JCMS系统opr_classajax.jsp SQL注入漏洞

<p>漏洞文件：/jcms/jcms_files/jcms1/web1/site/module/sitesearch/opr_classajax.jsp</p><p>漏洞参数：?classid=11</p><p>漏洞成因：对参数没有做过滤处理，直接导致注入产生</p><p>漏洞分析:</p><p>opr_classajax.jsp文件：</p><p><br></p><pre class="lang-java" data-lang="java">&lt;%@page language="java" contentType="text/html; charset=UTF-8"%&gt; &lt;%@page import="com.hanweb.common.util.Convert"%&gt; &lt;%@page import="jcms.dbmanager.Manager"%&gt; &lt;%@page import="com.hanweb.common.util.Convert"%&gt; &lt;%@page import="jcms.dbmanager.Manager"%&gt; &lt;% String classid = Convert.getParameter(request,"classid","0");//获取参数，未过滤 String[][] data = null; String strData = ""; if(!classid.equals("0")){ //classid不为0就进入判断了 String sql = "select i_id,vc_name from jcms_virtualcatalog where i_cataid = " + classid; //直接拼接SQL语句，形成注入 data = Manager.doQuery("1",sql); if(data != null &amp;&amp; data.length &gt; 0){ for(int i = 0;i &lt; data.length;i++){ if(i == data.length - 1){ strData += data[i][0]; strData += "-"; strData += data[i][1]; }else{ strData += data[i][0]; strData += "-"; strData += data[i][1]; strData += ","; } } } } out.print(strData); %&gt; </pre>