无需登录sql注入泛微集团分权管理(e-cology)(某世界500强企业...

- AV AC AU C I A
发布: 2025-04-13
修订: 2025-04-13

### 简要描述: 危害较大,还请官方及时修复并更新到各个用户。 ### 详细说明: 1.先以其众多大客户中的世界500强企业“绿地集团”作为通用性演示: ``` http://**.**.**.**/login/Login.jsp?logintype=1 ``` 注入点就在登陆框,注入参数是:loginid 下面是详情: ``` GET /login/VerifyLogin.jsp?loginfile=%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D41%26logintype%3D1%26gopage%3D&logintype=1&fontName=%CE%A2%C8%ED%D1%C5%BA%DA&message=&gopage=&formmethod=get&rnd=&serial=&username=&isie=false&loginid=test&userpassword=11111111111&tokenAuthKey=&islanguid=7&submit= HTTP/1.1 Host: **.**.**.** Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 DNT: 1 Referer: http://**.**.**.**/login/Login.jsp?logintype=1 Accept-Encoding: gzip, deflate, sdch Accept-Language: zh-CN,zh;q=0.8 Cookie: testBanCookie=test; JSESSIONID=abc3iQFuldczghbq-bz-u ``` 2.泛微集团分权管理demo: ```...

0%
暂无可用Exp或PoC
当前有0条受影响产品信息