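### Brief description:
Unauthorized access plus injection.
### Details:
Without authorization, all users of the system can be viewed (usually there are not many):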
http://www.gansu.gov.cn/jiep/objectbox/selectx_userlist.jsp
[<img src="https://images.seebug.org/upload/201403/04110927ba2b5fe6cbd3f11eed424b42d37f1e61.png" alt="image007.png" width="600">](https://images.seebug.org/upload/201403/04110927ba2b5fe6cbd3f11eed424b42d37f1e61.png)
### Proof of vulnerability:
http://www.gansu.gov.cn/jiep/objectbox/selectx_userlist.jsp?fn_Keywords=test&perm=&cPage=1&tiao=
[<img src="https://images.seebug.org/upload/201403/04110950f940945951ce66d4cec811ead483adfe.png" alt="image009.png" width="600">](https://images.seebug.org/upload/201403/04110950f940945951ce66d4cec811ead483adfe.png)
[<img src="https://images.seebug.org/upload/201403/04111003d2d6249e9cf19208d2e1adf76eccfb60.png" alt="image011.png" width="600">](https://images.seebug.org/upload/201403/04111003d2d6249e9cf19208d2e1adf76eccfb60.png)
Cross-database query against the jis database:
[<img src="https://images.seebug.org/upload/201403/04111023b5ddb0dded696586190bf75994be5241.png" alt="image013.png" width="600">](https://images.seebug.org/upload/201403/04111023b5ddb0dded696586190bf75994be5241.png)