Parameters inside a JSON list are not checked for SQL injection #1714

Open
libb-test123 opened this issue Feb 20, 2023 · 3 comments
Labels
freeze (set aside for now)

Comments

@libb-test123

I found that no injection probe points are placed into list values, so this SQL injection was not detected.
The issue can be found with Burp Suite and sqlmap.
(screenshot)

@Jarcis-cy
Collaborator

This should be detectable. Could you share the payload or provide a test site?

@libb-test123
Author

This is the result produced by xray:
(screenshot)
Below is the result of the sqlmap scan (Burp Suite also detected it):
(screenshot)

The sqlmap log is as follows:
sqlmap identified the following injection point(s) with a total of 426 HTTP(s) requests:

Parameter: JSON #1* ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: {"userIds":["n1ddae22de4f74f8993e83c6' RLIKE (SELECT (CASE WHEN (5473=5473) THEN 0x6e3164646165323264653466373466383939336538336336 ELSE 0x28 END)) AND 'IlcB'='IlcB"],"uGroupIds":[],"privilegeName":"READER","resourceId":"p7a63bcf493fb49c4959633c","resourceType":"data-source"}

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: {"userIds":["n1ddae22de4f74f8993e83c6' AND EXTRACTVALUE(9553,CONCAT(0x5c,0x7178707a71,(SELECT (ELT(9553=9553,1))),0x7178706271)) AND 'ubrK'='ubrK"],"uGroupIds":[],"privilegeName":"READER","resourceId":"p7a63bcf493fb49c4959633c","resourceType":"data-source"}

Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: {"userIds":["n1ddae22de4f74f8993e83c6' RLIKE SLEEP(5) AND 'NkVF'='NkVF"],"uGroupIds":[],"privilegeName":"READER","resourceId":"p7a63bcf493fb49c4959633c","resourceType":"data-source"}

@Jarcis-cy Jarcis-cy added the freeze (set aside for now) label Mar 15, 2023
@Jarcis-cy
Collaborator

Understood. This is caused by xray's current JSON parsing depth limit; we will optimize this later. Thanks for the feedback!
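As an added example (not xray's code and not posted by either participant), the following Python walker shows how a parsing-depth limit on JSON traversal makes a scanner skip string values nested inside arrays, which is the coverage gap the maintainer describes above. The exact `max_depth` semantics are an assumption about how such a limit behaves; the POST body is the one from the sqlmap log with the original, benign list value.

```python
import json


def enumerate_string_leaves(node, path="$", depth=0, max_depth=None):
    """Yield (json_path, value) for every string leaf under `node`.

    A scanner treats each returned path as one parameter worth testing.
    If max_depth is set, containers nested deeper than that are not
    descended into; this mimics the parsing-depth limit named in the
    issue (assumed semantics: root object is depth 0, its values depth 1).
    """
    if max_depth is not None and depth > max_depth:
        return
    if isinstance(node, dict):
        for key, value in node.items():
            yield from enumerate_string_leaves(
                value, f"{path}.{key}", depth + 1, max_depth)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from enumerate_string_leaves(
                value, f"{path}[{index}]", depth + 1, max_depth)
    elif isinstance(node, str):
        yield path, node


def probe_paths(body, max_depth=None):
    """Sorted list of parameter paths a scanner would mark for testing."""
    return sorted(p for p, _ in enumerate_string_leaves(
        json.loads(body), max_depth=max_depth))


def coverage_gap(body, max_depth):
    """Paths found without a depth limit but missed with `max_depth`."""
    full = set(probe_paths(body))
    limited = set(probe_paths(body, max_depth=max_depth))
    return sorted(full - limited)


# Request body from the issue's sqlmap output, with the list value restored
# to its original (un-injected) form. No payloads are included here.
ISSUE_BODY = (
    '{"userIds":["n1ddae22de4f74f8993e83c6"],"uGroupIds":[],'
    '"privilegeName":"READER","resourceId":"p7a63bcf493fb49c4959633c",'
    '"resourceType":"data-source"}'
)

if __name__ == "__main__":
    print("all probe paths:", probe_paths(ISSUE_BODY))
    # With a depth limit of 1 the top-level strings are still probed,
    # but the array element userIds[0] (the injectable one) is skipped.
    print("missed at max_depth=1:", coverage_gap(ISSUE_BODY, 1))
```

Running the block lists four candidate paths without a limit and shows `$.userIds[0]` as the only path dropped at depth 1, which matches the parameter sqlmap reported and xray missed.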
