Headline
CVE-2022-45564: exp/Injected by Shanghai Zhuangmeng Information Technology Co., Ltd.md at main · Cat-6/exp
SQL Injection vulnerability in znfit Home improvement ERP management system V50_20220207,v42 allows attackers to execute arbitrary SQL commands via the userCode parameter of the WeChat applet.
Asset Fingerprint
Home improvement ERP management system FOFA query syntax (https://fofa.info/): body="版权所有:上海装盟信息科技有限公司 400-021-8611"
First
Due to the irregular settings of some webmasters, I obtained some source code and conducted a code audit on it. The CMS is not open source, so I can only give some targeted source code.
As shown in the figure, in lines 169-199 the parameter "userCode" is not filtered; it is concatenated directly into the SQL statement, which is then executed, resulting in SQL injection.
Later, I found out that the manufacturer that sells the CMS also has this kind of problem.
Page as shown:
Process
There is an account login interface on the web side, and no vulnerabilities were found in the normal test. We found that the scan-code login uses a WeChat applet.
Then I found the mini program on the mobile phone through WeChat search.
There is also a login on the mobile side; the WeChat applet's traffic was captured by chaining Charles, Proxifier and Burp Suite.
http://zminfo.erpjz.com:80/WEB_SERVICE/WeChatAPI_ERPMobile.ashx?type=LoginIndex&userCode=admin';WAITFOR DELAY '0:0:5'--&passWord=1
Single-quote injection:
The address of this applet is the same as the address of the web side, with the path appended directly.
Manual injection
Through sqlmap, DBA privileges were confirmed; via os-shell, whoami directly showed system privileges.
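From the defender's side, the time-based probe above leaves a recognizable trace in web-server logs. The following is an added example, not code from the advisory or the vendor: it parses constructed access-log lines (method, path with query, status) for requests to the WeChatAPI_ERPMobile.ashx login handler and flags userCode values carrying SQL-injection indicators, while leaving a legitimate apostrophe such as o'brien alone.

```python
# Added example (not from the original advisory): flag login requests to the
# WeChatAPI_ERPMobile.ashx handler whose userCode parameter carries SQL-injection
# indicators such as the MSSQL time-based WAITFOR DELAY probe.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic): method, path+query, status.
SAMPLE_LOG = """\
GET /WEB_SERVICE/WeChatAPI_ERPMobile.ashx?type=LoginIndex&userCode=zhangsan&passWord=1 200
GET /WEB_SERVICE/WeChatAPI_ERPMobile.ashx?type=LoginIndex&userCode=admin%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&passWord=1 200
GET /WEB_SERVICE/WeChatAPI_ERPMobile.ashx?type=LoginIndex&userCode=o%27brien&passWord=1 200
GET /index.aspx 200
"""

# Indicators of injection attempts against an MSSQL backend. A lone apostrophe is
# deliberately not an indicator, so names like o'brien do not trigger an alert.
INDICATORS = [
    (re.compile(r"waitfor\s+delay", re.I), "time-based probe (WAITFOR DELAY)"),
    (re.compile(r"'\s*;"), "quote followed by statement separator"),
    (re.compile(r"--|/\*"), "SQL comment sequence"),
]

def inspect_usercode(value):
    """Return the names of all indicators matching an already URL-decoded userCode."""
    return [name for pattern, name in INDICATORS if pattern.search(value)]

def scan_log(text):
    """Return [(line_no, decoded_userCode, reasons)] for suspicious login requests."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if not url.path.endswith("/WeChatAPI_ERPMobile.ashx"):
            continue
        # parse_qs percent-decodes each value, so the regexes see the raw SQL.
        params = parse_qs(url.query, keep_blank_values=True)
        for decoded in params.get("userCode", []):
            reasons = inspect_usercode(decoded)
            if reasons:
                hits.append((n, decoded, reasons))
    return hits

if __name__ == "__main__":
    for line_no, value, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: userCode={value!r} -> {', '.join(reasons)}")
```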