### Summary:
A 大汉版通 (Hanweb) system has a fairly serious information leak plus two SQL injection flaws.
### Details:
The affected system is the 大汉 Information Disclosure System (xxgk).
#1 Information leak
Vulnerable file path
```
/xxgk/setup/tools/getuserinfo.jsp
```
An instance of the leak on a public site is shown below
[![1.jpg](https://images.seebug.org/upload/201405/17130719d0c89409c87efbc3b49207e48e957227.jpg)](https://images.seebug.org/upload/201405/17130719d0c89409c87efbc3b49207e48e957227.jpg)
#2 SQL injection
Vulnerable files
```
/xxgk/short_message/que_recemsg.jsp
/xxgk/workflow/statistics/que_apply_sta.jsp
```
The code responsible (/xxgk/short_message/que_recemsg.jsp)
```
strQueKeyWords  = Convert.getParameter(request, "que_keywords");
strQueKeyWords1 = Convert.getParameter(request, "que_keywords1");
strQueScope     = Convert.getParameter(request, "que_scope");
strStartDate    = Convert.getParameter(request, "que_startdate");
strEndDate      = Convert.getParameter(request, "que_enddate");
// the advanced-search keyword takes precedence
strQueKeyWords = (strQueKeyWords1.length() > 0) ? strQueKeyWords1 : strQueKeyWords;
// build the date condition: start/end dates are concatenated without any escaping
String strDateCond = "";
if (!"".equals(strStartDate) && !"".equals(strEndDate)) {
    strDateCond += " AND a.dt_sendtime >= '" + strStartDate
        + " 00:00:00' AND a.dt_sendtime <= '" + strEndDate + " 23:59:59'";
} else if (!"".equals(strStartDate) && "".equals(strEndDate)) {
    strDateCond += " AND a.dt_sendtime >= '" + strStartDate + " 00:00:00'";
} else if ("".equals(strStartDate) && !"".equals(strEndDate)) {
    strDateCond += " AND a.dt_sendtime <= '" + strEndDate + " 23:59:59'";
}
// query conditions
StringBuffer sbWhere = new StringBuffer(128);
strTitle = "短消息→收件箱";
sbWhere.append(" a.vc_receiverid='" + id + "'"); // id is the loginid GET parameter, concatenated as-is
if (!"".equals(strQueKeyWords)) {
    // only the keyword has its single quotes doubled
    String strQueKeyWords_ = strQueKeyWords.replaceAll("'", "''");
    sbWhere.append(" AND vc_msgtitle like '%" + strQueKeyWords_ + "%'");
}
```
The code responsible (/xxgk/workflow/statistics/que_apply_sta.jsp)
```
<%
// permission check is left to this page itself
String userid = Convert.getParameter(request, "userid");
// fetch the flow definitions that are not sub-flows
ModelEntity en = new ModelEntity();
en.setB_child(0);
BasicFlowBLF bf = new BasicFlowBLF();
ArrayList al = bf.getModel(en);
/* read the submitted form variables */
String que_startdate = Convert.getParameter(request, "starttime");
String que_enddate   = Convert.getParameter(request, "endtime");
String strModelname  = Convert.getParameter(request, "modelname");
String strModelname1 = Convert.getParameter(request, "modelname1");
strModelname = (strModelname1.length() > 0) ? strModelname1 : strModelname;
/* declare and initialise */
String strTitle  = "按申请记录统计";
String startTime = "";
String endTime   = "";
String modelName = "";
/* query conditions: every value below is concatenated without escaping */
StringBuffer sbWhere = new StringBuffer(128);
sbWhere.append(" 1=1 ");
if (que_startdate.length() > 0) {
    startTime = " and dt_submittime >= '" + que_startdate + " 00:00:00'";
}
if (que_enddate.length() > 0) {
    endTime = " and dt_submittime <= '" + que_enddate + " 23:59:59'";
}
if (strModelname.length() > 0) {
    modelName = " AND vc_flowcode = '" + strModelname + "'";
}
if (strModelname1.length() > 0) {
    modelName = " AND vc_flowcode = '" + strModelname1 + "'";
    //...
}
```
As the fragments show, these request parameters reach the SQL WHERE clause through plain string concatenation. In que_apply_sta.jsp none of starttime, endtime, modelname or modelname1 is escaped at all. In que_recemsg.jsp only que_keywords has its single quotes doubled; the loginid value used for a.vc_receiverid and the que_startdate / que_enddate values are spliced in unescaped, so a single quote in any of those breaks out of the string literal and the remainder of the value is executed as SQL.
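As an added illustration (not code from the Hanweb product or from the original report), the Python below re-creates the two WHERE-clause builders over an in-memory SQLite table, shows what a quoted value in modelname1 or loginid does to the result set, shows that the quote-doubling applied to que_keywords protects that parameter but nothing else, and gives the bound-parameter form of each query. The table names apply_record and short_message and the sample rows are constructed; the column names are the ones that appear in the JSP fragments. SQLite's single-quote literal syntax matches what matters here, although the product's real database may differ in other respects.

```python
"""Added example, not code from the Hanweb xxgk product or the original report.

Re-creates how que_apply_sta.jsp and que_recemsg.jsp splice request parameters
into their WHERE clauses, shows which parameters the quote-doubling in
que_recemsg.jsp does and does not protect, and gives the bound-parameter form.
Table names and sample rows are constructed; column names come from the JSPs.
"""
import sqlite3


def build_apply_where(p):
    """Mirror of que_apply_sta.jsp: modelname1 wins over modelname, and
    starttime / endtime / modelname(1) are concatenated with no escaping."""
    start = p.get("starttime", "")
    end = p.get("endtime", "")
    model = p.get("modelname1", "") or p.get("modelname", "")
    where = " 1=1 "
    if start:
        where += " and dt_submittime >= '" + start + " 00:00:00'"
    if end:
        where += " and dt_submittime <= '" + end + " 23:59:59'"
    if model:
        where += " AND vc_flowcode = '" + model + "'"
    return where


def build_recemsg_where(p):
    """Mirror of the receiver/keyword part of que_recemsg.jsp: only the keyword
    gets ' doubled; the loginid GET parameter is spliced in raw.
    (The JSP's date condition is left out of this mirror.)"""
    login_id = p.get("loginid", "")
    kw = p.get("que_keywords1", "") or p.get("que_keywords", "")
    where = " a.vc_receiverid='" + login_id + "'"
    if kw:
        where += " AND vc_msgtitle like '%" + kw.replace("'", "''") + "%'"
    return where


def make_db():
    """Constructed sample data (table names assumed, not the product's schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE apply_record(vc_flowcode TEXT, dt_submittime TEXT);
        INSERT INTO apply_record VALUES
            ('FLOW_A', '2014-03-01 10:00:00'),
            ('FLOW_A', '2014-04-02 11:00:00'),
            ('FLOW_B', '2014-05-03 12:00:00');
        CREATE TABLE short_message(vc_receiverid TEXT, vc_msgtitle TEXT);
        INSERT INTO short_message VALUES
            ('alice', 'budget report'),
            ('bob',   'budget approval'),
            ('carol', 'holiday notice');
    """)
    return con


def count_apply_vulnerable(con, p):
    """Runs the statistics filter exactly as the JSP assembles it."""
    where = build_apply_where(p)
    return con.execute("SELECT COUNT(*) FROM apply_record WHERE" + where).fetchone()[0]


def count_apply_safe(con, p):
    """Same filter with bound parameters: a model name can only ever be a value."""
    sql, args = "SELECT COUNT(*) FROM apply_record WHERE 1=1", []
    start = p.get("starttime", "")
    end = p.get("endtime", "")
    model = p.get("modelname1", "") or p.get("modelname", "")
    if start:
        sql += " AND dt_submittime >= ?"
        args.append(start + " 00:00:00")
    if end:
        sql += " AND dt_submittime <= ?"
        args.append(end + " 23:59:59")
    if model:
        sql += " AND vc_flowcode = ?"
        args.append(model)
    return con.execute(sql, args).fetchone()[0]


def titles_recemsg_vulnerable(con, p):
    """Inbox query as the JSP assembles it; returns the titles, sorted."""
    where = build_recemsg_where(p)
    rows = con.execute("SELECT vc_msgtitle FROM short_message a WHERE" + where)
    return sorted(r[0] for r in rows)


def titles_recemsg_safe(con, p):
    """Bound parameters for receiver and keyword. In the real page the receiver
    id should also come from the session rather than from a GET parameter."""
    sql = "SELECT vc_msgtitle FROM short_message a WHERE a.vc_receiverid = ?"
    args = [p.get("loginid", "")]
    kw = p.get("que_keywords1", "") or p.get("que_keywords", "")
    if kw:
        # % and _ inside kw still act as LIKE wildcards; add ESCAPE if that matters
        sql += " AND vc_msgtitle LIKE ?"
        args.append("%" + kw + "%")
    return sorted(r[0] for r in con.execute(sql, args))


if __name__ == "__main__":
    con = make_db()
    inj = "x' OR '1'='1"
    print(count_apply_vulnerable(con, {"modelname1": "FLOW_A"}))
    print(count_apply_vulnerable(con, {"modelname1": inj}), "rows with injected modelname1")
    print(count_apply_safe(con, {"modelname1": inj}), "rows with bound modelname1")
    print(titles_recemsg_vulnerable(con, {"loginid": inj, "que_keywords": "budget"}))
    print(titles_recemsg_safe(con, {"loginid": inj, "que_keywords": "budget"}))
```

The injected modelname1 turns `AND vc_flowcode = 'x' OR '1'='1'` into a condition that matches every row, while the same string bound as a parameter matches nothing. The loginid case is the more interesting one for an inbox: because `OR` binds looser than `AND`, `a.vc_receiverid='x' OR '1'='1' AND vc_msgtitle like '%budget%'` returns every user's messages that match the keyword, which is why an unescaped receiver id is also a cross-user data exposure and not only a syntax problem. Note that binding parameters fixes the injection but not the design choice of reading the receiver id from the request; that value belongs in the session.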
#3 Vulnerability testing
Here we picked a deployment at random from the public internet and tested it directly with sqlmap, targeting the modelname1 parameter.
SQL injection case 1:
```
http://xxgk.weifang.gov.cn/xxgk/workflow//statistics/que_apply_sta.jsp?userid=0&modelname=1&modelname1=2
```
Successful result shown below
[![1.jpg](https://images.seebug.org/upload/201405/172031393d938babc69d0267dcc57205cdfa3830.jpg)](https://images.seebug.org/upload/201405/172031393d938babc69d0267dcc57205cdfa3830.jpg)
SQL injection case 2:
```
http://xxgk.weifang.gov.cn/xxgk/short_message/que_recemsg.jsp?que_keywords=1&loginid=1&boxtype=1&que_keywords1=1&que_startdate=1&que_enddate=1
```
Successful result shown below
[![2.jpg](https://images.seebug.org/upload/201405/172120424148f4eadd0f2507b1e41d6ee5fa0bfb.jpg)](https://images.seebug.org/upload/201405/172120424148f4eadd0f2507b1e41d6ee5fa0bfb.jpg)
### Proof of vulnerability:
#4 Data extraction test
[![3.jpg](https://images.seebug.org/upload/201405/17212645a47bf1725caf0a780f26f77450087f36.jpg)](https://images.seebug.org/upload/201405/17212645a47bf1725caf0a780f26f77450087f36.jpg)