Steps to reproduce the vulnerability
Construct or capture a request that uploads an Excel file to the /depotItem/importItemExcel endpoint.
The contents of the "C:\Users\hp\Desktop\test.xls" file are:
'1') oR sleep(0.05)--
Sending the request shows that the page response is delayed.
Changing the time passed to the sleep function changes the delay, which indicates that SQL injection exists.
Exploitation conditions
The interface requires login to access, but code in the project allows unauthorized access through a URL such as "/jshERP-boot/doc.html/..%3b/depotItem/importItemExcel".
Affected versions, operating systems, and browser information
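
An added example, not part of the original report or the jshERP code base: a log check that canonicalizes request paths the way a servlet container typically does (percent-decode once, strip `;` path parameters, resolve `..`) and flags requests whose raw form differs from a canonical path under a login-required prefix. The `PROTECTED` prefix, the function names and the sample URIs are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumption: routing happens on a path that has been percent-decoded once,
# had ";..." path parameters stripped from every segment, and had dot
# segments resolved, while an access check may only have seen the raw URI.
PROTECTED = ("/jshERP-boot/depotItem/",)  # hypothetical login-required prefix


def canonical_path(raw_uri: str) -> str:
    """Return the path a servlet-style router would most likely dispatch on."""
    path = unquote(raw_uri.split("?", 1)[0])
    # Drop path parameters: everything from ';' to the end of each segment.
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    # normpath resolves "." and ".."; force exactly one leading slash.
    return "/" + posixpath.normpath("/".join(segments)).lstrip("/")


def is_suspicious(raw_uri: str) -> bool:
    """True when the raw path is not canonical and resolves to a protected endpoint."""
    raw_path = raw_uri.split("?", 1)[0]
    canon = canonical_path(raw_uri)
    return canon != raw_path and canon.startswith(PROTECTED)


def flagged(uris):
    """Filter an iterable of request URIs (e.g. from access logs)."""
    return [u for u in uris if is_suspicious(u)]


# Constructed sample request URIs; only the third is the form from the report.
SAMPLE_URIS = [
    "/jshERP-boot/doc.html",
    "/jshERP-boot/depotItem/importItemExcel",
    "/jshERP-boot/doc.html/..%3b/depotItem/importItemExcel",
    "/jshERP-boot/doc.html;jsessionid=ABC",
]

if __name__ == "__main__":
    for uri in flagged(SAMPLE_URIS):
        print("non-canonical request to protected endpoint:", uri,
              "->", canonical_path(uri))
```

The same canonicalization belongs in the authorization check itself: decide access on the canonical path, or reject any request whose raw path differs from it.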