### Brief description:
Multiple SQL injection vulnerabilities in the 一采通 e-procurement system
### Details:
google:inurl:companycglist.aspx?ComId=*
![QQ截图20150601171512.jpg](https://images.seebug.org/upload/201506/0117142855aec9a76710d0ce50a0718784845c28.jpg)
#1 The vulnerability is in /Orders/k3orderdetail.aspx, parameter FINTERID
For example: http://eps.umgg.com.cn/Orders/k3orderdetail.aspx?FINTERID=1
![QQ截图20150601171735.jpg](https://images.seebug.org/upload/201506/011716569310ebf24ad26eec4e6751e58567a748.jpg)
#2 The vulnerability is in /organization/GetUser_List2.aspx, parameter UserName
For example: http://eps.umgg.com.cn/organization/GetUser_List2.aspx?UserName=test
![QQ截图20150601171921.jpg](https://images.seebug.org/upload/201506/01171830a06b1c5da672d7b04563703e4b74a622.jpg)
![QQ截图20150601171959.jpg](https://images.seebug.org/upload/201506/011719153dbdcd1a9e92b4e34b61c8c15b2743f6.jpg)
#3 The vulnerability is in /person/InviteList.aspx, parameter id
For example: http://eps.umgg.com.cn/person/InviteList.aspx?iType=ZB&comid=1&id=0000
![QQ截图20150601172111.jpg](https://images.seebug.org/upload/201506/011720317cdae969dc7fd9291e9e2bc4af5a0303.jpg)
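For operators of an affected deployment, the following added example (not part of the original report) screens web access logs for requests to the three endpoints above whose reported parameter fails an allow-list. The log layout, the allow-list patterns and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path (lower-cased) -> (parameter named in the report, allow-list pattern).
# Patterns are assumptions inferred from the sample values on this page
# (FINTERID=1, UserName=test, id=0000); adjust to the real data types.
WATCHED = {
    "/orders/k3orderdetail.aspx": ("finterid", re.compile(r"\d{1,10}")),
    "/organization/getuser_list2.aspx": ("username", re.compile(r"[\w.-]{1,64}")),
    "/person/invitelist.aspx": ("id", re.compile(r"\d{1,10}")),
}

def check_request(target):
    """Return (path, param, decoded value) for each value failing its allow-list."""
    parts = urlsplit(target)
    rule = WATCHED.get(parts.path.lower())  # IIS treats paths case-insensitively
    if rule is None:
        return []
    name, pattern = rule
    findings = []
    # parse_qs percent-decodes; keep_blank_values so an empty "id=" is checked too.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == name:
            findings += [(parts.path, key, v) for v in values if not pattern.fullmatch(v)]
    return findings

def scan_log(lines):
    """Assumed line layout: date time client-ip method target status."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 6:
            hits += [(fields[2],) + f for f in check_request(fields[4])]
    return hits

# Constructed sample log (documentation IP range, not real traffic).
SAMPLE_LOG = [
    "2015-06-01 17:15:12 192.0.2.10 GET /Orders/k3orderdetail.aspx?FINTERID=1 200",
    "2015-06-01 17:16:40 192.0.2.44 GET /Orders/k3orderdetail.aspx?FINTERID=1%27 500",
    "2015-06-01 17:18:02 192.0.2.44 GET /organization/GetUser_List2.aspx?UserName=test%27-- 200",
    "2015-06-01 17:20:31 192.0.2.10 GET /person/InviteList.aspx?iType=ZB&comid=1&id=0000 200",
    "2015-06-01 17:21:05 192.0.2.44 GET /person/InviteList.aspx?iType=ZB&comid=1&id=0000%20and%201=1 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Log screening only surfaces probing of these parameters; the fix belongs in the application, where the three parameters should reach the database through parameterized queries.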
### Proof of vulnerability:
Other affected cases also exist.