12649094ad67a97ff09cbed2e267bd8.png)](https://images.seebug.org/upload/201403/04140220e12649094ad67a97ff09cbed2e267bd8.png)

http://xxgk.ouhai.gov.cn/xxgk/workflow/objectbox/selectx_userlist.jsp

[![image016.png](https://images.seebug.org/upload/201403/041402535cd4b146fd89188b94b24fbcc4797b2f.png)](https://images.seebug.org/upload/201403/041402535cd4b146fd89188b94b24fbcc4797b2f.png)

http://xxgk.ycxl.gov.cn/gov/workflow/objectbox/selectx_userlist.jsp

[![image017.png](https://images.seebug.org/upload/201403/0414031676c71d05a09572aaf34c0241ea771a43.png)](https://images.seebug.org/upload/201403/0414031676c71d05a09572aaf34c0241ea771a43.png)

### Proof of vulnerability:

One of them is used to demonstrate the SQL injection.

http://xxgk.jiangyan.gov.cn/xxgk/workflow/objectbox/selectx_userlist.jsp?fn_Keywords=+%E6%B2%99%E5%BF%97%E4%BC%9F+&perm=&cPage=1&tiao=

[![image019.png](https://images.seebug.org/upload/201403/041403307d5612beabfa95afb6f002fa6a66e583.png)](https://images.seebug.org/upload/201403/041403307d5612beabfa95afb6f002fa6a66e583.png)

[![image021.png](https://images.seebug.org/upload/201403/04140345c13491c994acac593e5bebdbccbfe979.png)](https://images.seebug.org/upload/201403/04140345c13491c994acac593e5bebdbccbfe979.png)

[![image022.png](https://images.seebug.org/upload/201403/0414035577a121a9d46b497f42d2097ff6c60cb9.png)](https://images.seebug.org/upload/201403/0414035577a121a9d46b497f42d2097ff6c60cb9.png)

[![image024.png](https://images.seebug.org/upload/201403/041404079c8eea5eb63515ff8263f5e38c33c706.png)](https://images.seebug.org/upload/201403/041404079c8eea5eb63515ff8263f5e38c33c706.png)