Simple Client Management System未授权的注入漏洞

  • A+
所属分类:安全漏洞

0x00简介


    感觉这个是一个比较小众的模版,看了下Fofa搜索的结果,结果只有不多的网站。

    感兴趣的可以自己去分析一下源代码

https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip

0x01:分析与复现


    1、内网搭建查看

Simple Client Management System未授权的注入漏洞

2、首页就是一个登陆框,看下代码

<?php session_start();require_once('dbconnection.php');
//Code for Registration if(isset($_POST['signup'])){ $fname=$_POST['fname']; $lname=$_POST['lname']; $email=$_POST['email']; $password=$_POST['password']; $contact=$_POST['contact']; $enc_password=md5($password); $a=date('Y-m-d'); $msg=mysqli_query($con,"insert into users(fname,lname,email,password,contactno,posting_date) values('$fname','$lname','$email','$enc_password','$contact','$a')");if($msg){ echo "<script>alert('Register successfully');</script>";}}
// Code for login systemif(isset($_POST['login'])){$password=$_POST['password'];$dec_password=md5($password);$useremail=$_POST['uemail'];$ret= mysqli_query($con,"SELECT * FROM users WHERE email='$useremail' and password='$dec_password'");$num=mysqli_fetch_array($ret);if($num>0){$extra="welcome.php";$_SESSION['login']=$_POST['uemail'];$_SESSION['id']=$num['id'];$_SESSION['name']=$num['fname'];$host=$_SERVER['HTTP_HOST'];$uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\');header("location:http://$host$uri/$extra");exit();}else{echo "<script>alert('Invalid username or password');</script>";$extra="index.php";$host = $_SERVER['HTTP_HOST'];$uri = rtrim(dirname($_SERVER['PHP_SELF']),'/\');header("location:http://$host$uri/$extra");exit();}}
//Code for Forgot Password
if(isset($_POST['send'])){$row1=mysqli_query($con,"select email,password from users where email='".$_POST['femail']."'");$row2=mysqli_fetch_array($row1);if($row2>0){$email = $row2['email'];$subject = "Information about your password";$password=$row2['password'];$message = "Your password is ".$password;mail($email, $subject, $message, "From: $email");echo "<script>alert('Your Password has been sent Successfully');</script>";}else{echo "<script>alert('Email not register with us');</script>"; }}
?><!DOCTYPE html><html><head><title>Login System</title><link href="css/style.css" rel='stylesheet' type='text/css' /><meta name="viewport" content="width=device-width, initial-scale=1"><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="keywords" content="Elegent Tab Forms,Login Forms,Sign up Forms,Registration Forms,News latter Forms,Elements"./><script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLbar, 0); }, false); function hideURLbar(){ window.scrollTo(0,1); } </script></script><script src="js/jquery.min.js"></script><script src="js/easyResponsiveTabs.js" type="text/javascript"></script> <script type="text/javascript"> $(document).ready(function () { $('#horizontalTab').easyResponsiveTabs({ type: 'default', width: 'auto', fit: true }); });</script><link href='http://fonts.lug.ustc.edu.cn/css?family=Source+Sans+Pro:200,400,600,700,200italic,300italic,400italic,600italic|Lora:400,700,400italic,700italic|Raleway:400,500,300,600,700,200,100' rel='stylesheet' type='text/css'><link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous"></head><body><div class="main"> <div class="facts" style="margin-top: 100px;margin-left: 20%;margin-right: 20%;" align="center"> <div class="login"> <h2 style="color: #fff;">Users Login here</h2> <form name="login" action="" method="post"> <input type="text" class="text" name="uemail" value="" placeholder="Enter your registered email" ><a href="#" class=" icon email"></a>
<input type="password" value="" name="password" placeholder="Enter valid password"><a href="#" class=" icon lock"></a>
<div class="p-container" style="margin-right: 48px;"> <div class="submit two"> <input type="submit" name="login" value="LOG IN" > </div> <div class="clear"> </div> </div>
</form> </div> </div> </div>
</body></html>

3、查看其中登陆所需要输入的uemail参数


Simple Client Management System未授权的注入漏洞

Simple Client Management System未授权的注入漏洞

这里没有过滤,跟踪一下 确认一下

Simple Client Management System未授权的注入漏洞

Simple Client Management System未授权的注入漏洞4、直接到dbconnection.php文件

5、再看下dbconnection.php文件

Simple Client Management System未授权的注入漏洞

What???

(黑人抬棺音乐响起)

6、登陆抓包测试

Simple Client Management System未授权的注入漏洞

7、sqlmap 制定参数测试

sqlmap -r /Users/apple/Desktop/log.log --dbs --random-agent -p uemail --flush-session

Simple Client Management System未授权的注入漏洞

最后的跑数据测试

避免误报

Simple Client Management System未授权的注入漏洞

确认无误了

看下权限

Simple Client Management System未授权的注入漏洞

看下管理员的账户密码

Simple Client Management System未授权的注入漏洞


0x02:总结


    1、这个模版比较简单,我也是萌新,分析有错的话,大佬勿喷

    2、在这个EXP满天飞的时代,想真的学习的话,还真的需要看下漏洞的原理的。

    3、我是萌新,我今天下午1点30分23秒才学习的网络安全,大佬们带带我。


Simple Client Management System未授权的注入漏洞

扫码二维码

获取更多精彩

洛米唯熊

Simple Client Management System未授权的注入漏洞





点个在看 你最好看



Simple Client Management System未授权的注入漏洞

本文始发于微信公众号(洛米唯熊):Simple Client Management System未授权的注入漏洞

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: